Government Laws FITSP-A Module 2


1 Government Laws FITSP-A Module 2
We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control… But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure… This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better. – President Obama, May 29, 2009

2 Pre-assessment Questions for Module 2: Government Laws
The following legislation requires federal agencies to establish capital planning and investment control policies and procedures when procuring information technology:
- E-Government Act of 2002
- Federal Information Security Management Act (FISMA)
- Government Information Security Reform Act (GISRA)
- Clinger-Cohen Act

The following legislation requires federal agencies to appoint a Chief Information Officer:
- Clinger-Cohen Act

The following legislation requires federal agencies to develop, document and implement an agency-wide information security program:
- E-Government Act of 2002, Section 208

The following legislation requires federal agencies to prepare Privacy Impact Assessments (PIAs) when developing or procuring new information technology:
- Privacy Act, 1974

The following legislation requires each agency with an Inspector General to conduct an annual evaluation of the agency's information security program, or to appoint an independent external auditor to conduct the evaluation on its behalf:
- E-Government Act of 2002, Title I

3 The Secretary of ___________ (department or agency) was delegated responsibility under FISMA to prescribe standards and guidelines pertaining to federal information systems to improve the efficiency of operation or security of Federal information systems:
- Department of Homeland Security
- Defense Department
- Commerce Department
- National Security Agency

The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, but at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.
- OMB Circular No. A-123, Management Accountability and Control
- OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources
- OMB Circular No. A-127, Financial Management Systems
- OMB Circular No. A-136, Financial Management Reporting Requirements

As part of monitoring the security posture of agency desktops, OMB requires federal agencies to use vulnerability scanning tools that leverage the ________ protocol.
- SNMP
- SMTP
- SCAP
- LDAP

Following the loss of 26 million records containing PII at the Department of Veterans Affairs, OMB released Memorandum M, Protection of Sensitive Agency Information. This memo required all of the following except:
- Encryption of all data on mobile computers/devices
- Permitting remote access only with two-factor authentication, where one factor is provided by a device separate from the computer gaining access
- Use of a "time-out" function for remote access and mobile devices, requiring user re-authentication after 30 minutes of inactivity
- Encryption of all server backup tapes

4 Leadership

Government likes to begin things – to declare grand new programs and causes and national objectives. But good beginnings are not the measure of success. What matters in the end is completion. Performance. Results. Not just making promises, but making good on promises. In my Administration, that will be the standard from the farthest regional office of government to the highest office of the land. – President George W. Bush

My Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government. – President Barack Obama

The issue of cyber security, cyber competitiveness, and cyber warfare has weighed heavily on the minds of policymakers as the severity and complexity of malicious cyber-attacks have intensified over the past decade. Our government must place more emphasis on developing leaders who are competent to engage in these issues. This will require a professional development system that can provide a program of education, assignment, and accreditation to develop a corps of experienced, dedicated service professionals who have an expertise in the breadth of issues related to the cyber environment. Any program must be backed by effective public-private partnerships that produce cutting-edge research, development, and capabilities to operate with freedom, safety, and security in the cyber world.

5 FITSP-A Exam Objectives: Security Topic: Regulatory & Standards Compliance
A FITSP-Auditor is expected to understand and to be able to apply:
- Audit strategies for compliance with the organization's information security program
- Identify and stay current on all laws, regulations, standards, and best practices applicable to the organization
- Oversee relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholders
- Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings
- Review information security compliance performance measurement components

The FITSP-Auditor is focused on the FBK issues related to the high-level knowledge a manager must possess to successfully manage and oversee cost-effective, risk-based IT security of systems operated by or on behalf of the federal government. The following are representative task and knowledge statements, as well as the objectives in each of the 21 IT security topic areas that a FITSP-Auditor is expected to understand and to be able to apply. The topic area most relevant in this module is Regulatory and Standards Compliance, for which the following objectives are covered:
- Audit strategies for compliance with the organization's information security program
- Identify and stay current on all laws, regulations, standards, and best practices applicable to the organization
- Establish relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholders
- Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings
- Review information security compliance performance measurement components

6 Government Laws Module Overview
Section A: Congress & The President
- Federal Information Security Management Act of 2002 (Title III of the E-Government Act)
- Evolution of Compliance
- Elements of a Security Program
- Reporting Metrics

Section B: NIST – National Institute of Standards & Technology
- Computer Security Division
- Risk Management Framework

Section C: OMB – Office of Management & Budget
- Circular A-130
- Memorandum

Section D: DHS – Department of Homeland Security
- Cybersecurity Responsibilities
- Presidential Directives

Section E: HHS – Health & Human Services
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health

While the infrastructure of the US Government is being reconstructed, Federal IT professionals pay very little mind to the federal laws, mandates, standards and guidelines that have a direct bearing on their responsibilities. IT professionals have their hands full just staying current with the ever-changing technology itself. Federal IT Security Professionals need to keep pace with the Federal mandates that are reshaping the way we operate and secure Federal information systems.

7 President: Agenda (PMA)
[Slide diagram labels: DHS Liaison: Cybersecurity Coordinator; OMB Liaison: Federal CIO; Congress: Legislation; OMB: Oversight; DHS: Authority; HSA; PRA; HIPAA, HITECH; CSA, FISMA; HIPAA Security Rule; CNSS 1253; HHS/CMS OCR Authority, Guidance, Oversight; RMF; CNSS Guidance; NIST Guidance; Federal Agencies]

The President has an agenda; in 2001, President Bush published his agenda as The President's Management Agenda, which focused on five major areas of improvement. Sometimes Congress will pass laws to promote the President's agenda, and those laws delegate special oversight authority or responsibilities to various agencies such as the Office of Management and Budget:
- Paperwork Reduction Act (PRA) – Granted OMB the responsibility to develop Government-wide policies to help other federal agencies comply with the congressional mandates.
- Homeland Security Act (HSA) – Created the Department of Homeland Security and delegated authority to that agency for carrying out various tasks for protecting the Homeland. In 2009, President Obama created two positions on his staff, the Federal CIO and the Cybersecurity Coordinator, to act as liaisons to the OMB and DHS respectively.
- Health Insurance Portability and Accountability Act (HIPAA) – Required the Secretary of the Department of Health and Human Services (HHS) to adopt security standards for certain health information. These standards, known as the HIPAA Security Rule, were published on February 20, 2003. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.
- Computer Security Act (CSA) & Federal Information Security Management Act (FISMA) – Delegated responsibility to NIST and the NSA to create standards and guidelines to help federal agencies comply with congressional mandates.

NIST provides standards and guidelines in the Risk Management Framework (RMF). The Committee on National Security Systems (CNSS) spin-off of the RMF is CNSS 1253, which provides compliance for CNSS Policy 22 (IARMP) and National Security Directive 42 on Security of National Security Systems.

8 Congress and the President
Section A Congress and the President

9 Legislative History There exists a history of information assurance regulations that date back to 1983… two years after International Business Machines introduced the IBM PC. The Computer Security Act of 1987, for example, was the first piece of legislation from Congress to address computer security. It initially tasked NIST to provide guidelines and standards for implementing computer security. NIST has since published many Special Publications (SP) or guidelines to the computer security community. Good information systems security is good business and IT professionals would be hard pressed to find a better source of information pertaining to all aspects of computer security than in the documents issued by NIST. The substance of these laws and regulations, as they apply to IT professionals, is that IT professionals understand their expanding roles and responsibilities so they may interface successfully with other aspects of managing the Government like a business. Their actions and decisions must align with the business goals of the organization.

10 Another stellar piece of legislation is the Clinger-Cohen Act of 1996, which requires government agencies to use performance-based management principles for acquiring and managing information technology. This slide presents a graphical representation of the link between implementing systems security and management using elements of the Clinger-Cohen Act. All aspects of capital planning are taken into consideration just as they would be in a private business:
- Cost/benefit analysis
- Performance standards
- Accountability
- Life expectancy
- Multiple uses

The Clinger-Cohen Act also requires agency Chief Information Officers (CIOs) to develop an integrated information technology architecture. The Federal Enterprise Architecture (FEA) is an OMB program that intends to comply with the Clinger-Cohen Act and provide a model for sharing information and resources across all Federal agencies. This will reduce overall spending and provide continuity in Government services.

11 The Business Reference Model
The Business Reference Model of the FEA represents the business of Government using a function-driven approach. Horizontal Lines of Business (LoB) reform previous managerial practices that use stovepipe, agency-centric management. For example, every agency provides IT training and awareness programs that have the same general requirements, yet are implemented differently according to the culture and politics of each individual agency. IT training is a function that is an easily identifiable Line of Business. This is a service that should come from a single source, providing consistency and continuity to the rest of the Federal Government. IT professionals must recognize that the Government of the future will be a competitive one. Stability and complacency in government positions and wasteful, inefficient management will be outdated as agencies compete for these Lines of Business.

Risk Management and the Clinger-Cohen Act

How exactly does a system administrator's responsibility for computer security tie into the Clinger-Cohen Act? For starters, pursuant to CCA and FISMA, NIST issues Federal Information Processing Standards (FIPS) with which all agencies must comply. For example, FIPS 199 requires that all agencies categorize their information systems according to the information stored, processed or transmitted by those systems. Information is categorized from a catalog of information types listed in NIST SP, Guide for Mapping Types of Information and Information Systems to Security Categories. These information types tie to Lines of Business in the Business Reference Model. The simple act of categorizing an information system accomplishes many goals that contribute to an efficient, well-managed business. First, it identifies the importance of that system based on the information it stores, processes or transmits. If you know the value of the system, you know how much effort should be required to protect that system. Second, system categorization associates that asset with Lines of Business within the agency's enterprise architecture, which reduces administrative overhead for other tasks such as budgeting and capital planning.
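As an added worked example (not code from the presentation, and not NIST's own tooling), the following Python script carries out the FIPS 199 categorization the slide describes: each information type carries a LOW, MODERATE or HIGH impact level for confidentiality, integrity and availability, and the system's security category is the per-objective high-water mark (the highest level) across every information type the system stores, processes or transmits; the overall impact level, as FIPS 200 defines it, is the highest of the three objectives. The information types, their impact levels and the system name below are constructed sample values, not entries from NIST SP 800-60.

```python
"""FIPS 199 security categorization by the high-water mark rule.

Added example. The information types and impact levels are constructed
sample data, not taken from NIST SP 800-60 or from the presentation.
"""
from dataclasses import dataclass

# FIPS 199 potential impact levels, ordered from least to most severe.
IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Return the highest impact level among the given levels (FIPS 199 rule).

    Levels are case-insensitive; anything outside LOW/MODERATE/HIGH is rejected
    so a typo in a categorization worksheet cannot silently lower the result.
    """
    normalized = [level.upper() for level in levels]
    for level in normalized:
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {level}")
    return max(normalized, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types):
    """Security category of a system: per-objective high-water mark across all
    information types, plus the FIPS 200 overall impact level."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    sc = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    # FIPS 200: the system's overall impact level is the highest objective.
    sc["overall"] = high_water_mark(sc.values())
    return sc


def format_sc(system_name, sc):
    """Render the result in FIPS 199 notation:
    SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    return (f"SC {system_name} = {{(confidentiality, {sc['confidentiality']}), "
            f"(integrity, {sc['integrity']}), (availability, {sc['availability']})}}")


# Constructed sample: a hypothetical agency training portal (a Line of Business
# like the IT training example on the slide) carrying three information types.
# The impact levels are illustrative assumptions, not SP 800-60 values.
SAMPLE_TYPES = [
    InformationType("Training course catalog", "LOW", "LOW", "LOW"),
    InformationType("Employee training records", "MODERATE", "MODERATE", "LOW"),
    InformationType("System access credentials", "HIGH", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    result = categorize_system(SAMPLE_TYPES)
    print(format_sc("training-portal", result))
    print("overall impact level:", result["overall"])
```

The point the script makes is the one the slide makes in prose: a single HIGH-confidentiality information type pulls the whole system to a HIGH category, which in turn sets how much protection effort (and budget) the system warrants.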

12 One of the five government-wide initiatives of the PMA is Expanded Electronic Government, codified by the E-Government Act of 2002. Title III of the E-Government Act, Information Security, has the most direct impact on defining and expanding the responsibilities of those involved in operating, managing and securing Government Agency information systems. Other considerable components of E-Government that IT professionals should be aware of include supporting the goals of developing IT enterprise architecture and taking a business-minded approach to managing Federal IT systems.

Expanding E-Government

The Expanding E-Government initiative of the President's Management Agenda is more than just information security; it is employing technology to improve how the Government serves its citizens, businesses and state and local governments. The information policy of E-Government provides an agenda for Federal information systems to include not just security, but also privacy and capital planning, as well as a standardized model for an information technology architecture that lends to the overarching goal of function-driven business in Government. In hopes of attaining these goals, the OMB is taking a business-motivated approach in developing enterprise architecture. To that end, OMB is identifying opportunities to simplify and consolidate work into lines of business across the Federal Government.

13 E-Government Act of 2002 Public Law 107-347
- Establishes Office of E-Gov within OMB
- Areas of E-Gov: Capital planning and investment control for information technology; Development of enterprise architectures (FEA); Information Security (Title III); Access to government information
- Establishes CIO Council in the Executive branch

The purpose of this Act is to enhance the management and promotion of electronic government services and processes by establishing a federal Chief Information Officer (CIO) within OMB, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to government information and services and for other purposes. This law codifies OMB's role, which is to provide an E-Gov administrator through the Office of E-Government that requires agencies to support cross-agency initiatives such as Federal Enterprise Architecture. There is also a requirement for agencies to make annual reports to Congress as to the progress made on the agency's systems security program. Agencies must establish and operate IT training programs for their personnel. Under Section 208 of the E-Government Act, agencies must conduct Privacy Impact Assessments (PIA) for new IT investments and on-line information collections. The intent of PIAs is to prompt federal agencies to consider the risks of collecting PII prior to its collection. Subsequent to the passage of the E-Government Act, OMB requires agencies to make their PIAs publicly available to interested citizens in the interest of promoting transparency, in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26. The memorandum provides detailed implementation guidance on Section 208 and outlines required disclosures.

14 What is FISMA? Title III of E-Gov Act of 2002
Requires each Federal Agency to:
- Implement an information security program
- Report annually to OMB on the adequacy of the security program
- Address adequacy in plans and reports relating to annual budgets
- Report any significant deficiency
Continuously evolving

The Federal Information Security Management Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has received much criticism for requiring a huge effort and budget for documenting and reporting the C&A process. I contend that it was a process that needed to begin. We needed to crawl before we could stumble through those first, unstable, baby steps of securing our federal information systems. The process is maturing, and it will continue to grow and become ever more effective in elevating our security posture and lowering our risk.

15 The Evolution of FISMA Compliance
This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security.
- Continuous Monitoring
- Timely and role-relevant information
- Outcome-based metrics: "metrics are a policy statement about what Federal entities should concentrate resources on"
- Monthly data feeds directly from security management tools (CyberScope)
- Government-wide benchmarking on security posture (questionnaire)
- Agency-specific interviews (CyberStat with DHS)

Beginning in FY 2010, FISMA reporting for agencies transitioned from multiple MS Excel spreadsheets from the CIO, Senior Agency Official for Privacy (SAOP), and Office of Inspector General (OIG) to a modern information system called CyberScope. In the first year, agency responses were due November 15, 2010 and corresponded with the submission date of the agencies' audited financial statements, Performance and Accountability Reports (PAR), and other reports to Congress. In the first year, agencies followed a three-tiered approach in CyberScope:
- Data feeds directly from security management tools (first quarterly and then monthly)
- Government-wide benchmarking on security posture
- Agency-specific interviews

This three-tiered approach is a result of the task force established in September 2009 to develop new, outcome-focused metrics for information security performance for Federal agencies. This task force concentrated on developing metrics that would advance the security posture of agencies and departments. The metrics effort continues to evolve today and is led by DHS' Continuous Diagnostics and Mitigation (CDM) Program (http://www.dhs.gov/cdm). CyberScope is the platform for the current FISMA submissions. Agencies must use a Personal Identity Verification (PIV) card, compliant with Homeland Security Presidential Directive 12, to access CyberScope via the OMB portal. FISMA submissions for non-national security information systems will not be accepted outside of CyberScope. National Security Systems and other DoD systems utilize similar security metrics to those found in DHS's CyberScope; however, that classified system has additional security measures and reporting metrics.

16 Continuous Monitoring to Provide Timely, Relevant Information
Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management all need to have different levels of this information presented to them in ways that enable timely decision making.

Data feeds directly from security management tools

Agencies are already required to report each quarter. Beginning with the 3rd quarter of FY2010, agencies were required to report new information and, beginning January 1, 2011, agencies were required to report on this new information monthly. The new data feeds will include summary information, not detailed information, in the following areas for CIOs:
- Inventory
- Systems and Services
- Hardware
- Software
- External Connections
- Security Training
- Identity Management and Access

If agencies are unable to provide direct feeds from their security management tools, they are required to provide a data feed through an Excel template as an XML uploaded to CyberScope.

Government-wide benchmarking on security posture

A set of questions on the security posture of the agencies will also be asked in CyberScope. All agencies, except microagencies, will be required to respond to these questions in addition to the data feeds.

Agency-specific interviews

As a follow-up to the questions described above, a team of government security specialists will interview all agencies individually on their respective security postures. These interviews will be focused on specific threats that each agency faces as a function of its unique mission. The information collected in these interviews will also inform the FY 2010 Report on FISMA to the Congress. This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security.

17 FISMA Reporting Metrics
- Administration Priorities (AP)
- Key FISMA Metrics (KFM)
- Baseline Questions (Base)

The Federal cybersecurity defensive posture is a constantly moving target. It is constantly shifting because of the relentless dynamic threat environment, emerging technologies, and new vulnerabilities. Many threats can be mitigated by following established cybersecurity best practices, but advanced attackers often search for poor cybersecurity practices and target associated vulnerabilities. The FY12 FISMA Metrics, discussed in the following sections, establish baseline security practices as an entry-level requirement for all Federal agencies. However, mitigating advanced attackers requires personnel with advanced cybersecurity knowledge and awareness of the agency's enterprise security posture. Because cybersecurity is a very important factor for agencies to be able to provide unimpeded essential services to citizens, in FY11 the Administration identified 3 FISMA priorities. They are defined as: Continuous Monitoring; Trusted Internet Connection (TIC) capabilities and traffic consolidation; and Homeland Security Presidential Directive (HSPD)-12 implementation for logical access control. In FY12, these priorities continue to provide emphasis on FISMA metrics that are identified as having the greatest probability of success in mitigating cybersecurity risks to agency information systems. In FY 2013, the Administration Priorities were:
- Continuous Monitoring
- Trusted Internet Connection v2.0 Capabilities
- Multi-factor authentication in accordance with HSPD-12

Due to the changing threat landscape, Administration Priorities shifted slightly in FY2014, with OMB's top priority becoming TIC capabilities, followed by multi-factor authentication and then Continuous Monitoring. OMB's priorities and delegated responsibilities to DHS are described in detail each year in annual reporting instructions. The most recent, dated November 18, 2013, is titled Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. Information security professionals should closely read the annual OMB FISMA and Privacy reporting instructions, including the Frequently Asked Questions (FAQ) section, to identify changes in OMB guidance and priorities.

18 Knowledge Check
- This law gave OMB the authority to define policies for US Government Agencies.
- This law assigned responsibilities to NIST for creating standards and guidelines relating to securing Federal information systems.
- This OMB program provides a structure for Agencies to identify business processes.

19 NIST - National Institute of Standards and Technology
Section B NIST - National Institute of Standards and Technology

20 NIST, Computer Security Division
Federal Information Security Management Act (FISMA) Implementation Project: Protecting the Nation's Critical Information Infrastructure
- Standards for categorizing (FIPS 199)
- Standards for minimum security requirements (FIPS 200)
- Guidance for selecting security controls (SP)
- Guidance for assessing security controls (SP A)
- Guidance for the security authorization (SP)
- Guidance for monitoring the security controls (SP)
- Guidance for identifying National Security Systems (800-59)

Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:
- Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements (such as management, operational, and technical controls) for information and information systems in each such category.

Vision Statement: To promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act, including:
- Standards for categorizing information and information systems by mission impact
- Standards for minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining security control effectiveness
- Guidance for the security authorization of information systems
- Guidance for monitoring the security controls and the security authorization of information systems

21 Risk Management Framework
The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and several NIST Special Publications. Additional security guidance documents are being developed in support of the project, including further NIST Special Publications. It should be noted that the Computer Security Division continues to produce other security standards and guidelines in support of FISMA. These publications can be located by visiting the division's Publications page.

22 OMB – Office of management and budget
Section C OMB – Office of management and budget

23 The Management Side of OMB
- Office of Federal Financial Management
- Office of Federal Procurement Policy
- Office of E-Government and Information Technology
- Office of Performance and Personnel Management
- Office of Information and Regulatory Affairs

The Office of Federal Financial Management (OFFM) develops and provides direction to improve financial management and systems; to reduce improper payments; to improve grants management; and to "right-size" Federal real property. OFFM also coordinates the activities of the Chief Financial Officers and Senior Real Property Officers. The Office of Federal Procurement Policy (OFPP) works with agencies to improve Federal procurement practices that affect the full range of Federal acquisitions. The Office of E-Government and Information Technology, headed by the Federal Government's Chief Information Officer (currently Steven VanRoekel), develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation. The Office of Performance and Personnel Management (OPPM) works with agencies to encourage use and communication of performance information and to improve results and transparency. OPPM also works closely with OPM to advance effective personnel practices. The Office of Information and Regulatory Affairs (OIRA) has a number of functions, including information policy, statistical policy, and regulatory policy.

24 OMB Instructions Circulars “A-” Memoranda “M-” Budget
Circular subject areas:
- State and Local Governments
- Educational and Non-Profit Institutions
- Federal Procurement
- Federal Financial Management
- Federal Information Resources / Data Collection
- Other Special Purpose

Memoranda "M-": Providing further explanation and guidance

Circulars are instructions or information issued by OMB to Federal agencies. These are expected to have a continuing effect of two years or more. The system of Circulars and Bulletins, established in 1948, is employed to communicate various instructions and information to the executive departments and establishments. The Circular series is used when the nature of the subject matter is of continuing effect. Circulars are identified by the letter "A" and a number.

25 OMB Circular A-130
- Establishes policy for the Management of Federal Information Resources
- Issued under the authority of the Paperwork Reduction Act and Clinger-Cohen Act
- Appendix I, Federal Agency Responsibilities for Maintaining Records about Individuals – Guidance for implementing the Privacy Act of 1974
- Appendix III, Security of Federal Automated Information Resources – Establishes the concept of a minimum set of security controls; establishes key definitions used by NIST Special Publications

Circular A-130 was first issued in December of 1985 to meet information resource management requirements that were included in the Paperwork Reduction Act (PRA) of 1980. Specifically, the PRA assigned responsibility to the OMB Director to develop and maintain a comprehensive set of information resources management policies for use across the Federal government, and to promote the application of information technology to improve the use and dissemination of information in the operation of Federal programs. The initial release of the Circular provided a policy framework for information resources management (IRM) across the Federal government. Since the time of the Circular's first release in 1985, Congress has enacted several additional laws and OMB has issued several guidance documents that relate to information technology management in federal agencies. To account for these new laws and guidance, OMB has revised the Circular three times, in 1994, 1996, and 2000. As aptly expressed in the CIO Council's Architecture Alignment and Assessment Guide (2000), Circular A-130 can be thought of as a "...one-stop shopping document for OMB policy and guidance on information technology management".

26 OMB A-130 Background
Privacy Act of 1974
Paperwork Reduction Act of 1980
Computer Security Act of 1987
Clinger-Cohen Act of 1996
Government Paperwork Elimination Act of 1998

OMB draws its authority to establish specific requirements for federal information systems from the following legislation.

Privacy Act of 1974: federal agency responsibilities for maintaining records about individuals. A key requirement of the Privacy Act is publication of a System of Records Notice (SORN) in the Federal Register before collecting information in identifiable form (IIF). OMB defines IIF as information in an information system or an on-line collection that directly identifies an individual (e.g., name, address, Social Security number (SSN) or other identifying code, telephone number, email address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, introduces the term Personally Identifiable Information (PII) as the replacement for IIF.

Paperwork Reduction Act of 1980: emphasizes a risk-based policy for cost-effective security.

Computer Security Act of 1987: requires security plans from all operators of federal computer systems that contain sensitive information, and mandatory periodic training for all persons involved in the management, use or operation of those systems.

Clinger-Cohen Act of 1996: security of federal automated information resources. The Clinger-Cohen Act, also known as the Information Technology Management Reform Act of 1996, grants the Director of OMB various authorities for overseeing the acquisition, use and disposal of information technology by the federal government, so as to improve the productivity, efficiency and effectiveness of federal programs. It supplements the information resources management (IRM) policies contained in the Paperwork Reduction Act of 1980.

Government Paperwork Elimination Act of 1998: provides for the optional use and acceptance of electronic documents and signatures, and for electronic record keeping where practicable.

27 OMB A-130, Appendix III
Definitions: GSS (General Support System); MA (Major Application); Adequate security
Assignment of Responsibilities
Reporting Deficiencies and Corrective Actions
Security Plan Summary

This appendix establishes key definitions used in subsequent NIST security publications and federal legislation.

Adequate security is security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.

General support system (or "system") is an interconnected set of information resources under the same direct management control which shares common functionality.

Major application is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

The agency Designated Approving Authority (DAA) has specific requirements and responsibilities under this circular. This individual must be a management official who is knowledgeable in the information and processes supported by the system, and in the management, personnel, operational and technical controls used to protect it. The circular requires the DAA to re-authorize the information system in writing at least every three years. NIST subsequently built on this requirement in NIST SP with a three-year Certification and Accreditation (C&A) cycle, so that a senior agency official remains responsible for the security of the information system. Finally, A-130 requires that the security controls of a federal information system be reviewed whenever significant modifications are made to the system.

28 OMB Memoranda
General Guidance: POA&Ms; Continuity Plans; FDCC; Trusted Internet Connections
Reporting Guidance: GISRA; FISMA; Incidents involving PII
Policies: Federal Agency Public Websites; "File Sharing" Technology
Implementation Guidance: Government Paperwork Elimination Act; E-Government Act; HSPDs

Trusted Internet Connections
FISM – Trusted Internet Connections (TIC) Reference Architecture v2.0 (the EINSTEIN intrusion detection sensors are deployed at the TIC access points; TIC and EINSTEIN are related but distinct programs)
M – Update on the Trusted Internet Connections Initiative
M – Guidance for Trusted Internet Connection (TIC) Compliance
M – Guidance for Trusted Internet Connection Statement of Capability Form (SOC)
M – Implementation of Trusted Internet Connections (TIC)

FISMA Reporting
M-14-04 – FY2013 Reporting Instructions for FISMA and Agency Privacy Management (November 18, 2013)
M-12-20 – FY2012 Reporting Instructions for FISMA and Agency Privacy Management (September 27, 2012)
FISM (signed) – FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
M-11-33 – FY 2011 Reporting Instructions (also issued as FISM 11-02) *
M-10-15 – FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (April 21, 2010)

FDCC
M – Guidance on the Federal Desktop Core Configuration (FDCC). FDCC later evolved into the United States Government Configuration Baseline (USGCB).
M – Ensuring New Acquisitions Include Common Security Configurations
M – Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

* The Department of Homeland Security issues Federal Information Security Memoranda (FISM) to inform federal departments and agencies of their responsibilities, required actions and effective dates for achieving federal information security policies.

29 Privacy
M – New FISMA Privacy Reporting Requirements for FY 2008
M – Safeguarding Against and Responding to the Breach of Personally Identifiable Information
M – Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials
Recommendations for Identity Theft Related Data Breach Notification
M – Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
M – Protection of Sensitive Agency Information
M – Safeguarding Personally Identifiable Information
M – Designation of Senior Agency Officials for Privacy
M – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
M – Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy

HSPD-12
M-11-11 – Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (February 3, 2011)
M – HSPD-12 Implementation Status
M – Acquisition of Products and Services for Implementation of HSPD-12
M – Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12
M – Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors

30 Wikileaks
M-11-08 – Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems
M-11-06 – WikiLeaks - Mishandling of Classified Information

Data Sharing
M-11-02 – Sharing Data While Protecting Privacy
M – Personal Use Policies and "File Sharing" Technology

IT Project Review
M-10-31 – Immediate Review of Information Technology Projects
M-10-30 – Science and Technology Priorities for the FY 2012 Budget
M-10-25 – Reforming the Federal Government's Efforts to Manage Information Technology Projects

Cybersecurity Responsibilities
M-10-28 – Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security

Web
M-10-23 – Guidance for Agency Use of Third-Party Websites and Applications
M-10-22 – Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010)
M – Policies for Federal Agency Public Websites
M – E-Authentication Guidance for Federal Agencies
M – Privacy Policies on Federal Web Sites

Health Information
M-10-10 – Federal Agency Coordination on Health Information Technology (HIT)

Governance Framework
M – Information Technology Management Structure and Governance Framework

DNSSEC
M – Securing the Federal Government's Domain Name System Infrastructure

Integrity
M – Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services

31 Business Continuity
M – Regulation on Maintaining Telecommunication Services During a Crisis or Emergency in Federally-owned Buildings
M – Development of Homeland Security Presidential Directive (HSPD) 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources
M – Business Continuity and Contingency Planning for the Year 2000
M – Day One Planning and Request for Updated Business Continuity and Contingency Plans

Miscellaneous
M – Software Acquisition
M – Implementation Guidance for the E-Government Act of 2002
M – Guidance for Preparing and Submitting Security Plans of Action and Milestones
M – OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
M – Incorporating and Funding Security in Information Systems Investments
M – Security of Federal Automated Information Resources

32 Trusted Internet Connections M-09-32
Inventory External Connections
Meet TIC Critical Technical Capabilities
Implement Critical TIC Capabilities
Acquire Telecommunications Connectivity Through the Networx Contract
Consolidate External Connections Through Approved Access Points (TICAPs)

Introducing Federal Information Security Memoranda (FISM) from DHS:
FISM – Trusted Internet Connections (TIC) Reference Architecture v2.0
M – Update on the Trusted Internet Connections Initiative
M – Guidance for Trusted Internet Connection (TIC) Compliance
M – Guidance for Trusted Internet Connection Statement of Capability Form (SOC)
M – Implementation of Trusted Internet Connections (TIC)

In November 2007, OMB announced the Trusted Internet Connections (TIC) Initiative to reduce the number of external access points, including Internet connections, and to ensure that all external connections are routed through an OMB-approved TIC. Based on solicited agency Statements of Capability, OMB also designated twenty agencies as TIC Access Providers (TICAPs). Each TICAP agency was authorized two locations at which it must reduce and consolidate all of its external connections. The initiative is currently managed by the Network and Infrastructure Security (NIS) branch of DHS. The NIS branch also oversees the deployment of the EINSTEIN 2 capability, an automated intrusion detection system that monitors federal Internet traffic for malicious activity and provides near-real-time identification of it.

33 CIO Reporting Metric #7: Boundary Protection
Target Level for 2014

Since FY2012, the annual FISMA security metrics have included performance metrics related to TIC capabilities. For FY2014, federal agencies should pass 95% of their network traffic through a TIC provider, and 100% of federal agencies must use a TIC-accredited provider. OMB continues to encourage federal agencies to use a TIC provider and the EINSTEIN 2 intrusion detection capability, because NSA and other intelligence agencies build custom detection signatures that are not available to commercial IDS providers.

34 Reporting Instructions (Changes): OMB M-11-33 / FISM 11-02 / FISM 12-02
CyberScope: "...collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities."
Monthly Data Feeds
Quarterly Reporting
Annual Reporting (mid-November)
Information Security Questions
CyberStat Review Sessions and Agency Interviews (conducted by DHS)
FAQ (9): Must the DoD and the ODNI follow OMB policy and NIST guidelines? Yes.
FAQ (34): Is reauthorization required every 3 years? No.
FAQ (42): Mandatory use of secure configurations (USGCB)

Historically the reporting instructions were released once a year:
M – GISRA and Updated Guidance on Security Plans of Action and Milestones
M – FY 2003 FISMA and Quarterly IT Security Reporting
M – FY 2004 FISMA and Quarterly IT Security Reporting
M – FY 2005
M – FY 2006
M – FY 2007
M – FY 2008: "New FISMA Privacy Reporting Requirements"
M – FY 2009: "the means of collection have changed substantially. This year, rather than using spreadsheets, the annual FISMA report data collection will occur via an automated reporting tool."
M – FY 2010: the automated reporting tool now has a name, CyberScope
M – FY 2011: responsibility for the instructions is handed over to DHS; updates are now found in the DHS Federal Information Security Memorandum (FISM) system
FISM – FY2011 Reporting Instructions for FISMA and Agency Privacy Management
FISM – FY2012 FISMA Reporting Instructions
FISM – FY2013 Reporting Instructions for FISMA and Agency Privacy Management
Newest: M – FY 2013 Reporting Instructions for FISMA and Agency Privacy Management, dated November 18, 2013

35 To maximize the timeliness and fidelity of security-related information, the collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities.

As stated in previous FISMA guidance, agencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information, delivered more quickly than ever before. To comply with this guidance, agencies will carry out the following activities:
Establish monthly data feeds to CyberScope;
Respond to security posture questions; and
Participate in CyberStat accountability sessions and agency interviews.

Monthly Data Feeds: Agencies must load data from their automated security management tools into CyberScope on a monthly basis for a limited number of data elements. While full implementation of automated security management tools across agencies will take time, agencies should report what they can using output from their automated security management tools. These reporting requirements will mature over time.

Information Security Questions: In addition to providing the data feeds described above, agencies are also required to answer a set of information security questions in CyberScope. These questions address areas of risk and are designed to assess the implementation of security capabilities and measure their effectiveness.

CyberStat Review Sessions and Agency Interviews: Building on the TechStat model, DHS launched CyberStat accountability sessions in January. Through CyberStat, DHS cybersecurity experts engage with selected agencies to help them develop focused action plans for improving their information security posture.

CyberStat is grounded in analysis of the data provided through CyberScope and other key data sources. The development of clear and consistent metrics for CyberScope has improved the ability of agencies to be accountable for outcomes. As DHS works with agencies to improve data quality, the insights provided through CyberStat and CyberScope will enable DHS to assist agencies in quickly addressing problems that pose risks. DHS-led CyberStat sessions promote accountability and assist Federal civilian agencies in driving progress on key strategic enterprise cybersecurity capabilities. Specifically, CyberStat is designed to:
Highlight capability areas where agencies must place additional focus;
Help agencies remove roadblocks to meeting requirement standards; and
Recognize agencies in those areas where they are meeting requirement standards.

36 Effective Dates of Compliance

Monthly Data Feeds: Agencies are required to submit information security data to CyberScope by close of business on the fifth calendar day of each month. Small and micro agencies are not required to submit monthly reports, although they are highly encouraged to do so.

Quarterly Reporting: Moving forward, agencies will be expected to submit metrics data for the 1st, 2nd and 3rd quarters. For the 1st quarter, agencies must submit their updates to CyberScope between January 1 and January 15. For the 2nd quarter, agencies must submit their updates between April 1 and April 15. For the 3rd quarter, agencies must submit their updates between July 1 and July 15. Agencies are not expected to submit metrics data for the 4th quarter, other than what is required for the annual report.

Annual Reporting: The due date for annual FISMA reporting through CyberScope is generally November 15 and coincides with the due date for annual financial statements.

Frequently Asked Questions about FISMA Reporting (deltas)

Must the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI) follow OMB policy and NIST guidelines? Yes. For non-national security systems, DoD and ODNI are to incorporate OMB policy and NIST guidelines into their internal policies. For national security systems, the Joint Task Force Transformation Initiative (JTFTI) Interagency Working Group, with representatives from the Civil, Defense and Intelligence Communities (IC), started an on-going effort in FY2009 to produce a unified information security framework for the Federal Government. Under this effort, DoD and ODNI jointly issued with NIST the following publications:
NIST SP, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010.
NIST SP A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010.
NIST SP, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.
NIST SP, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
NIST SP, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Because these guidelines are jointly issued, DoD and ODNI policies for national security systems should incorporate them.

37 Is a security reauthorization still required every 3 years, or when an information system has undergone significant change, as stated in OMB Circular A-130?

No. Rather than enforcing a static, three-year reauthorization process, agencies are expected to make ongoing authorization decisions for information systems by leveraging security-related information gathered through the implementation of ISCM programs. The implementation of ISCM and ongoing authorization thus fulfills the three-year security reauthorization requirement, so a separate re-authorization process is not necessary.

What are the minimally acceptable system configuration requirements?

In FY 2007, OMB issued policy (M-07-11) for agencies to adopt security configurations for Windows XP and Vista, as well as policy for ensuring that new acquisitions include common security configurations. In FY 2010, the CIO Council announced the creation of the United States Government Configuration Baseline (USGCB), which is maintained by the CIO Council's Technology Infrastructure Subcommittee. Baselines developed under the USGCB should be applied to Federal systems. See the USGCB site for more information.

Supplemental information about USGCB, not in OMB's annual instructions: The USGCB settings replace the Federal Desktop Core Configuration (FDCC) settings and provide the recommended security baselines for Information Technology products widely deployed across the agencies. The first platforms addressed by USGCB were Microsoft Windows 7, the Windows 7 Firewall and Internet Explorer 8. NIST revised the initial configuration settings for Windows Vista, the Vista Firewall, Windows XP, the XP Firewall and Internet Explorer 7 from those originally proposed in FDCC. In January 2014, NIST released settings for the Red Hat Enterprise Linux 5 desktop. Candidate settings for Mac OS X and Windows 8 should be available soon.

38 Reporting Instructions (Changes) FY2013 and FY2014
OMB guidance continues to evolve in M. Key changes occurred in the following areas:
Increased emphasis on privacy controls: Authorizations to Operate (ATO) require the Senior Agency Official for Privacy to sign off; SP Rev 4, Appendix J Privacy Controls, is added to the mandatory control baseline.
POA&Ms now track only the security weaknesses that will be remediated.
Monthly and quarterly reporting of CIO metrics is required of all "CIO Council member agencies" rather than the smaller list of 24 CFO Act agencies.

Responses to OMB's Frequently Asked Questions (FAQ) in the annual FISMA and Privacy memorandum illustrate the changing priorities and guidance. Below are a few of the more significant changes for FY2014.

Privacy: The Annual Privacy Report, submitted via CyberScope, should now also include "the description of the agency's privacy training for employees and contractors". Senior Agency Officials for Privacy (SAOP) are responsible for implementation of NIST SP, Appendix J (Privacy Controls), and assessment of those controls must be conducted by the SAOP or a designated representative. Appendix J privacy controls can be treated as common controls, with the determination made by the SAOP in collaboration with the other agency officials in charge of risk management decisions. SAOP approval is required as a precondition for the issuance of an ATO for agency information systems.

Plans of Action and Milestones (POA&M): POA&Ms should now track only the security weaknesses that will be remediated. Previously, agencies were required to track all security weaknesses in the POA&M, including those for which the risk would be accepted.

CIO Reporting via CyberScope: Monthly and quarterly reporting of security metrics to OMB is expanded to both large and small federal agencies. Only the CIOs of micro-agencies (i.e., fewer than 100 employees) are exempt from monthly and quarterly reporting.

39 Reporting Instructions (Changes) FY2013 and FY2014
Continuous Monitoring: rebranded as Information Security Continuous Monitoring (ISCM)
Security Overlays: develop a set of security controls addressing the unique threat profile of a community for community-wide use (health care, intelligence, industrial control systems, cloud computing). New concept from Rev 4.
Mobile Device Security: added emphasis that data protection (i.e., encryption) and remote access security controls apply to mobile devices

4. OMB adopts the terminology and acronym ISCM used in NIST SP, Information Security Continuous Monitoring for Federal Information Systems and Organizations. FAQ #35 emphasizes that agencies must develop and implement ISCM strategies.

5. Security Overlays: OMB advocates that federal agencies use "security overlays" when the standard security control baselines (Low, Moderate, High) from NIST SP do not address a unique threat profile. The security controls mandated by GSA's FedRAMP program are an example of a tailored set of security controls that blends the Moderate and High control baselines. Additional details are found in Section 3.3 and Appendix I of SP Rev. 4.

6. Emphasis on Mobile Device Security: Agencies can leverage the guidance in the Federal Mobile Security Baseline, the Mobile Computing Decision Framework and the Mobile Security Reference Architecture to help secure agency mobile devices (iPads, iPhones, Android, etc.). This guidance was issued in May 2013 by the Federal Chief Information Officer (CIO) Council.

40 Standardized Desktop OS Configuration Settings
Federal Desktop Core Configuration (FDCC): Windows XP and Vista
United States Government Configuration Baseline (USGCB): Windows 7 and IE 8; Red Hat Enterprise Linux Desktop; in development: Mac OS X and Windows 8
Security Content Automation Protocol (SCAP)
M – Guidance on the Federal Desktop Core Configuration (FDCC)
M – Ensuring New Acquisitions Include Common Security Configurations
M – Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

In March 2007, OMB Memorandum M announced the "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems", directing agencies that had deployed Windows XP, or that planned to upgrade to the Vista operating system, to adopt the Federal Desktop Core Configuration (FDCC) security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate in M. Candidate settings for Mac OS X and Windows 8 should be available soon.

The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. For more information about SCAP, see NIST SP, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2, and SP, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. The USGCB, like its predecessor FDCC, uses SCAP-based technology to assess whether systems are properly configured according to the recommended USGCB baseline settings: a scanner evaluates each checklist rule on the host and records a per-rule result (pass, fail, notapplicable, and so on) in an XCCDF TestResult, which is what a compliance report is built from.
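The following is an added example (it is not code from the FITSP-A slides, from NIST, or from any USGCB tooling) showing what "SCAP-based assessment" produces and how a practitioner scores it: it parses a constructed, minimal XCCDF 1.2 TestResult, the document a SCAP scanner emits after checking a host against a baseline, and computes a weighted compliance score. The rule identifiers, weights, target name and results in the embedded XML are hypothetical; the scoring is a simplified form of the XCCDF "flat" model (pass/fixed earn the rule's weight, fail/error/unknown earn nothing, notapplicable/notchecked/notselected/informational are excluded from the maximum), chosen so that uncheckable rules do not inflate the percentage.

```python
"""Score a SCAP/XCCDF TestResult the way a USGCB compliance check is read.

Added example, not from the FITSP-A slides or from NIST/USGCB tooling.
SAMPLE_RESULT is a constructed XCCDF 1.2 TestResult with hypothetical
rule ids, weights and outcomes, embedded so the script runs offline.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample scan output (hypothetical rule ids and results).
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_desktop-scan"
            start-time="2014-03-05T09:00:00" end-time="2014-03-05T09:03:12">
  <benchmark href="usgcb-example-xccdf.xml" id="xccdf_org.example_benchmark_win7"/>
  <target>ws-0042.example.gov</target>
  <rule-result idref="xccdf_org.example_rule_password_min_length" weight="10.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_account_lockout_threshold" weight="10.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_screen_saver_timeout" weight="5.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_disk_encryption" weight="10.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_firewall_enabled" weight="10.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_autorun_disabled" weight="5.0">
    <result>notchecked</result>
  </rule-result>
</TestResult>
"""

# XCCDF result values: which ones earn the rule's weight, which are left out
# of the denominator. Anything else (fail, error, unknown) counts as failing.
PASSING = {"pass", "fixed"}
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_rule_results(xml_text):
    """Return [(rule_id, weight, result)] from an XCCDF 1.2 TestResult."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}TestResult" % XCCDF_NS:
        raise ValueError("not an XCCDF 1.2 TestResult: %s" % root.tag)
    results = []
    for rr in root.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        if result_el is None or not (result_el.text or "").strip():
            raise ValueError("rule-result %s has no <result>" % rr.get("idref"))
        weight = float(rr.get("weight", "1.0"))  # XCCDF default weight is 1.0
        results.append((rr.get("idref"), weight, result_el.text.strip()))
    return results


def flat_score(rule_results):
    """Weighted pass score: returns (score, max_score, failing_rule_ids)."""
    score = max_score = 0.0
    failing = []
    for rule_id, weight, result in rule_results:
        if result in EXCLUDED:
            continue  # not part of the denominator
        max_score += weight
        if result in PASSING:
            score += weight
        else:
            failing.append(rule_id)  # fail, error, unknown: needs attention
    return score, max_score, failing


def compliance_report(xml_text, threshold_pct=100.0):
    """Summarize one host's scan: score, percentage, failing rules, verdict."""
    root = ET.fromstring(xml_text)
    target = root.findtext("x:target", default="?", namespaces=NS)
    score, max_score, failing = flat_score(parse_rule_results(xml_text))
    pct = 100.0 * score / max_score if max_score else 0.0
    return {
        "target": target,
        "score": score,
        "max_score": max_score,
        "percent": round(pct, 2),
        "failing": failing,
        "compliant": pct >= threshold_pct,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_RESULT)
    print("%s: %.1f/%.1f (%.2f%%) compliant=%s" % (
        report["target"], report["score"], report["max_score"],
        report["percent"], report["compliant"]))
    for rule_id in report["failing"]:
        print("  FAIL", rule_id)
```

Two things worth noticing: a rule reported as notchecked is not a pass, so it is dropped from the denominator rather than silently counted as compliant, and the failing rule list is what feeds a POA&M entry or a documented deviation from the baseline, which is the operational reason for collecting per-rule results rather than a single percentage.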

41 Privacy and Privacy Reporting: M-07-16
Safeguarding PII
Breach Notification Policy
SAOP Reporting Metrics FY2012: Information Security Systems (with PII); PIAs and SORNs; Privacy Training; PIA and Web Privacy Policies and Processes; Written Privacy Complaints; SAOP Advice and Guidance; Agency Use of Web Management and Customization Technologies (e.g., "cookies", "tracking technologies")

M – Safeguarding Personally Identifiable Information
M – Designation of Senior Agency Officials for Privacy
M – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
M – Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy
M – Safeguarding Against and Responding to the Breach of Personally Identifiable Information: Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. As part of the work of the Identity Theft Task Force, this memorandum requires agencies to develop and implement a breach notification policy within 120 days.
M – New FISMA Privacy Reporting Requirements for FY 2008: To maintain a comprehensive context for security and privacy of Federal information across government, the Office of Management and Budget is planning to add the requirement below to agencies' existing annual reporting mechanisms. This memorandum provides advance notice to agencies about information which will be incorporated into the annual reporting requirements for fiscal year 2008 under the Federal Information Security Management Act (FISMA), to be issued next summer.

42 Privacy and Privacy Reporting: M-14-04 and DHS Privacy Metrics
Privacy in OMB's FY2014 Instructions: implementation of NIST SP Appendix J Privacy Controls is mandatory; privacy controls and practices may be considered an agency "common control"; SAOP approval is required for the ATO of a GSS or MA.
DHS FY2014 SAOP FISMA Privacy Metrics: 10 questions covering privacy requirements from the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Agency Data Mining Reporting Act of 2007.

The annual FISMA questions for the Senior Agency Official for Privacy (SAOP) have changed very little from year to year; there were no changes to the annual performance metrics from FY2013 to FY2014. The 10 privacy metric areas are as follows:
Inventory of information systems containing PII
PIAs and SORNs
SAOP responsibilities
Privacy training
PIA and web privacy policies and processes
Conduct of mandated privacy reviews under the Privacy Act, the E-Government Act and the Federal Agency Data Mining Reporting Act of 2007
Written privacy complaints
Policy compliance reviews
SAOP advice and guidance
Agency use of web management and customization technology (e.g., persistent cookies and tracking technology)

The Federal Agency Data Mining Reporting Act of 2007 is a relatively new privacy reporting mandate. The law requires all federal agencies using or developing data mining programs to report annually to Congress on pattern-based analyses of electronic databases used to identify predictive patterns or anomalies that indicate terrorist or criminal activity. The act excludes analyses that are subject-based (that use personal identifiers or inputs associated with individuals), analyses solely intended to detect fraud, waste and abuse in government agencies or programs, and analyses performed for government computer security. Implementation of the law primarily affects DHS, DOJ (FBI), ODNI, CIA and NSA.

43 Knowledge Check
This document provides a policy framework for information resources management across the Federal government.
This OMB memo requires that agencies safeguard against and respond to breaches of personally identifiable information.
Name an initiative to create security configuration baselines for Information Technology products widely deployed across the federal agencies.
Agencies are required to adhere to DHS direction to report data through this automated reporting tool. What is the required frequency of these data feeds?
OMB A-130's stated requirement for reauthorization is at least once every 3 years. What must an agency do to waive that requirement?

44 DHS - Department of Homeland Security
Section D DHS - Department of Homeland Security

45 DHS: Department of Homeland Security
Prevent Terrorism and Enhance Security
Secure and Manage our Borders
Enforce and Administer our Immigration Laws
Safeguard and Secure Cyberspace
Ensure Resilience to Disasters
And now... Cybersecurity!

The Department's mission is to ensure a homeland that is safe, secure and resilient against terrorism and other hazards. DHS has five departmental missions: prevent terrorism and enhance security; secure and manage our borders; enforce and administer our immigration laws; safeguard and secure cyberspace; and ensure resilience to disasters.

1. Prevent Terrorism and Enhance Security
Protecting the American people from terrorist threats is the Department's founding principle and highest priority. Its counterterrorism responsibilities focus on three goals: prevent terrorist attacks; prevent the unauthorized acquisition, importation, movement or use of chemical, biological, radiological and nuclear materials and capabilities within the United States; and reduce the vulnerability of critical infrastructure and key resources, essential leadership and major events to terrorist attacks and other hazards.

46 2. Secure and Manage our Borders
The Department secures the nation's air, land and sea borders to prevent illegal activity while facilitating lawful travel and trade. Its border security and management efforts focus on three interrelated goals: effectively secure U.S. air, land and sea points of entry; safeguard and streamline lawful trade and travel; and disrupt and dismantle transnational criminal and terrorist organizations.

3. Enforce and Administer our Immigration Laws
The Department is focused on smart and effective enforcement of U.S. immigration laws while streamlining and facilitating the legal immigration process. It has fundamentally reformed immigration enforcement, prioritizing the identification and removal of criminal aliens who pose a threat to public safety and targeting employers who knowingly and repeatedly break the law.

4. Safeguard and Secure Cyberspace
The Department has the federal lead for securing civilian government computer systems, and works with industry and with state, local, tribal and territorial governments to secure critical infrastructure and information systems. The Department works to: analyze and reduce cyber threats and vulnerabilities; distribute threat warnings; and coordinate the response to cyber incidents to ensure that our computers, networks and cyber systems remain safe.

5. Ensure Resilience to Disasters
The Department provides the coordinated, comprehensive federal response in the event of a terrorist attack, natural disaster or other large-scale emergency, while working with federal, state, local and private sector partners to ensure a swift and effective recovery effort. The Department builds a ready and resilient nation through efforts to: bolster information sharing; provide grants, plans and training to our homeland security and law enforcement partners; and facilitate rebuilding and recovery along the Gulf Coast.

47 Cybersecurity Responsibilities M-10-28
Office of Management and Budget: Annual FISMA Report to Congress; Cybersecurity Portions of the President’s Budget
Cybersecurity Coordinator: Cybersecurity Strategy and Policy Development
Department of Homeland Security: Critical Infrastructure Protection; US-CERT; Trusted Internet Connection Initiative; Primary Responsibility for the Operational Aspects of Cybersecurity

This memorandum outlines and clarifies the responsibilities of the OMB, the Cybersecurity Coordinator, and DHS, with respect to the Federal Government’s implementation of FISMA. DHS oversees critical infrastructure protection, operates the US-CERT, oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector. OMB has a number of cybersecurity responsibilities, principally in connection with FISMA reporting. The Cybersecurity Coordinator leads the interagency process for cybersecurity strategy and policy development.

DHS will exercise primary responsibility within the Executive Branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA. DHS activities will include (but will not be limited to):
Overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
Overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
Overseeing the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
Overseeing the agencies’ cybersecurity operations and incident response and providing appropriate assistance; and
Annually reviewing the agencies’ cybersecurity programs.

All departments and agencies shall coordinate and cooperate with DHS as it carries out its cybersecurity responsibility and activities as noted here.

48 Presidential Decision Directives
PDD – Presidential Decision Directives (1993–2001) – Clinton
NSPD – National Security Presidential Directives (2001–2009) – G. W. Bush
HSPD – Homeland Security Presidential Directives (2001-) – G. W. Bush and Obama
PSD – Presidential Study Directives (2009-) – Obama
PPD – Presidential Policy Directives

Presidential Directives, better known as Presidential Decision Directives or PDDs, are a form of executive order issued by the President of the United States with the advice and consent of the National Security Council. As a National Security instrument, the PDD articulates the executive's policy, carries the "full force and effect of law", and throughout the terms of presidents has taken on various titles or intents towards national security policy. Since many of the Presidential Directives pertain to the national security of the United States, many were or are promulgated as classified. Various presidents since the administration of John F. Kennedy have issued such directives but under different names.

49 Homeland Security Presidential Directives
HSPD-3 – Homeland Security Advisory System
HSPD-5 – Management of Domestic Incidents
HSPD-7 – Critical Infrastructure Identification, Prioritization, and Protection
PDD-8 – National Preparedness
HSPD-12 – Policy for a Common Identification Standard for Federal Employees and Contractors
HSPD-20/NSPD-51 – National Continuity Policy
HSPD-24 – Biometrics for Identification and Screening to Enhance National Security

Homeland Security Presidential Directives are issued by the President on matters pertaining to Homeland Security. Homeland Security Presidential Directive 1 creates the Homeland Security Council (HSC) and enumerates its functions. The purpose of the HSC is twofold: to coordinate homeland security-related efforts across executive departments and agencies of all levels throughout the country, and to implement the Department’s policies through eleven Policy Coordination Committees.

50 HHS – Health & Human Services
Section E HHS – Health & Human Services

51 History of HIPAA
1996: Health Insurance Portability and Accountability Act (HIPAA) Directed Secretary of HHS to Develop Standards for Protecting e-PHI
Feb 2003: HHS Published the Security Rule Standard
Oct 2008: SP r1 An Introductory Resource Guide for Implementing the HIPAA Security Rule
Duplication of Effort… Stove piping?
e-PHI - Electronic Protected Health Information
SP , D.14 - Health
2009: Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA)

On AUG. 21, 1996, Congress enacted the Administrative Simplification (part of Title II) provisions of HIPAA (PL ) to, among other things, promote efficiency in the healthcare industry through the use of standardized electronic transactions, while protecting the privacy and security of health information. Pursuant to the Administrative Simplification provisions of HIPAA, the Secretary of HHS adopted standards relating to: Electronic healthcare transactions and code sets; Privacy of protected health information; Security of electronic protected health information (EPHI); and Unique health identifiers. On February 20, 2003, HHS published those standards as Health Insurance Reform: Security Standards; Final Rule.

From the SP , information type D.14, Health, includes the direct provision of health care services and immunizations as well as the monitoring and tracking of public health indicators for the detection of trends and identification of widespread illnesses/diseases. It also includes both earned and unearned health care benefit programs. Some information associated with health care involves confidential patient information subject to the Privacy Act and to HIPAA. The Privacy Act Information provisional impact levels are documented in the Personal Identity and Authentication information type.

52 This slide shows all the components of HIPAA and illustrates that the focus of this document is on the security rule. [HIPAA Administrative Simplification PART 164 – SECURITY AND PRIVACY, SUBPART C – Security Standards for the Protection of Electronic Protected Health Information]

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. However, the preamble of the Security Rule states that HHS does not rate or endorse the use of industry-developed guidelines and/or models. Organizations are not required to use NIST special publications. If organizations choose to use NIST guidance, they must determine the value of its content for implementing the Security Rule standards in their environments.

HIPAA Privacy & Security Audit Program
The American Recovery and Reinvestment Act of 2009, in Section of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, the Office of Civil Rights (OCR) is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and were to conclude by December. In the final rule issued by HHS, breaches (i.e. unauthorized disclosures) affecting protected healthcare information of more than 500 individuals require notification to the individual and the Secretary of HHS.

HITECH = Auditing

53 ARRA/HITECH: Game Changers
Electronic Health Record (EHR) System – Incentives to Accelerate Adoption of EHR Systems among Providers
Enforcement – Requires Audits for HIPAA Compliance!
Notification of Breach – Now Imposes Data Breach Notification Requirements
Electronic Health Record Access – For Providers Implementing EHR, Patients Have the Right to Obtain PHI in an Electronic Format (i.e. ePHI)
Business Associates (Software Vendors Providing EHR Systems) – Now Directly "On The Compliance Hook"

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule. ARRA contains incentives related to health care information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement. Why? Because under the HITECH Act there are significant taxpayer dollars appropriated in the form of incentive funding that directly target a provider's adoption of an EHR system. Regulators, patients and other stakeholders are certain to demand more transparency and accountability. If a provider wants to receive the benefit of incentives, or at a minimum wants to avoid any subsequent penalties, then they appear to have little choice other than to increase their literacy regarding HIPAA's Privacy and Security Rules and the new provisions of the Act.

54 Enforcement
Among other things, HHS is now required to conduct periodic audits of covered entities and business associates.

Notification of Breach
The HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." These notification requirements are similar to many state data breach laws related to personally identifiable financial information (e.g. banking and credit card data).

Electronic Health Record Access
In the case where a provider has implemented an EHR system, the Act provides individuals with a right to obtain their PHI in an electronic format (i.e. ePHI). Incentives will be provided to providers who implement EHR systems.

Business Associates and Business Associate Agreements
Under the HITECH Act, business associates are now directly "on the compliance hook" since they are required to comply with the safeguards contained in the HIPAA Security Rule (SR). Software vendors providing EHR systems will clearly qualify as business associates.

55 Cybersecurity Legislative Proposal
Many New Cyber-related Bills
Protecting the American People
Protecting our Nation’s Critical Infrastructure
Protecting Federal Government Computers and Networks
The Administration proposal would update FISMA and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise.
New NIST Cybersecurity Framework, February 2014

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – has suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.

Despite many new cyber-related bills in Congress, none have passed both the House and Senate to become law as of February. Members of both parties in Congress have also recognized a need for updated legislation and introduced approximately 50 cyber-related bills in the FY 2012 session of Congress. To bypass the gridlock in Congress, the President issued an Executive Order directing NIST to develop a voluntary framework for reducing cyber risks to critical infrastructure. In February 2014, NIST released the first version, Framework for Improving Critical Infrastructure Cybersecurity, a collaborative effort between NIST and companies in the private sector. The guidelines in the framework are voluntary measures that organizations that support elements of the country's critical infrastructure can use to develop their information security programs.

However, because the program offers no financial incentives to help companies reduce the costs of implementing the guidelines, companies may opt not to participate. While the guidelines are voluntary for private industry, it is likely that they will be required for government contractors.

56 Cybersecurity Framework
Pictured above is the Cybersecurity Framework Core. The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk.

The broader Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

Many security professionals will recognize close alignment of the Cybersecurity Framework with NIST SP control families and the NIST Risk Management Framework. Private sector security frameworks from ISACA’s Control Objectives for Information Technology (COBIT) and the ISO series are also woven into the framework. More information is available at

57 Government Laws Key Concepts & Vocabulary
Legislative Milestones: Paperwork Reduction Act of 1980; Computer Security Act of 1987; Clinger-Cohen Act of 1996; Homeland Security Act & E-Government Act of 2002 (Title III FISMA)
NIST Standards & Guidelines: NIST SP r1 – Risk Management Framework
OMB Memorandums: M Cybersecurity Responsibilities of DHS; FISM Trusted Internet Connections; M Privacy DHS & Cybersecurity; M Configuration Baselines; FISM 12-02/M FISMA Reporting Guidelines; CyberScope

CCA – Clinger-Cohen Act of 1996
The Clinger–Cohen Act (CCA), formerly the Information Technology Management Reform Act of 1996 (ITMRA), is a 1996 United States federal law, designed to improve the way the federal government acquires, uses and disposes of information technology (IT). The Clinger–Cohen Act supplements the information resources management policies by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources, by: Focusing information resource planning to support their strategic missions; Implementing a capital planning and investment control process that links to budget formulation and execution; and Rethinking and restructuring the way they do their work before investing in information systems. The Act directed the development and maintenance of Information Technology Architectures (ITAs) by federal agencies to maximize the benefits of information technology (IT) within the Government. In subsequent guidance on implementing the Act, the Office of Management and Budget stipulated that agency ITAs "...should be consistent with Federal, agency, and bureau information architectures." In keeping with this mandate, in 1999 the US Federal CIO Council initiated the Federal Enterprise Architecture, essentially a federal-wide ITA that would "... develop, maintain, and facilitate the implementation of the top-level enterprise architecture for the Federal Enterprise."

58 CIO – Chief Information Officer
Chief information officer (CIO), or information technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals.

Circular A-130 Appendix III – Security of Federal Automated Information Resources
Establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123.

CISO – Chief Information Security Officer
A chief information security officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance.

CNSS – Committee on National Security Systems
A United States intergovernmental organization that sets policy for the security of US national security systems.

CSA – Computer Security Act of 1987
It was passed to improve the security and privacy of sensitive information in Federal computer systems and to establish minimum acceptable security practices for such systems. It requires the creation of computer security plans, and the appropriate training of system users or owners where the systems house sensitive information.

CyberScope
Agencies are required to adhere to Department of Homeland Security (DHS) direction to report data through CyberScope. This shift from the once-a-year FISMA reporting process to monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information, delivered more quickly than ever before.

DHS – Department of Homeland Security
DHS oversees critical infrastructure protection, operates the US-CERT, oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector. OMB has a number of cybersecurity responsibilities, principally in connection with FISMA reporting. The Cybersecurity Coordinator leads the interagency process for cybersecurity strategy and policy development.

59 FDCC – Federal Desktop Core Configuration
In March 2007, OMB Memorandum M announced the “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” directing agencies with Windows XP deployed and/or planning to upgrade to the Vista operating system to adopt the Federal Desktop Core Configuration (FDCC) security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS).

FISM – Federal Information Security Memorandum
The Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve federal information security policies.

FISMA – Federal Information Security Management Act
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.

FISMA Report
Provides the annual status of Federal-wide and Agency-specific information security initiatives with respect to Federal compliance with FISMA requirements.

FITSI – Federal Information Technology Security Institute
FITSI is the Federal IT Security Institute, a non-profit organization managing and administering the FITSP certification program. FITSP stands for Federal IT Security Professional and is broken into four individual IT security certification programs targeted at the Federal workforce based upon role.

FITSP – Federal Information Technology Security Professional
FITSP is an IT security certification program targeted at the Federal workforce (civilian personnel, military and contractors). This certification program synergizes the knowledge of other security certifications with the standards and practices that are being used by the United States Federal government. There are four different IT security roles that FITSP covers: Manager, Designer, Operator and Auditor.

HSA – Homeland Security Act of 2002
HSA created both the United States Department of Homeland Security and the new cabinet-level position of Secretary of Homeland Security.

60 HSPD – Homeland Security Presidential Directive
Presidential Directives are a form of executive order issued by the President of the United States with the advice and consent of the National Security Council. As a National Security instrument, the PDD articulates the executive's policy, carries the "full force and effect of law", and throughout the terms of presidents has taken on various titles or intents towards national security policy.

NIST – National Institute of Standards and Technology
NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.

OIG – Office of Inspector General
The Office of Inspector General (OIG) seeks to improve the efficiency and effectiveness of the Agency programs and operations. OIG also endeavors to detect and deter waste, fraud, and abuse.

OMB – Office of Management and Budget
The Office of E-Government and Information Technology, headed by the Federal Government’s Chief Information Officer (currently Steven VanRoekel), develops and provides direction in the use of Internet-based technologies to make it easier for citizens and businesses to interact with the Federal Government, save taxpayer dollars, and streamline citizen participation.

PRA – Paperwork Reduction Act of 1980
Gave authority over the collection of certain information to the Office of Management and Budget (OMB). Within the OMB, the Office of Information and Regulatory Affairs (OIRA) was established with specific authority to regulate matters regarding federal information and to establish information policies. These information policies were intended to reduce the total amount of paperwork handled by the United States government and the general public.

TIC – Trusted Internet Connection
In November 2007, OMB announced the Trusted Internet Connections (TIC) Initiative to consolidate the number of external access points, including Internet connections, and ensure that all external connections are routed through an OMB-approved TIC. Based on solicited agency Statements of Capability, OMB also designated twenty agencies as TIC Access Providers (TICAPs). Each TICAP agency was authorized two locations where they must reduce and consolidate all external connections.

USGCB – US Government Configuration Baseline
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate M. The first platforms addressed by USGCB were Microsoft’s Windows 7, Windows 7 Firewall, and Internet Explorer 8. Red Hat Enterprise Desktop Linux was added in January. Since the rollout of USGCB, NIST has reconciled the differences to the prior FDCC platforms of Windows Vista, Vista Firewall, Windows XP, XP Firewall, and Internet Explorer 7 to establish a uniform configuration standard.

61 Lab Activity 1 – Searching for Guidance
DHS Authority – HSPDs
CNSS
OMB Oversight – Policy
OMB A-130
NIST Guidance – Standards (FIPS), Guidelines (SP)

Lab Activity 1: Searching for Guidance
Using Internet search engines, find the following information:

So far, DHS has issued two FISMs (Federal Information Security Memorandums) for FY2011, and two for FY. Find those FISMs and answer the following:
The subject for FISM is _________________________________
The Department of Homeland Security issues Federal Information Security Memoranda to inform federal departments and agencies of their responsibilities, required actions, and effective dates to achieve _________________ _________________ _________________ _________________ [hint: FISM footnote]
The subject of FISM is __________________________________

Continuous monitoring is the next stage in the evolution of FISMA compliance. On the NIST website (csrc.nist.gov) you can find a wealth of information relating to the technical aspects of FISMA compliance. Open the latest document regarding Continuous Monitoring. What is the document number?
Referencing the “Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains” Table of Contents, what is this document’s Relationship to Existing Standards and Specifications… Please list the other 3 document numbers relating to CM: ______________________________

62 Do a search for “OMB Memorandum”
Do a search for “OMB Memorandum”. Navigate to the White House Memorandum (current year). This is one of the key areas for dissemination of information relating to all OMB policies, including information security and systems security. The OMB memorandums are organized by ______________________

There is a memo from 2011 that clarifies Chief Information Officer Authorities (and responsibilities); Agency CIOs will be held accountable for lowering operational costs, terminating and turning around troubled projects, and delivering meaningful functionality at a faster rate while enhancing the security of information systems. What are the four areas of responsibility? ______________________________

Every year, the OMB releases updated reporting instructions for FISMA. The memo number for 2011 is ___________________________. The first page of this memo emphasizes “…Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), " What is on the 2nd page of this memo? ______________________________ And what is the significance of that second page? ___________________________________________________________________________________!

The most significant portion of this memo is the “Frequently Asked Questions”, which tend to be a slight variation of the FAQs from the previous year. Please make note of the following questions, and their corresponding answers… They represent a considerable shift in compliance in FY2011: #9, #10, #28.

63 Post-assessment Questions for Module 2: Government Laws
The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, but at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.
OMB Circular No. A-123 – Management Accountability and Control
OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources
OMB Circular No. A-127, Financial Management Systems
OMB Circular No. A-136, Financial Management Reporting Requirements

As part of monitoring the security posture of agency desktops, OMB requires federal agencies to use vulnerability scanning tools that leverage the ________ protocol.
SNMP
SMTP
SCAP
LDAP

Following the loss of 26 million records containing PII at the Department of Veterans Affairs, OMB released M Protection of Sensitive Agency Information. This memo required all of the following except:
Encryption of all data on mobile computers/devices
Permits remote access only with two-factor authentication where one factor is provided by a device separate from the computer gaining access
Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity
Encryption of all server backup tapes

This Homeland Security Presidential Directive requires all federal agencies to adopt a standard, government-wide card to reduce identity fraud, protect personal privacy, and provide for authentication. This directive was called:
Real-ID Act
HSPD-12 – Common Identification Standard
Critical Infrastructure Protection Act
HSPD 24 – Biometrics to Enhance National Security Act

64 Post-assessment Questions Continued
Which act of Congress defined Federal agency responsibilities for maintaining records about individuals?
Computer Security Act of 1987
Privacy Act of 1974
Federal Information Security Management Act of 2002
Clinger-Cohen Act of 1996

Which act of Congress granted to the Director of OMB various authorities for overseeing the acquisition, use, and disposal of information technology by the federal government, so as to improve the productivity, efficiency, and effectiveness of federal programs?

What type of system is an interconnected set of information resources under the same direct management control which shares common functionality?
System Boundary
Minor Application
Major Application
General Support System

According to OMB A-130, this individual has specific requirements and responsibilities; it is required that this individual should be a management official, knowledgeable in the information and processes supported by the system. The individual should also know the management, personnel, operational, and technical controls used in the protection of this system.
Agency Authorizing Official
Chief Information Officer
Information System Owner
Chief Information Security Officer

65 Post-assessment Questions Continued
The following OMB memo announced implementation of commonly accepted security configurations for Windows operating systems.
M-07-18
M-09-32
M-10-28
M-07-11

This OMB memo provides e-authentication guidance for federal agencies.
M-08-09
M-08-22
M-04-04
M-05-04

With the publication of OMB M-14-04, Fiscal Year 2013 Reporting Instructions for FISMA and Agency Privacy Management, the signatures of the following two individuals are required to authorize a new information system containing PII to operate (select two):
CISO
CIO
DAA
SAOP

66 Next Module: Risk Management Framework
Questions? Next Module: Risk Management Framework

