Presentation on theme: "Government Laws FITSP-A Module 2"— Presentation transcript:
1Government Laws FITSP-A Module 2 We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better. – President Obama, May 29, 2009Government Laws
2Pre-assessment Questions for Module 2: Government Laws The following legislation requires federal agencies to establish capital planning and investment control policies and procedures when procuring information technology:E-Government Act of 2002Federal Information Security Management Act (FISMA)Government Information Security Reform Act (GISRA)Clinger-Cohen Act The following legislation requires federal agencies to appoint a Chief Information Officer:Clinger-Cohen Act The following legislation requires federal agencies to develop, document and implement an agency-wide information security program:E-Government Act of 2002, Section 208 The following legislation requires federal agencies to prepare Privacy Impact Assessments (PIAs) when developing or procuring new information technology:Privacy Act, 1974 The following legislation requires each agency with an Inspector General to conduct an annual evaluation of agency’s information security program, or to appoint an independent external auditor, to conduct the evaluation on their behalf:E-Government Act of 2002, Title I
3The Secretary of ___________ (department or agency) was delegated the responsibility FISMA to prescribe standards and guidelines pertaining to federal information systems to improve the efficiency of operation or security of Federal information systems:Department of Homeland SecurityDefense DepartmentCommerce DepartmentNational Security AgencyThe following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, but at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.OMB Circular No. A-123- Management Accountability and ControlOMB Circular No. A-130, Appendix III, Security of Federal Automated Information ResourcesOMB Circular No. A-127, Financial Management SystemsOMB Circular No. A-136, Financial Management Reporting RequirementsAs part of monitoring the security posture of agency desktops, OMB requires federal agencies to use vulnerability scanning tools that leverage the ________ protocol.SNMPSMTPSCAPLDAPFollowing the loss of 26 million records containing PII at the Department of Veteran Affairs, OMB released M Protection of Sensitive Agency Information. This memo required all of the following except:Encryption of all data on mobile computers/devicesPermits remote access only with two-factor authentication where one factor is provided by a device separate from the computer gaining accessUse a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity;Encryption of all server backup tapes
4LeadershipGovernment likes to begin things – to declare grand new programs and causes and national objectives. But good beginnings are not the measure of success. What matters in the end is completion. Performance. Results. Not just making promises, but making good on promises. In my Administration, that will be the standard from the farthest regional office ofgovernment to the highest office of the land.President George W. BushMy Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government.- President Barack ObamaThe issue of cyber security, cyber competitiveness, and cyber warfare has weighed heavily on the minds of policymakers as the severity and complexity of malicious cyber-attacks have intensified over the past decade. Our government must place more emphasis on developing leaders who are competent to engage in these issues. This will require a professional development system that can provide a program of education, assignment, and accreditation to develop a corps of experienced, dedicated service professionals who have an expertise in the breadth of issues related to the cyber environment.Any program must be backed by effective public-private partnerships that produce cutting-edge research, development, and capabilities to operate with freedom, safety, and security in the cyber world.
5FITSP-A Exam Objectives: Security Topic: Regulatory & Standards Compliance A FITSP-Auditor is expected to understand and to be able to apply:Audit strategies for compliance with the organization’s information security programIdentify and stay current on all laws, regulations, standards, and best practices applicable to the organizationOversee relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholdersKeep informed on pending information security changes, trends, and best practices by participating in collaborative settingsReview information security compliance performance measurement componentsThe FITSP-Auditor is focused on the FBK issues related to the high-level knowledge a manager must possess to successfully manage and oversee cost-effective, risk-based IT security of systems operated by or on behalf of the federal government. The following are representative task and knowledge statements, as well as the objectives in each of the 21 IT security topic areas that a FITSP-Auditor is expected to understand and to be able to apply. The topic area most relevant in this module is Regulatory and Standards Compliance, for which the following objectives are covered:Audit strategies for compliance with the organization’s information security programIdentify and stay current on all laws, regulations, standards, and best practices applicable to the organizationEstablish relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholdersKeep informed on pending information security changes, trends, and best practices by participating in collaborative settingsReview information security compliance performance measurement components
6Government Laws Module Overview Section A: Congress & The PresidentFederal Information Security Management Act of 2002 (Title III of the E-Government Act)Evolution of ComplianceElements of a Security ProgramReporting MetricsSection B: NIST – National Institute of Standards & TechnologiesComputer Security DivisionRisk Management FrameworkSection C: OMB – Office of Management & BudgetCircular A-130MemorandumSection D: DHS – Department of Homeland SecurityCybersecurity ResponsibilitiesPresidential DirectivesSection E: HHS – Health & Human ServicesHIPAA Health Insurance Portability and Accountability ActHITECH Health Information Technology for Economic and Clinical HealthWhile the infrastructure of the US Government is reconstructing, Federal IT professionals pay very little mind to the federal laws, mandates, standards and guidelines that have a direct bearing on their responsibilities. IT professionals have their hands full just staying current with the ever-changing technology itself. Federal IT Security Professionals need to keep pace with the Federal mandates that are reshaping the way we operate and secure Federal information systems.
7President: Agenda (PMA) DHS Liaison:Cybesecurity CoordinatorOMB Liaison: Federal CIOCongress: LegislationOMB: OversightDHS:AuthorityHSAPRAHIPAA, HITECHCSA , FISMAHIPAA Security RuleCNSS 1253HHS/CMS OCR Authority, Guidance, OversightRMFCNSS GuidanceThe President has an agenda; in 2001, President Bush published his agenda as The Presidents Management Agenda, which focused on five major areas of improvement.Sometimes Congress will pass laws to promote the President’s agenda, and those laws delegate special oversight authority or responsibilities to various agencies such as the Office of Management and Budget:Paperwork Reduction Act (PRA) – Granted OMB the responsibility to develop Government-wide policies to help other federal agencies comply with the congressional mandates.Homeland Security Act (HSA) – Created the Department of Homeland Security and delegated authority to that agency for carrying out various tasks for protecting the Homeland. In 2009, President Obama created two positions on his staff; the Federal CIO and the Cybersecurity Coordinator, to act as liaisons to the OMB and DHS respectively.Health Insurance Portability and Accountability Act (HIPAA) - Required the Secretary of Department of Health and Human Services (HHS) to adopt security standards for certain health information. These standards, known as the HIPAA Security Rule, were published on February 20, 2003.Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.Computer Security Act (CSA) & Federal Information Security Management Act (FISMA) – Delegated responsibility to NIST and the NSA to create standards and guidelines to help federal agencies comply with congressional mandates. NIST provides standards and guidelines in the Risk Management Framework (RMF), and the Committee on National Security Systems (CNSS) spin-off of RMF, is the CNSS 1253, which provides compliance for CNSS Policy 22 (IARMP) and National Security Directive (#42) on Security of National Security Systems.NIST GuidanceFederal Agencies
8Congress and the President Section ACongress and the President
9Legislative HistoryThere exists a history of information assurance regulations that date back to 1983… two years after International Business Machines introduced the IBM PC. The Computer Security Act of 1987, for example, was the first piece of legislation from Congress to address computer security. It initially tasked NIST to provide guidelines and standards for implementing computer security. NIST has since published many Special Publications (SP) or guidelines to the computer security community.Good information systems security is good business and IT professionals would be hard pressed to find a better source of information pertaining to all aspects of computer security than in the documents issued by NIST.The substance of these laws and regulations, as they apply to IT professionals, isthat IT professionals understand their expanding roles and responsibilities so they may interface successfully with other aspects of managing the Government like a business. Their actions and decisions must align with the business goals of the organization.
10Another stellar piece of legislation is the Clinger-Cohen Act of 1996, which requires government agencies to use performance-based management principals for acquiring and managing information technology.This slide presents a graphical representation of the link between implementing systems security and management using elements of the Clinger-Cohen Act.All aspects of capital planning are taken into consideration just as they would be in a private business:Cost/benefit analysisPerformanceStandardsAccountabilityLife expectancyMultiple usesThe Clinger-Cohen Act also demands agency Chief Information Officers (CIOs) to develop integrated information technology architecture. The Federal Enterprise Architecture (FEA) is an OMB program that intends to comply with the Clinger-Cohen Act and provide a model for sharing information and resources across all Federal agencies. This will reduce overall spending and provided continuity in Government services.
