Presentation is loading. Please wait.

Presentation is loading. Please wait.

FISMA 2.0: A CISO Perspective

Published byFrancis McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "FISMA 2.0: A CISO Perspective"— Presentation transcript:

1 FISMA 2.0: A CISO Perspective
Marian Cody, CISO, EPA Richard Prentiss, CISO, OTS/Treasury Pat Howard, CISO, NRC

2 INTRODUCTION FISMA 1.0: Focus on compliance rather than proven security measures. “FISMA 2.0” Senate Bill S. 3474, Senator Tom Carper Approved by Senate Homeland Security and Governmental Affairs Committee in September Purpose: Strengthen federal IT security

3 SIGNIFICANT CHANGES Annual independent audits rather than evaluations
Increased responsibility for the CISO Requirement for Operational Evaluations by DHS Establishment of a CISO Council Requirement for standard, government-wide contract language Annual DHS reports to Congress

4 ANNUAL INDEPENDENT AUDIT REQUIREMENT
Changes in auditing standards Changes in scope to include audit of sub-set of both government-owned and contractor-owned IT systems Audit report must include overall conclusion about effectiveness of security controls

5 CISO RESPONSIBILITIES
Appointment by the agency head Separation of duties between CIO and CISO mandated Quarterly submission of “security architecture framework documentation” to US-CERT CISO directly responsible for security programs of subordinate organizations Responsible for creating IT security performance measurement system Authority to disconnect agency IT systems CISO granted enforcement authority

6 OPERATIONAL EVALUATIONS
To be conducted at least annually by DHS Agencies to establish security controls testing protocols Findings to be reported to the agency head, CIO, and CISO CISO to respond to results with corrective action plan within 30 days to agency head and CIO

7 CISO COUNCIL Purpose is to establish best practices and recommendations for operational evaluations Promote the development and use of standard performance metrics Recommend CISO qualifications

8 CONTRACT LANGUAGE OMB to publish standard security contract language in coordination with NIST Include standard terms for security of systems collection and transmission of information incident response procedures COTS products must comply with security requirements

9 ANNUAL DHS REPORT TO CONGRESS
DHS to report on results of operational evaluations and testing protocols Provide detailed information on agency evaluation including results and pending corrective actions Describe effectiveness of testing protocols Describe information security posture of the federal government

10 SIGNIFICANT CHANGES Annual Audits rather than Evaluations
Increased responsibility for the CISO Requirement for Operational Evaluations by DHS Establishment of a CISO Council Requirement for standard, government-wide contract language DHS annual report to Congress

11 QUESTIONS ?

Download ppt "FISMA 2.0: A CISO Perspective"

Similar presentations

U.S Constitution: Creates Sovereign Power

U.S Constitution: Creates Sovereign Power
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
Environmental Affairs 1 Introduction; Corporate Compliance… Accountability for Environmental Matters “Environmental liability is strict liability….”

Environmental Affairs 1 Introduction; Corporate Compliance… Accountability for Environmental Matters “Environmental liability is strict liability….”
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
Module 11 Federal Funds and Single Audits Convery 20131.

Module 11 Federal Funds and Single Audits Convery
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
CENDI/NFAIS Quality Workshop: The Importance of Quality and Integrity Kevin Kirby, Enterprise Data Architect US Environmental Protection Agency Office.

CENDI/NFAIS Quality Workshop: The Importance of Quality and Integrity Kevin Kirby, Enterprise Data Architect US Environmental Protection Agency Office.
Ensuring Compliance Part 2 JAQUELINE REESE AND RICHARD SHEAFFER | MAY 12, 2014.

Ensuring Compliance Part 2 JAQUELINE REESE AND RICHARD SHEAFFER | MAY 12, 2014.
Proposed Maturity Model for

Proposed Maturity Model for
Effective Internal Control, Establishing an Internal Audit Function, and Compliance Plans 2014 Governmental Accounting For Local Public Health September.

Effective Internal Control, Establishing an Internal Audit Function, and Compliance Plans 2014 Governmental Accounting For Local Public Health September.
Protected Areas Conservation Trust’s (PACT) Accreditation to the Adaptation Fund Board: The Process and experience. By: Kerry Belisle (PACT)

Protected Areas Conservation Trust’s (PACT) Accreditation to the Adaptation Fund Board: The Process and experience. By: Kerry Belisle (PACT)
Chapter 15 section1: The Federal Bureaucracy

Chapter 15 section1: The Federal Bureaucracy
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
PPA 573 – Emergency Management and Homeland Security Lecture 4c – Planning, Training, and Exercising.

PPA 573 – Emergency Management and Homeland Security Lecture 4c – Planning, Training, and Exercising.
Session 121 National Incident Management Systems Session 12 Slide Deck.

Session 121 National Incident Management Systems Session 12 Slide Deck.
Purpose of the Standards

Purpose of the Standards
Vers. national spatial data infrastructure training program Geospatial Business Planning Introduction to FGDC Initiatives Related to Geospatial Business.

Vers. national spatial data infrastructure training program Geospatial Business Planning Introduction to FGDC Initiatives Related to Geospatial Business.
Federal IT Security Professional - Manager FITSP-M Module 1.

Federal IT Security Professional - Manager FITSP-M Module 1.

Similar presentations

Ads by Google