NMS Certification and Accreditation (C&A) Removal of Material Weakness for NMS Security and Access Controls Jim Craft USAID ISSO.

2 NMS Security Requirements: FFMIA Report and OMB Circular A-130

Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB
- USAID identified 10 material weaknesses, including NMS security and access controls, in its CY-1997 Report.
- The Agency CFO indicated remedial actions would be completed within 3 years (by FY-2001).
- "The material weakness resulted from the level at which controls are implemented in the system, the design of access controls implemented in the system, audit trails of system activity, user identification and password administration, and access to sensitive Privacy Act information."

OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources
- "Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications."
- OMB Circular A-130 defines 4 new Federal agency requirements for managing and protecting their information resources:
  - Assigning responsibility for security
  - Completing security plans for general support systems and major applications
  - Periodically reviewing security controls
  - Authorizing processing

3 NMS C&A Tasks
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. Certification and Accreditation (C&A) Policy Approved
5. Certification and Accreditation (C&A) Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training (Users, Administrators, and Managers)
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)

4 Certification and Accreditation Tasks
1. Conduct Risk Assessment
  - NMS Security Team (TAC 22) assisted by the ISS Team (TAC 07)
  - Establish risks for NMS operations at USAID/W, progressively including:
    - PRIME, T-Hub
    - Beltsville
    - 81 Foreign Missions
    - Communications with foreign missions via DTS-PO, VSAT, and Internet
  - Deliver report on risk assessment and recommendations (could be done as part of the Certification Report)
2. Technical Fixes
  - 5 Key Security Vulnerabilities
  - Build Test Scenarios/Scripts (Certification)
3. NMS Security Plan Actions
  - Review and approve remaining NMS Security Plan action items for implementation to bring NMS into compliance with security requirements from ADS, OMB A-130, FISCAM, and OIG Audit Reports. Initial action items include:
    - Implement NMS audit trails
    - Implement Operational and Management Change Procedures

5 Certification and Accreditation Tasks
4. C&A Policy Approved
  - Approve C&A Policy for NMS
5. C&A Plan
  - C&A Plan
  - C&A Definition
  - C&A Verification
  - C&A Validation
  - Prepare Certification Report and Accreditation Recommendation for ISSO and IRM Director approval
  - C&A Post Accreditation Support
6. Roles & Responsibilities Approved
  - Delegate accreditation authority for core financial systems to the CFO
  - Assign the accreditation of general support systems to the CIO
  - Assign responsibility to the Director, IRM, for ISSPP and general support systems
  - Assign authority and responsibility to the USAID ISSO for ISSPP implementation
7. Delegate Systems Security Manager
  - Designate a security official to implement NMS C&A
8. NMS Security Training
  - Provide security input into current NMS training for users, administrators, and managers

6 Certification and Accreditation Tasks
9. Certification by IV&V Contractor
  - CFO selects IV&V contractor
  - CFO reviews and accepts IV&V contractor
10. Security Accreditation of NMS by CFO
  - Authorize NMS for processing
11. Audit by OIG
  - Verify substantial removal of the NMS security and access controls material weakness
12. Executive Brief and Close NMS Security Material Weakness
  - Include removal of the NMS Security material weakness in the FFMIA annual report

7 Certification and Accreditation Implementation Schedule
[Gantt chart spanning Feb, Mar, Apr, May, Jun, Jul, Aug, Sep; the task bars themselves are not recoverable from the transcript. Tasks listed down the left side:]
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. C&A Policy Approved
5. C&A Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
Also marked on the chart: NMS 4.81, NMS 4.82

8 Next Step: Implement Similar Process for IFMS
[Diagram; only its labels survive in the transcript: Authorization to Process; Cairo & San Salvador; AWACS; Momentum; AID/W; IV&V; FFMIA; C&A; NMS; IFMS; OIG; Implementation of NMS Sec. Plan; Policy O.k.; ADS 05-01]

9 Goal: Favorable OIG Audits and Reports to Congress
- Confirmation of substantial removal of the security material weakness by the Inspector General's Office to the Administrator
- FFMIA 2000 Report by the CFO to OMB asserting the removal of the security material weakness from 1997
- Semiannual Report to Congress by the OIG confirming substantial removal of the security material weakness