11The Business Reference Model The Business Reference Model of the FEA represents the business of Government using a function-driven approach. Horizontal Lines of Business (LoB) reform previous managerial practices that use stovepipe, agency-centric management. For example, every agency provides IT training and awareness programs that have the same general requirements, yet are implemented differently according to the culture and politics of each individual agency.IT training is a function that is an easily identifiable Line of Business. This is a service that should come from a single source, providing consistency and continuity to the rest of the Federal Government. IT professionals must recognize that the Government of the future will be a competitive one. Stability and complacency in government positions and wasteful, inefficient management will be outdated as agencies compete for these Lines of Business.Risk Management and the Clinger-Cohen ActHow exactly does a system administrator’s responsibility for computer security tie into the Clinger-Cohen Act? For starters, pursuant to CCA and FISMA, NIST issues Federal Information Processing Standards (FIPS) with which all agencies must comply. For example, FIPS 199 requires that all agencies categorize their information systems according to the information stored, processed or transmitted by thosesystems.Information is categorized from a catalog of information types listed in NIST SP , Guide for Mapping Types of Information and Information Systems to Security Categories. These information types tie to Lines of Business in the Business Reference Model. The simple act of categorizing an information system accomplishes so many goals that lend to the accomplishment of an efficient, well-managed business. First, it identifies the importance of that system based on the information it stores, processes or transmits.If you know the value of the system, you know how much effort should be required to protect that system. Second, system categorization will associate that asset with Lines of Business within the agency’s enterprise architecture, which reduces administrative overhead for other tasks such as budgeting and capital planning.
12One of the five government wide initiatives of the PMA is Expanded Electronic Government, codified by the E-Government Act of Title III of the E-Government Act, Information Security, has the most direct impact on defining and expanding theresponsibilities of those involved in operating, managing and securing Government Agency information systems. Other considerable components of E-Government, that IT professionals should be aware of, include supporting the goals of developing IT enterprise architecture and taking a business-minded approach to managing Federal IT systems.Expanding E- GovernmentThe Expanding E-Government initiative of the President’s Management Agenda is more than just information security; it is employing technology to improve how the Government serves its citizens, businesses and state and local governments. The information policy of E-Government provides an agenda for Federal information systems to include not just security, but also privacy and capital planning as well as a standardized model for an information technology architecture that lends to the overarching goal of function-driven business in Government.In hopes of attaining these goals, the OMB is taking a business-motivated approach in developing enterprise architecture. To that end, OMB is identifying opportunities to simplify and consolidate work into lines of business across the Federal Government.
13E-Government Act of 2002 Public Law 107-347 Establishes Office of E-Gov within OMBAreas of E-Gov:Capital planning and investment control for information technologyDevelopment of enterprise architectures (FEA)Information Security (Title III)Access to government informationEstablishes CIO Counsel in the Executive branchThe purpose of this Act is to enhance the management and promotion of electronic government services and processes by establishing a federal Chief Information Officer (CIO) within OMB, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to government information and services and for other purposes.This law codifies OMB’s role, which is to provide an E-Gov administrator through the Office of E-Government that requires agencies to support cross-agency initiatives such as Federal Enterprise Architecture.There is also a requirement for agencies to make annual reports to Congress as to the progress made on the agency’s systems security program.Agencies must establish and operate IT training programs for their personnel.Under Section 208 of the E-Government Act, Agencies must conduct Privacy Impact Assessments (PIA) for new IT investments and on-line information collections. The intent of PIAs is to prompt federal agencies to consider the risks of collecting PII prior to its collection. Subsequent to the passage of the E-Government Act, OMB requires agencies to make their PIAs publically available to interested citizens in the interest of promoting transparency in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, OMB M provides detailed implementation guidance on Section 208 and outlines required disclosures.
14What is FISMA? Title III of E-Gov Act of 2002 Requires Each Federal Agency to Implement an Information Security ProgramReport annually to OMBAdequacy of security programAddress adequacy in plans and reports relating to annual budgetsSignificant deficiencyContinuously EvolvingThe Federal Information Security Management Act of 2002 recognized the importance of information security to the economic and national security interests of the United States.The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.FISMA has receive much criticism, for requiring a huge effort and budget, for documenting and reporting the C&A process. I contend that is was a process that needed to begin. We needed crawl before we could stumble through those first, unstable, baby steps of securing our federal information systems. The process is maturing, and it will continue to grow, and become ever more effective in elevating our security posture and lowering our risk.
15The Evolution of FISMA Compliance This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security.Continuous MonitoringTimely, and Role-relevant InformationOutcome-based Metrics“metrics are a policy statement about what Federal entities should concentrate resources on”Monthly Data Feeds Directly from Security Management Tools (CyberScope)Government-wide Benchmarking on Security Posture (Questionnaire)Agency-specific interviews (CyberStat with DHS)Beginning in FY 2010, FISMA reporting for agencies transitioned from multiple MS Excel spreadsheets from the CIO, Senior Agency Official for Privacy (SAOP), and Office of Inspector General (OIG) to a modern information system called CyberScope. In the first year, agency responses were due November 15, 2010 and corresponded with the submission date of the agencies audited financial statements, Performance and Accountability Reports (PAR), and other reports to Congress. In the first year, agencies followed a three-tiered approach in CyberScope:Data feeds directly from security management tools (first quarterly and then monthly)Government-wide benchmarking on security postureAgency-specific interviewsThis three-tiered approach is a result of the task force established in September 2009 to develop new, outcome-focused metrics for information security performance for Federal agencies. This task force concentrated on developing metrics that would advance the security posture of agencies and departments. The metrics effort continues to evolve today and is led by DHS’ Continuous Diagnostics and Mitigation (CDM) Program. (http://www.dhs.gov/cdm)CyberScope is the platform for the current FISMA submissions. Agencies must use a Personnel Identity Verification (PIV) card, compliant with Homeland Security Presidential Directive 12, access CyberScope via the OMB portal. FISMA submissions for non-national security information systems will not be accepted outside of CyberScope. National Security Systems and other DoD systems utilize similar security metrics as those found in DHS’s CyberScope; however, that classified system has additional security measures and reporting metrics.
16Continuous Monitoring to Provide Timely, Relevant Information Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making.Data feeds directly from security management toolsAgencies are already required to report each quarter. Beginning with the 3rd quarter of FY2010, agencies were required to report new information and beginning January 1, 2011, agencies were required to report on this new information monthly.The new data feeds will include summary information, not detailed information, in the following areas for CIOs:InventorySystems and ServicesHardwareSoftwareExternal ConnectionsSecurity TrainingIdentity Management and AccessIf agencies are unable to provide direct feeds from their security management tools, they are required to provide a data feed through an Excel template as an XML uploaded to CyberScope.Government-wide benchmarking on security postureA set of questions on the security posture of the agencies will also be asked in CyberScope. All agencies, except microagencies, will be required to respond to these questions in addition to the data feeds.Agency-specific interviewsAs a follow-up to the questions described above, a team of government security specialists will interview all agencies individually on their respective security postures. These interviews will be focused on specific threats that each agency faces as a function of its unique mission. The information collected in these interviews will also inform the FY 2010 Report on FISMA to the Congress.This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security.
17FISMA Reporting Metrics Administration Priorities (AP)Key FISMA Metrics (KFM)Baseline Questions (Base)The Federal cybersecurity defensive posture is a constantly moving target. It is constantly shifting because of the relentless dynamic threat environment, emerging technologies, and new vulnerabilities. Many threats can be mitigated by following established cybersecurity best practices, but advanced attackers often search for poor cybersecurity practices and target associated vulnerabilities.The FY12 FISMA Metrics, discussed in the following sections, establish baseline security practices as an entry level requirement for all Federal agencies. However, mitigating advanced attackers requires personnel with advanced cybersecurity knowledge and awareness of the agency’s enterprise security posture. Because cybersecurity is a very important factor for agencies to be able to provide unimpeded essential services to citizens, in FY11 the Administration identified 3 FISMA priorities.They are defined as:Continuous Monitoring,Trusted Internet Connection (TIC) capabilities and traffic consolidation, andHomeland Security Presidential Directive (HSPD)-12, implementation for logical access control.In FY12, these priorities continue to provide emphasis on FISMA metrics that are identified as having the greatest probability of success in mitigating cybersecurity risks to agency information systems. In FY 2013, the Administrative Priorities were:Continuous MonitoringTrusted Internet Connection v2.0 CapabilitiesMulti-factor authentication in accordance with HSPD-12Due to the changing threat landscape, administrative priorities shifted slightly in FY2014 with OMB’s top priority becoming TIC capacities followed by multi-factor authentication and then Continuous Monitoring. OMB’s priorities and delegated responsibilities to DHS are described in detail each year in an annual reporting instructions. The most recent, dated November 18, 2013 is titled, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. Information security professionals should closely read the annual OMB FISMA and Privacy reporting instructions, including the Frequently Asked Questions (FAQ) section, to identify changes in OMB guidance and prioritizes.
18Knowledge CheckThis law gave OMB the authority to define policies for US Government Agencies.This law assigned responsibilities to NIST for creating standards and guidelines relating to securing Federal information systems.This OMB program provides a structure for Agencies to identify business processes.
19NIST - National Institute of Standards and Technology Section BNIST - National Institute of Standards and Technology
20NIST, Computer Security Division Federal Information Security Management Act (FISMA) Implementation Project Protecting the Nation's Critical Information InfrastructureStandards for categorizing (FIPS 199)Standards for minimum security requirements (FIPS 200)Guidance for selecting security controls (SP )Guidance for assessing security controls (SP a)Guidance for the security authorization (SP )Guidance for monitoring the security controls (SP )Guidance for identifying National Security Systems (800-59)Title II of the E-Government Act (Public Law ), titled the Federal Information Security Management Act (FISMA), tasked National Institute of Standards and Technology (NIST) to develop:Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;Guidelines recommending the types of information and information systems to be included in each category; andMinimum information security requirements (such as management, operational, and technical controls), for information and information systems in each such category.Vision StatementTo promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act including:Standards for categorizing information and information systems by mission impactStandards for minimum security requirements for information and information systemsGuidance for selecting appropriate security controls for information systemsGuidance for assessing security controls in information systems and determining security control effectivenessGuidance for the security authorization of information systemsGuidance for monitoring the security controls and the security authorization of information systems
21Risk Management Framework The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications , , and Additional security guidance documents are being developed in support of the project including NIST Special Publications , , and A. It should be noted that the Computer Security Division continues to produce other security standards and guidelines in support of FISMA. These publications can be located by visiting the division's Publications page at:
22OMB – Office of management and budget Section COMB – Office of management and budget
23The Management Side of OMB Office of Federal Financial ManagementOffice of Federal Procurement PolicyOffice of E-Government and Information TechnologyOffice of Performance and Personnel ManagementOffice of Information and Regulatory AffairsThe Office of Federal Financial Management (OFFM) develops and provides direction to improve financial management and systems; to reduce improper payments; to improve grants management; and to “right-size” Federal real property. OFFM also coordinates the activities of the Chief Financial Officers, and Senior Real Property Officers.The Office of Federal Procurement Policy (OFPP) works with agencies to improve Federal procurement practices that affect the full range of Federal acquisitions.The Office of E-Government and Information Technology, headed by the Federal Government’s Chief Information Officer (currently Steven VanRoekel), develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation.The Office of Performance and Personnel Management (OPPM) works with agencies to encourage use and communication of performance information and to improve results and transparency. OPPM also works closely with OPM to advance effective personnel practices.The Office of Information and Regulatory Affairs (OIRA) has a number of functions, including information policy, statistical policy, and regulatory policy.
24OMB Instructions Circulars “A-” Memoranda “M-” Budget State and Local GovernmentsEducational and Non-Profit InstitutionsFederal ProcurementFederal Financial ManagementFederal Information Resources / Data CollectionOther Special PurposeMemoranda “M-”Providing further explanation and guidanceCirculars are instructions or information issued by OMB to Federal agencies. These are expected to have a continuing effect of two years or more. The system of Circulars and Bulletins, established in 1948, are employed to communicate various instructions and information to the executive departments and establishments.The Circular series is used when the nature of the subject matter is of continuing effect. Circulars are identified by the letter "A" and a number.
25OMB Circular A-130Establishes policy for the Management of Federal Information ResourcesIssued under the authority of the Paperwork Reduction Act and Clinger-Cohen ActAppendix I Federal Agency Responsibilities for Maintaining Records about Individuals – Guidance for implementing Privacy Act of 1974Appendix III Security of Federal Automated Information ResourcesEstablishes concept of a minimum set of security controlsEstablishes key definitions used by NIST Special PublicationsCircular A-130 was first issued in December of 1985 to meet information resource management requirements that were included in the Paperwork Reduction Act (PRA) of 1980.Specifically, the PRA assigned responsibility to the OMB Director to develop and maintain a comprehensive set of information resources management policies for use across the Federal government, and to promote the application of information technology to improve the use and dissemination of information in the operation of Federal programs.The initial release of the Circular provided a policy framework for information resources management (IRM) across the Federal government. Since the time of the Circular's first release in 1985, Congress has enacted several additional laws and OMB issued several guidance documents that related to information technology management in federal agencies. To account for these new laws and guidance, OMB has revised the Circular three times, in 1994, 1996, and 2000.As aptly expressed in the CIO Council's Architecture Alignment and Assessment Guide (2000), Circular A-130 can be thought of as a "...one-stop shopping document for OMB policy and guidance on information technology management"
26OMB A-130 Background Privacy Act of 1974 Paperwork Reduction Act 1980 Computer Security Act of 1987Clinger-Cohen Act of 1996Gov’t Paperwork Elimination Act of 1998OMB draws its authority to establish specific requirements for federal information systems by citing the following legislation.Privacy Act of 1974 – Federal agency responsibilities for maintaining records about individuals. A key requirement of the Privacy Act is the publication of a Systems of Record Notice in the Federal Register prior to collecting information in identifiable (IFF) form. OMB defines IIF as information in an information system or an on-line collection that directly identifies an individual (e.g., name, address, Social Security number (SSN), or other identifying code, telephone number, address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, introduces the term Personally Identifiable Information (PII) as a replacement for IIF.Paperwork Reduction Act 1980 – Emphasize a risk-based policy for cost-effective security.Computer Security Act of 1987 – Requires the establishment of security plans by all operators of federal computer systems that contain sensitive information and mandatory periodic training for all persons involved in management, use or operation of those systems.Clinger-Cohen Act of 1996 – Security of federal automated information resources. The Clinger-Cohen Act, also known as Information Technology Management Reform Act of 1996, grants to the Director of OMB various authorities for overseeing the acquisition, use, and disposal of information technology by the federal government, so as to improve the productivity, efficiency, and effectiveness of federal programs. It supplements the information resources management (IRM) policies contained in the Paperwork Reduction Act of 1980.Government Paperwork Elimination Act of 1998 – Provides for the optional use and acceptance of electronic documents and signatures, and electronic record keeping where practicable.
27OMB A-130, Appendix III Definitions Assignment of Responsibilities GSS General Support SystemMA Major ApplicationAdequate securityAssignment of ResponsibilitiesReportingDeficiencies & Corrective ActionsSecurity Plan SummaryThis appendix establishes key definitions used in subsequent NIST security publications and federal legislation.Adequate security is security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.General support system or system is an interconnected set of information resources under the same direct management control which shares common functionality.Major application is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.Agency Designated Approving Authority (DAA) has specific requirements and responsibilities provided by this circular. It is required that this individual should be a management official, knowledgeable in the information and processes supported by the system. The individual should also know the management, personnel, operational, and technical controls used in the protection of this system. Establishes the requirement that DAA must re-authorize the information system every three years in writing. Subsequently, NIST builds upon this specific requirement that information systems must be Certified and Accredited (C&A) every three years in NIST SP to ensure a senior agency official is responsible for the security of the information system.Finally, A-130 establishes the requirement that security controls for federal information systems must be tested when there are significant modifications to the system.
28OMB Memoranda General Guidance Reporting Guidance Policies POAMsContinuity PlansFDCCTrusted Internet ConnectionsReporting GuidanceGISRAFISMAIncidents involving PIIPoliciesFederal Agency Public Websites“File Sharing” TechnologyImplementation GuidanceGovernment Paperwork Elimination ActE-Government ActHSPDsTrusted Internet ConnectionFISM Trusted Internet Connections (TIC) Reference Architecture v2.0 (also known as Einstein Program)M – Update on the Trusted Internet Connections InitiativeM Guidance for Trusted Internet Connection (TIC) ComplianceM – Guidance for Trusted Internet Connection Statement of Capability Form (SOC)M Implementation of Trusted Internet Connections (TIC)FISMA ReportingM-14-04, FY2013 Reporting Instructions for FISMA and Agency Privacy Management (Nov 18, 2013)M-12-20, FY2012 Reporting Instructions for FISMA and Agency Privacy Management (Sept 27, 2012)FISM signed - FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy ManagementM-11-33, FY 2011 Reporting Instructions [Note: Also FISM 11-02] *M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (April 21, 2010) (27 pages, 275 kb)FDCCM Guidance on the Federal Desktop Core Configuration (FDCC) [Note, FDCC evolved into US Gov’t Configuration Baseline. SeeM Ensuring New Acquisitions Include Common Security ConfigurationsM Implementation of Commonly Accepted Security Configurations for Windows Operating Systems* The Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve federal information security policies.
29PrivacyM – New FISMA Privacy Reporting Requirements for FY 2008M Safeguarding Against and Responding to the Breach of Personally Identifiable InformationM Validating and Monitoring Agency Issuance of Personal Identity Verification CredentialsRecommendations for Identity Theft Related Data Breach NotificationM Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology InvestmentsM Protection of Sensitive Agency InformationM Safeguarding Personally Identifiable InformationM Designation of Senior Agency Officials for PrivacyM OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002M Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal PrivacyHSPD-12M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12–Policy for a Common Identification Standard for Federal Employees and Contractors (February 3, 2011) (6 pages, 205 kb)M HSPD-12 Implementation StatusM Acquisition of Products and Services for Implementation of HSPD-12M Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12M Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors
30WikileaksM-11-08, Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated SystemsM-11-06, WikiLeaks - Mishandling of Classified InformationData SharingM-11-02, Sharing Data While Protecting PrivacyM Personal Use Policies and "File Sharing" TechnologyIT Project ReviewM-10-31, Immediate Review of Information Technology ProjectsM-10-30, Science and Technology Priorities for the FY 2012 BudgetM-10-25, Reforming the Federal Government's Efforts to Manage Information Technology ProjectsCybersecurity ResponsibilitiesM-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland SecurityWebM-10-23, Guidance for Agency Use of Third-Party Websites and ApplicationsM-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010) (9 pages, 130 kb)M Policies for Federal Agency Public WebsitesM E-Authentication Guidance for Federal AgenciesM Privacy Policies on Federal Web SitesHealth InformationM-10-10, Federal Agency Coordination on Health Information Technology (HIT)Governance FrameworkM Information Technology Management Structure and Governance FrameworkDNSSECM Securing the Federal Government’s Domain Name System InfrastructureIntegrityM Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
31Business ContinuityM Regulation on Maintaining Telecommunication Services During a Crisis or Emergency in Federally-owned BuildingsM Development of Homeland Security Presidential Directive (HSPD) - 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key ResourcesM Business Continuity and Contingency Planning for the Year 2000M Day One Planning and Request for Updated Business Continuity and Contingency PlansMISCM Software AcquisitionM Implementation Guidance for the E-Government Act of 2002M Guidance for Preparing and Submitting Security Plans of Action and MilestonesM OMB Procedures and Guidance on Implementing the Government Paperwork Elimination ActM Incorporating and Funding Security in Information Systems InvestmentsM Security of Federal Automated Information Resources
32Trusted Internet Connections M-09-32 Inventory External ConnectionsMeet TIC Critical Technical CapabilitiesImplement Critical TIC capabilitiesAcquire Telecommunications Connectivity Through Networx ContractConsolidate External Connections Through Approved Access Points (TICAPS)Introducing Federal Information Security Memorandum from DHSFISM Trusted Internet Connections (TIC) Reference Architecture v2.0M – Update on the Trusted Internet Connections InitiativeM Guidance for Trusted Internet Connection (TIC) ComplianceM – Guidance for Trusted Internet Connection Statement of Capability Form (SOC)M Implementation of Trusted Internet Connections (TIC)In November 2007, OMB announced the Trusted Internet Connections (TIC) Initiative to consolidate the number of external access points, including Internet connections; and ensure that all external connections are routed through an OMB-approved TIC.Based on solicited agency Statements of Capability, OMB also designated twenty agencies as TIC Access Providers (TICAPS). Each TICAP agency was authorized two locations where they must reduce and consolidate all external connections. Initiative is currently managed by DHS’s Network and Infrastructure Security (NIS) branch. NIS branch overseas the deployment of EINSTEIN 2 capability – an automated cyber surveillance system that monitors federal internet traffic for malicious intrusions and provides near real-time identification of malicious activity.
33CIO Reporting Metric #7 Boundary Protection Target Level for 2014Since FY 2012, the annual FISMA security metrics have included performance metrics related to TIC capabilities. For FY 2014, federal agencies should pass 95% of their network traffic through a TIC provider and a 100% of the federal agencies must use a TIC-accredited provider. OMB continues to encourage federal agencies to use a TIC provider and the EINSTEIN 2 intrusion detection capability as NSA and other intelligence agencies build custom “detection signatures” that are not available to commercial IDS providers.
34Reporting Instructions (Changes) OMB M-11-33/ FISM 11-02/FISM 12-02 CyberScope…collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities.Monthly Data FeedsQuarterly ReportingAnnual Reporting (Mid-November)Information Security QuestionsCyberStat Review (Conducted by DHS) Sessions and Agency InterviewsFAQ (9) Must the DoD and the ODNI follow OMB policy and NIST guidelines? YES!!FAQ (34) Is Reauthorization Required Every 3 Years… NO!FAQ (42) Mandatory use of secure configurations (USGCB)Historically released once a year:M … GISRA and Updated Guidance on Security Plans of Action and MilestonesM FY 2003 … FISMA and Quarterly IT Security ReportingM – FY 2004 … FISMA and Quarterly IT Security ReportingM FY 2005 …M FY 2006 …M – FY 2007 …M – FY 2008 … “New FISMA Privacy Reporting Requirements”M FY 2009 … “the means of collection have changed substantially. This year, rather than using spreadsheets, the annual FISMA report data collection will occur via an automated reporting tool.”M – FY (The automated reporting tool has a name: CyberScope)** Newest ** M – FY 2013 Reporting Instructions for FISMA and Agency Privacy Management, dated November 18, 2013Introducing Federal Information Security Memorandum from DHS(OMB Memo) M – FY 2011 (Handing responsibility over to DHS)Updates are found atDHS Memo System - FISM FY2011 Reporting Instructions for the FISMA and Agency Privacy ManagementFISM – FY2012 FISMA Reporting InstructionsFISM – FY2013 Reporting Instructions for FISMA and Agency Privacy
35To maximize the timeliness and fidelity of security-related information, the collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities. As stated in previous FISMA guidance, agencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information - delivered more quickly than ever before.To comply with this guidance, agencies will carry out the following activities:Establish monthly data feeds to CyberScope;Respond to security posture questions; andParticipate in CyberStat accountability sessions and agency interviewsMonthly Data Feeds Agencies must load data from their automated security management tools into CyberScope on a monthly basis for a limited number of data elements. While full implementation of automated security management tools across agencies will take time, agencies should report what they can using output from their automated security management tools. These reporting requirements will mature over time.Information Security Questions In addition to providing the data feeds described above, agencies are also required to answer a set of information security questions in CyberScope. These questions address areas of risk and are designed to assess the implementation of security capabilities and measure their effectivenessCyberStat Review Sessions and Agency Interviews Building on the TechStat model, DHS launched CyberStat accountability sessions in January Through CyberStat, DHS cybersecurity experts engage with selected agencies to help them develop focused actions plans for improving their information security posture. CyberStat is grounded in analysis that is based on data provided through CyberScope and other key data sources. The development of clear and consistent metrics for CyberScope has improved the ability of agencies to have more accountability for outcomes. As DHS works with agencies to improve data quality, the insights provided through CyberStat and CyberScope will enable DHS to assist agencies in quickly addressing problems that pose risks.DHS-led CyberStat sessions promote accountability and assist Federal civilian agencies in driving progress with key strategic enterprise cybersecurity capabilities. Specifically, CyberStat is designed to:Highlight capability areas where agencies must place additional focus;Help agencies remove roadblocks to meeting requirement standards; andRecognize agencies in those areas where they are meeting requirement standards.
36Effective Dates of Compliance: Monthly Data Feeds: Agencies are required to submit information security data to CyberScope by close of business on the fifth calendar day of each month. Small and micro agencies are not required to submit monthly reports, although they are highly encouraged to do so.Quarterly Reporting: Moving forward, agencies will be expected to submit metrics data for 1st, 2nd and 3rd quarters.For 1st quarter, agencies must submit their updates to CyberScope between January 1st and January 15th.For 2nd quarter, agencies must submit their updates to CyberScope between April 1st and April 15th .For 3rd quarter, agencies must submit their updates to CyberScope between July 1st and July 15th .Agencies are not expected to submit metrics data for 4th quarters, other than what is required for the annual report.Annual Reporting: The due date for annual FISMA reporting through CyberScope is generally November 15 and coincides with the due dates for annual financial statements.Frequently Asked Questions about FISMA Reporting (DELTAS)Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines?Yes, for non-national security systems DOD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies.For national security systems, the Joint Task Force Transformation Initiative (JTFTI) Interagency Working Group with representatives from the Civil, Defense and Intelligence Communities (IC) started an on-going effort in FY2009 to produce a unified information security framework for the Federal Government. Under this effort, DoD and ODNI jointly issued with NIST the following publications:NIST SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010.NIST SP A, Recommendation for Block Cipher Modes of Operation, December 2001.NIST SP , Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.NIST SP , Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.NIST SP , Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.Because these guidelines are jointly issued, DOD and ODNI policies for national security systems should incorporate these guidelines.
37Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130?No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to make ongoing authorization decisions for information systems by leveraging security-related information gathered through the implementation of ISCM programs. The implementation of ISCM and ongoing authorization thus fulfill the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.What are minimally acceptable system configuration requirements?In FY 2007, OMB issued policy (M-07-11) for agencies to adopt security configurations for Windows XP and VISTA, as well as policy for ensuring new acquisitions include common security configurations.In FY 2010, the CIO Council announced the creation of the United States Government Configuration Baselines (USGCB) which is maintained by the CIO Council's Technology Infrastructure Subcommittee. Baselines developed by the USGCB should be applied to Federal systems. See for more information.Supplemental Information about USGCB, not in OMB’s Annual InstructionsThe USGCB settings replace the Federal Desktop Core Configuration (FDCC) settings and provide the recommended security baselines for Information Technology products widely deployed across the agencies. The first platforms addressed by USGCB are Microsoft’s Windows 7, Windows 7 Firewall, and Internet Explorer 8. NIST revised initial configuration settings for Windows Vista, Vista Firewall, Windows XP, XP Firewall, and Internet Explorer 7 from those proposed originally in FDCC. In January 2014, NIST released settings for Red Hat Enterprise Linux 5 desktop. Candidate settings for Mac OS X and Windows 8 should be available soon.
38Reporting Instructions (Changes) FY2013 and FY2014 OMB Guidance Continues to evolve in MKey changes occurred in the following areas:Increased emphasis on privacy controlsAuthorizations to Operate (ATO) require Senior Agency Official for Privacy to sign off.SP Rev 4 – Appendix J Privacy Controls added to mandatory controls baselinePOA&Ms now only track security weaknesses that will be remediated.Monthly and quarterly reporting of CIO metrics required of all “CIO Council member agencies” vs. smaller list of 24 CFO Act agencies.Responses to OMB’s Frequently Asked Questions (FAQ) in the annual FISMA and Privacy memorandum illustrate the changing priorities and guidance. Below are a few of the more significant changes for FY2014.Privacy:Annual Privacy Report should now also include “the description of the agency’s privacy training for employees and contractors” which is submitted via CyberScope.Senior Agency Officials for Privacy (SAOP) are responsible for implementation of NIST , Appendix J (Privacy Controls) and the assessment of the controls must be conducted by the SAOP or designated representative.Appendix J (Privacy Controls) can be treated as common controls with determination made by SAOP in collaboration with other agency officials in charge of risk management decisionsSAOP approval is required as precondition for the issuance of an ATO for agency information systems.Plans of Actions and Milestones (POA&M): POA&Ms should now track security weaknesses that will be remediated. Previously agencies were required to track all security weaknesses in the POA&M, even those in which the risk would be accepted.CIO Reporting via CyberScope: Expanded monthly and quarterly reporting of security metrics to OMB large and small federal agencies. Only CIOs of micro-agencies (i.e. less than 100 employees) are exempt from monthly and quarterly reporting.
39Reporting Instructions (Changes) FY2013 and FY2014 Continuous Monitoring – rebranded as Information Security Continuous Monitoring (ISCM)Security Overlays – Develop set of security controls to address unique threat profile for community-wide use (health care, intelligence, industrial control systems, cloud computing). New concept from Rev 4.Mobile Device Security – added emphasis that data protection (i.e. encryption) and remote access security controls apply to mobile devices4. OMB adopts terminology and acronym ISCM used in NIST SP Information Security Continuous Monitoring for Federal Information Systems and Organizations . FAQ #35 emphasizes that agencies must develop and implement ISCM strategies.5. Security Overlays – OMB advocates that the federal agencies should utilize “security overlays” when the standard security control baselines (L, M, H) from NIST SP do not address unique threat profile. The security controls mandated by GSA’s FedRAMP program are an example of tailored set of security controls that blend the Moderate and High control baselines. Additional details are found in Section 3.3 and Appendix I of SP Rev.46. Emphasis on Mobile Device Security: Agencies can leverage guidance in the Federal Mobile Security Baseline, Mobile Computing Decision Framework, and Mobile Security Reference Architecture to help secure agency mobile devices (iPads, iPhones, Android, etc.). It was issued in May 2013 by the Federal Chief Information Officer (CIO) Council
40Standardized Desktop OS Configuration Settings Federal Desktop Core Configuration (FDCC)Windows XP & VistaUS Gov’t Baseline Configuration (USGBC)Windows 7 & IE 8Red Hat Enterprise Desktop LinuxIn Development: Mac OS X & Windows 8Security Content Automation Protocol (S-CAP)M Guidance on the Federal Desktop Core Configuration (FDCC)M Ensuring New Acquisitions Include Common Security ConfigurationsM Implementation of Commonly Accepted Security Configurations for Windows Operating SystemsIn March 2007, OMB Memorandum M announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” directing agencies with Windows XP TM deployed and/or plan to upgrade to the Vista TM operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate M Candidate settings for Mac OS X and Windows 8 should be available soon.The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. For more information about SCAP please see NIST SP Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2 and SP The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version The USGCB, like its predecessor FDCC, uses SCAP-based technology to assess that systems are properly configured according to the recommended USGCB baseline settings.
41Privacy & Privacy Reporting M-07-16 Safeguarding PIIBreach Notification PolicySAOP Reporting Metrics FY2012Information Security Systems (w/PII)PIAs and SORNsPrivacy TrainingPIA and Web Privacy Policies and ProcessesWritten Privacy ComplaintsSAOP Advice and GuidanceAgency Use of Web Management and Customization Technologies (e.g., “cookies,” “tracking technologies”)M Safeguarding Personally Identifiable InformationM Designation of Senior Agency Officials for PrivacyM OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002M Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal PrivacyM Safeguarding Against and Responding to the Breach of Personally Identifiable InformationSafeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public.As part of the work of the Identity Theft Task Force, this memorandum requires agencies to develop and implement a breach notification policy within 120 days.M – New FISMA Privacy Reporting Requirements for FY 2008To maintain a comprehensive context for security and privacy of Federal information across government, the Office of Management and Budget is planning to add the requirement below to agencies’ existing annual reporting mechanisms. This memorandum provides advance notice to agencies about information which will be incorporated into the annual reporting requirements for fiscal year 2008 under the Federal Information Security Management Act (FISMA) to be issued next summer.
42Privacy & Privacy Reporting M-14-04 & DHS Privacy Metrics Privacy in OMB’s FY2014 InstructionsNIST SP Appendix J Privacy Controls implementation is mandatory.Privacy Controls and practices may be considered an agency “common control.”SOAP approval required for ATO of GSS or MADHS FY2014 SAOP FISMA Privacy Metrics10 questions covering privacy requirements from the Privacy Act of 1974, E-Gov’t Act of 2002, and Federal Agency Data Mining Reporting Act of 2007The annual FISMA questions for the Senior Agency Official for Privacy (SAOP) have changed very little since FY There were no changes to the annual performance metrics from FY2013 to FY2014.The 10 Privacy Metric areas are as follows:Inventory of Information Systems containing PIIPIAs and SORNsSOAP ResponsibilitiesPrivacy TrainingPIA and Web Privacy Policies and ProcessesConduct of Mandates Privacy Reviews from the Privacy Act, E-Gov’t Act, and Federal Agency Data Mining Reporting Act of 2007.Written Privacy ComplaintsPolicy Compliance ReviewsSAOP Advice and GuidanceAgency Use of Web Management and Customization Technology (e.g. persistent cookies and tracking technology)The Federal Agency Data Mining Report Act of 2007 is a relatively new privacy reporting mandate. The law requires all federal agencies using or developing data mining programs to report annually to Congress on pattern-based analyses of electronic databases used to identify predictive patterns or anomalies that indicate terrorist or criminal activity. The act excludes analyses that are subject-based, that use personal identifiers or inputs associated with individuals, and those that are solely to detect fraud, waste, and abuse in government agencies or programs, or for government computer security. Implementation of the law primarily affects DHS, DOJ (FBI), ODNI, CIA, and NSA.
43Knowledge CheckThis document provides a policy framework for information resources management across the Federal government.This OMB memo requires that agencies safeguard against and respond to breaches of personally identifiable information.Name an initiative to create security configuration baselines for Information Technology products widely deployed across the federal agencies.Agencies are required to adhere to DHS’ direction to report data through this automated reporting tool. What is the required frequency of these data feeds?The OMB A-130’s stated requirement for reauthorization is at least once every 3 years. What must an agency do to waive that requirement?
44DHS - Department of Homeland Security Section DDHS - Department of Homeland Security
45DHS – Department of Homeland Security Prevent Terrorism and Enhance SecuritySecure and Manage our BordersEnforce and Administer our Immigration LawsSafeguard and Secure CyberspaceEnsure Resilience to DisastersAnd now… Cybersecurity!The Department's mission is to ensure a homeland that is safe, secure, and resilient against terrorism and other hazards. DHS has five Departmental missions:Prevent terrorism and enhance security;Secure and manage our borders;Enforce and administer our immigration laws;Safeguard and secure cyberspace;Ensure resilience to disasters;1. Prevent Terrorism and Enhance SecurityProtecting the American people from terrorist threats is our founding principle and our highest priority. The Department's counterterrorism responsibilities focus on three goals:Prevent terrorist attacks;Prevent the unauthorized acquisition, importation, movement, or use of chemical, biological, radiological, and nuclear materials and capabilities within the United States; andReduce the vulnerability of critical infrastructure and key resources, essential leadership, and major events to terrorist attacks and other hazards.
462. Secure and Manage our Borders The Department secures the nation's air, land and sea borders to prevent illegal activity while facilitating lawful travel and trade. The Department's border security and management efforts focus on three interrelated goals:Effectively secure U.S. air, land, and sea points of entry;Safeguard and streamline lawful trade and travel; andDisrupt and dismantle transnational criminal and terrorist organizations.3. Enforce and Administer our Immigration LawsThe Department is focused on smart and effective enforcement of U.S. immigration laws while streamlining and facilitating the legal immigration process.The Department has fundamentally reformed immigration enforcement, prioritizing the identification and removal of criminal aliens who pose a threat to public safety and targeting employers who knowingly and repeatedly break the law.4. Safeguard and Secure CyberspaceThe Department has the lead for the federal government for securing civilian government computer systems, and works with industry and state, local, tribal and territorial governments to secure critical infrastructure and information systems. The Department works to:Analyze and reduces cyber threats and vulnerabilities;Distribute threat warnings; andCoordinate the response to cyber incidents to ensure that our computers, networks, and cyber systems remain safe.5. Ensure Resilience to DisastersThe Department provides the coordinated, comprehensive federal response in the event of a terrorist attack, natural disaster or other large-scale emergency while working with federal, state, local, and private sector partners to ensure a swift and effective recovery effort. The Department builds a ready and resilient nation through efforts to:Bolster information sharing;Provide grants, plans and training to our homeland security and law enforcement partners; andFacilitate rebuilding and recovery along the Gulf Coast.
47Cybersecurity Responsibilities M-10-28 Office of Management and BudgetAnnual FISMA Report to CongressCybersecurity Portions of the President’s BudgetCybersecurity CoordinatorCybersecurity Strategy and Policy DevelopmentDepartment of Homeland SecurityCritical Infrastructure ProtectionUS-CERTTrusted Internet Connection InitiativePrimary Responsibility for the Operational Aspects of CybersecurityThis memorandum outlines and clarifies the responsibilities of the OMB, the Cybersecurity Coordinator, and DHS, with respect to the Federal Government’s implementation of the FISMA.DHS oversees critical infrastructure protection, operates the US-CERT, oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector. OMB has a number of cybersecurity responsibilities, principally in connection with FISMA reporting. The Cybersecurity Coordinator leads the interagency process for cybersecurity strategy and policy development.DHS will exercise primary responsibility within the Executive Branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA. DHS activities will include (but will not be limited to):Overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;Overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;Overseeing the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;Overseeing the agencies’ cybersecurity operations and incident response and providing appropriate assistance; andAnnually reviewing the agencies’ cybersecurity programs.All departments and agencies shall coordinate and cooperate with DHS as it carries out its cybersecurity responsibility and activities as noted here.
48Presidential Decision Directives PDDPresidential Decision Directives1993–2001ClintonNSPDNational Security Presidential Directives2001–2009G. W. BushHSPDHomeland Security Presidential Directives2001-G. W. Bush and ObamaPSDPresidential Study Directives2009-ObamaPPDPresidential Policy DirectivesPresidential Directives, better known as Presidential Decision Directives or PDD are a form of an executive order issued by the President of the United States with the advice and consent of the National Security Council. As a National Security instrument, the PDD articulates the executive's policy, carries the "full force and effect of law", and throughout the terms of presidents, have taken on various titles or intents towards national security policy.Since many of the Presidential Directives pertain to the national security of the United States, many were or are promulgated as classified. Various presidents since the administration of John F. Kennedy have issued such directives but under different names.
49Homeland Security Presidential Directives HSPD-3 – Homeland Security Advisory SystemHSPD-5 – Management of Domestic IncidentsHSPD-7 – Critical Infrastructure Identification, Prioritization, and ProtectionPDD-8 – National PreparednessHSPD-12 – Policy for a Common Identification Standard for Federal Employees and ContractorsHSPD-20/NSPD-51 – National Continuity PolicyHSPD-24 – Biometrics for Identification and Screening to Enhance National SecurityHomeland Security Presidential Directives are issued by the President on matters pertaining to Homeland Security.Homeland Security Presidential Directive 1 creates the Homeland Security Council (HSC) and enumerates its functions. The purpose of the HSC is twofold: to coordinate homeland security-related efforts across executive departments and agencies of all levels throughout the country, and to implement the Department’s policies through eleven Policy Coordination Committees.
50HHS – Health & Human Services Section EHHS – Health & Human Services
51History of HIPAA1996: Health Insurance Portability and Accountability Act (HIPAA)Directed Secretary of HHS to Develop Standards for Protecting (e-PHI)Feb 2003: HHS Published the Security Rule StandardOct 2008: SP r1 An Introductory Resource Guide for Implementing the HIPAA Security RuleDuplication of Effort… Stove piping?e-PHI - Electronic Protected Health InformationSP , D.14 - Health2009: Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA)On AUG. 21, 1996, Congress enacted the Administrative Simplification (part of Title II) provisions of HIPAA (PL ) to, among other things, promote efficiency in the healthcare industry through the use of standardized electronic transactions, while protecting the privacy and security of health information. Pursuant to the Administrative Simplification provisions of HIPAA, the Secretary of HHS adopted standards relating to:Electronic healthcare transactions and code sets;Privacy of protected health information;Security of electronic protected health information (EPHI); andUnique health identifiers.On February 20, 2003, published those standards as Health Insurance Reform: Security Standards; Final Rule.From the SP , information type D.14, Health, includes the direct provision of health care services and immunizations as well as the monitoring and tracking of public health indicators for the detection of trends and identification of widespread illnesses/diseases. It also includes both earned and unearned health care benefit programs.Some information associated with health care involves confidential patient information subject to the Privacy Act and to HIPAA. The Privacy Act Information provisional impact levels are documented in the Personal Identity and Authentication information type.
52This slide shows all the components of HIPAA and illustrates that the focus of this document is on the security rule. [HIPAA Administrative Simplification PART 164 – SECURITY AND PRIVACY, SUBPART C – Security Standards for the Protection of Electronic Protected Health Information]The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.However, the preamble of the Security Rule states that HHS does not rate or endorse the use of industry-developed guidelines and/or models. Organizations are not required to use NIST special publications. If organizations choose to use NIST guidance, they must determine the value of its content for implementing the Security Rule standards in their environments.HIPAA Privacy & Security Audit ProgramThe American Recovery and Reinvestment Act of 2009, in Section of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, Office of Civil Rights (OCR) is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and were to conclude by December In the final rule issued by HHS, breaches (i.e. unauthorized disclosures) affecting protected healthcare information of more than 500 individuals require notification to the individual and the Secretary of HHS.HITECH = Auditing
53ARRA/HITECH: Game Changers Electronic Health Record (EHR) System – Incentives to Accelerate Adoption of EHR Systems among ProvidersEnforcement – Requires Audits for HIPAA Compliance!Notification of Breach - Now Imposes Data Breach Notification RequirementsElectronic Health Record Access – For Providers implementing HER, Patients Have the Right to Obtain PHI in an Electronic Format (i.e. ePHI).Business Associates, (Software vendors providing EHR systems) now, Directly "On The Compliance Hook"The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.ARRA contains incentives related to health care information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers.Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.Why? Because under the HITECH Act there are significant taxpayer dollars appropriated in the form of incentive funding that directly target a provider's adoption of an EHR system. Regulators, patients and other stakeholders are certain to demand more transparency and accountability. If a provider wants to receive the benefit of incentives, or at a minimum wants to avoid any subsequent penalties, then they appear to have little choice, other than to increase their literacy regarding HIPAA's Privacy and Security Rules and the new provisions of the Act.
54EnforcementAmong other things, HHS is now required to conduct periodic audits of covered entities and business associates.Notification of BreachThe HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to many state data breach laws related to personally identifiable financial information (e.g. banking and credit card data).Electronic Health Record AccessIn the case where a provider has implemented an EHR system, the Act provides individuals with a right to obtain their PHI in an electronic format (i.e. ePHI). Incentives will be provided to providers who implement EHR systems.Business Associates and Business Associate AgreementsUnder the HITECH Act, business associates are now directly "on the compliance hook" since they are required to comply with the safeguards contained in the HIPAA Security Rule (SR). Software vendors providing EHR systems will clearly qualify as business associates
55Cybersecurity Legislative Proposal Many New Cyber-related BillsProtecting the American PeopleProtecting our Nation’s Critical InfrastructureProtecting Federal Government Computers and NetworksThe Administration proposal would update FISMA and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise.New NIST Cybersecurity Framework, February 2014Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated. Despite many new cyber-related bills in Congress, none have passed both the House and Senate to become law as of February Members of both parties in Congress have also recognized a need for updated legislations and introduced approximately 50 cyber-related bills in the FY 2012 session of Congress. To bypass the gridlock in Congress, the President issued an Executive Order directing NIST to develop a voluntary framework for reducing cyber risks to critical infrastructure. In February 2014, NIST released the first version, Framework for Improving Critical Infrastructure Cybersecurity, a collaborative effort between NIST and companies in the private sector. The guidelines in the framework are voluntary measures that organizations that support elements of the country's critical infrastructure can use to develop their information security programs. However, because the program offers no financial incentives to help companies reduce the costs of implementing the guidelines, companies may opt not to participate. While the guidelines are voluntary for private industry, it is likely that they will be required for government contractors.
56Cybersecurity Framework Pictured above is the Cybersecurity Framework Core. The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk.The broader Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. Many security professionals will recognize close alignment of the Cybersecurity Framework with NIST SP control families and the NIST Risk Management Framework. Private sector security frameworks from ISACA’s Control Objectives for Information Technology (COBIT) and ISO series are also woven into the framework. More information is available at
57Government Laws Key Concepts & Vocabulary Legislative MilestonesPaperwork Reduction Act of 1980Computer Security Act of 1987Clinger-Cohen Act of 1996Homeland Security Act & E-Government Act of 2002 (Title III FISMA)NIST Standards & GuidelinesNIST SP r1 – Risk Management FrameworkOMB MemorandumsM Cybersecurity Responsibilities of DHSFISM Trusted Internet ConnectionsM PrivacyDHS & CybersecurityM Configuration BaselinesFISM 12-02/M FISMA Reporting GuidelinesCyberScopeCCA – Clinger-Cohen Act of 1996The Clinger–Cohen Act (CCA), formerly the Information Technology Management Reform Act of 1996 (ITMRA), is a 1996 United States federal law, designed to improve the way the federal government acquires, uses and disposes information technology (IT).The Clinger–Cohen Act supplements the information resources management policies by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources, by:Focusing information resource planning to support their strategic missions;Implementing a capital planning and investment control process that links to budget formulation and execution; andRethinking and restructuring the way they do their work before investing in information systems.The Act directed the development and maintenance of Information Technology Architectures (ITAs) by federal agencies to maximize the benefits of information technology (IT) within the Government. In subsequent guidance on implementing the Act, the Office of Management and Budget stipulated that agency ITA's "...should be consistent with Federal, agency, and bureau information architectures."In keeping with this mandate, in 1999 the US Federal CIO Council initiated the Federal Enterprise Architecture, essentially a federal-wide ITA that would "... develop, maintain, and facilitate the implementation of the top-level enterprise architecture for the Federal Enterprise.
58CIO – Chief Information Officer Chief information officer (CIO), or information technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals.Circular A-130 Appendix III - Security of Federal Automated Information ResourcesEstablishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123.CISO – Chief Information Security OfficerA chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance.CNSS – Committee on National Security SystemsA United States intergovernmental organization that sets policy for the security of the US security systems.CSA – Computer Security Act of 1987It was passed to improve the security and privacy of sensitive information in Federal computer systems and to establish a minimum acceptable security practices for such systems. It requires the creation of computer security plans, and the appropriate training of system users or owners where the systems house sensitive information.CyberScopeAgencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information -delivered more quickly than ever before.DHS – Department of Homeland SecurityDHS oversees critical infrastructure protection, operates the US-CERT, oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector. OMB has a number of cybersecurity responsibilities, principally in connection with FISMA reporting. The Cybersecurity Coordinator leads the interagency process for cybersecurity strategy and policy development.
59FDCC – Federal Desktop Core Configuration In March 2007, OMB Memorandum M announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” directing agencies with Windows XP TM deployed and/or plan to upgrade to the Vista TM operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).FISM – Federal Information Security MemorandumThe Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve federal information security policies.FISMA – Federal Information Security Management ActFISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act.FISMA ReportProvides the annual status of Federal-wide and Agency-specific information security initiatives with respect to Federal compliance with FISMA requirements.FITSI – Federal Information Technology Security InstituteFITSI is the Federal IT Security Institute which is a non-profit organization managing and administering the FITSP certification program. FITSP stands for the Federal IT Security Professional and is broken into four individual IT security certification programs targeted at the Federal workforce based upon role.FITSP - Federal Information Technology Security ProfessionalFITSP is an IT security certification program targeted at the Federal workforce (civilian personnel, military and contractors). This certification program synergizes the knowledge of other security certifications with the standards and practices that are being used by the United States Federal government. There are four different IT security roles that FITSP covers: Manager, Designer, Operator and Auditor.HSA – Homeland Security Act of 2002HSA created both the United States Department of Homeland Security and the new cabinet-level position of Secretary of Homeland Security.
60HSPD - Homeland Security Presidential Directive Presidential Directives, are a form of an executive order issued by the President of the United States with the advice and consent of the National Security Council. As a National Security instrument, the PDD articulates the executive's policy, carries the "full force and effect of law", and throughout the terms of presidents, have taken on various titles or intents towards national security policy.NIST – National Institute of Standards and TechnologyNIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.OIG – Office of Inspector GeneralThe Office of Inspector General (OIG) seeks to improve the efficiency and effectiveness of the Agency programs and operations. OIG also endeavors to detect and deter waste, fraud, and abuse.OMB– Office of Management and BudgetThe Office of E-Government and Information Technology, headed by the Federal Government’s Chief Information Officer (currently Steven VanRoekel), develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation.PRA – Paperwork Reduction Act of 1980Gave authority over the collection of certain information to the Office of Management and Budget (OMB). Within the OMB, the Office of Information and Regulatory Affairs (OIRA) was established with specific authority to regulate matters regarding federal information and to establish information policies. These information policies were intended to reduce the total amount of paperwork handled by the United States government and the general public.TIC – Trusted Internet ConnectionIn November 2007, OMB announced the Trusted Internet Connections (TIC) Initiative to consolidate the number of external access points, including Internet connections; and ensure that all external connections are routed through an OMB-approved TIC.Based on solicited agency Statements of Capability, OMB also designated twenty agencies as TIC Access Providers (TICAPS). Each TICAP agency was authorized two locations where they must reduce and consolidate all external connections.USGCB – US Government Configuration BaselineThe purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate MThe first platforms addressed by USGCB were Microsoft’s Windows 7, Windows 7 Firewall, and Internet Explorer 8. Red Hat Enterprise Desktop Linux was added in January Since the rollout of USGCB, NIST has reconciled the differences to the prior FDCC platforms of Windows Vista, Vista Firewall, Windows XP, XP Firewall, and Internet Explorer 7 to establish a uniform configuration standard.
61Lab Activity 1 – Searching for Guidance DHSAuthority - HSPDsCNSSOMB Oversight – Policy OMB A-130NISTGuidance – Standards (FIPS), Guidelines (SP)Lab Activity 1: Searching for GuidanceUsing Internet search engines, find the following information:So far, DHS has issued two FISMs (Federal Information Security Memorandums) for FY2011, and two for FY Find those FISMs and answer the following:The subject for FISM is _________________________________The Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve _________________ _________________ _________________ _________________ [hint: FISM footnote]The subject of FISM is __________________________________Continuous monitoring is the next stage in the evolution of FISMA compliance. On the NIST website (csrc.nist.gov) you can find a wealth of information relating to the technical aspects of FISMA compliance. Open the latest document regarding Continuous Monitoring.What is the document number?Referencing the “Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains” Table of Contents, what is this document’s Relationship to Existing Standards and Specifications… Please list the other 3 document numbers relating to CM:______________________________
62Do a search for “OMB Memorandum” Do a search for “OMB Memorandum”. Navigate to the White House Memorandum (current year). This is one of the key areas for dissemination of information relating to all OMB policies, including information security and systems security.The OBM memorandums are organized by ______________________There is a memo from 2011 that clarifies Chief Information Officer Authorities (and responsibilities); Agency CIOs will be held accountable for lowering operational costs, terminating and turning around troubled projects, and delivering meaningful functionality at a faster rate while enhancing the security of information systems. What are the four areas of responsibilities?______________________________Every year, the OMB releases updated reporting instructions for FISMA.The memo number for 2011 is ___________________________.The first page of this memo emphasizes “…Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), " What is on the 2nd page of this memo? ______________________________ And what is the significance of that second page? ___________________________________________________________________________________!The most significant portion of this memo is the “Frequently Asked Questions”, which tend to be a slight variation of the FAQs from the previous year. Please make note of the following questions, and their corresponding answers… They represent a considerable shift in compliance in FY2011: #9, #10, #28.
63Post-assessment Questions for Module 2: Government Laws The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, but at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.OMB Circular No. A-123- Management Accountability and ControlOMB Circular No. A-130, Appendix III, Security of Federal Automated Information ResourcesOMB Circular No. A-127, Financial Management SystemsOMB Circular No. A-136, Financial Management Reporting RequirementsAs part of monitoring the security posture of agency desktops, OMB requires federal agencies to use vulnerability scanning tools that leverage the ________ protocol.SNMPSMTPSCAPLDAPFollowing the loss of 26 million records containing PII at the Department of Veteran Affairs, OMB released M Protection of Sensitive Agency Information. This memo required all of the following except:Encryption of all data on mobile computers/devicesPermits remote access only with two-factor authentication where one factor is provided by a device separate from the computer gaining accessUse a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity;Encryption of all server backup tapesThis Homeland Security Presidential Directive requires all federal agencies to adopt a standard, government wide card to reduce identity fraud, protect personal privacy, and provide for authentication. This directive was called:Real-ID ActHSPD-12 – Common Identification StandardCritical Infrastructure Protection ActHSPD 24 – Biometrics to Enhance National Security Act
64Post-assessment Questions Continued Which act of Congress defined Federal agency responsibilities for maintaining records about individuals?Computer Security Act of 1987Privacy Act of 1974Federal Information Security Management Act of 2002Clinger-Cohen Act of 1996Which act of Congress granted to the Director of OMB various authorities for overseeing the acquisition, use, and disposal of information technology by the federal government, so as to improve the productivity, efficiency, and effectiveness of federal programs?What type of system is an interconnected set of information resources under the same direct management control which shares common functionality?System BoundaryMinor ApplicationMajor ApplicationGeneral Support SystemAccording to the OMB A-130, this individual has specific requirements and responsibilities; It is required that this individual should be a management official, knowledgeable in the information and processes supported by the system. The individual should also know the management, personnel, operational, and technical controls used in the protection of this system.Agency Authorizing OfficialChief Information OfficerInformation System OwnerChief Information Security Officer
65Post-assessment Questions Continued The following OMB memo announced implementation of commonly accepted security configurations for windows operating systems.M-07-18M-09-32M-10-28M-07-11This OMB memo provides e-authentication guidance for federal agencies.M-08-09M-08-22M-04-04M-05-04With the publication of OMB M-14-04, Fiscal Year 2013 Reporting Instructions for FISMA and Agency Privacy Management, the signatures of the following two individuals are required to authorize a new information system containing PII to operate (select two):CISOCIODAASAOP