ISSM 101 Break-Out Session

Presentation transcript:

1 ISSM 101 Break-Out Session
Cinco de Mayo 2016
Anna Nye-Schaffroth, Leidos ISSM
SD ISAC Information System Security Subcommittee (IS3)

Speaker notes: Introduce myself. Introduce session: overview of how to obtain accreditation and maintain compliance with NISPOM Chapter 8. Slides posted on ISAC web site. Hold questions until Q&A.

2 ISSM 101 Outline
DSS ODAA Documentation
How to Obtain Accreditation
How to Maintain Compliance
Introduction to RMF by Alan Polley, Leidos Senior ISSO
OBMS Demonstration
Q&A Panel

Speaker notes: Go over outline. Due to RMF, some of this information will be changing in the future.

3 DSS Office of the Designated Approving Authority (ODAA) Documentation

Speaker notes: First, go over documentation. Point out what ODAA stands for.

4 DSS ODAA Documentation
DSS ISFO ODAA Manual for the Certification and Accreditation of Classified Systems under the NISPOM (Version 3.2, 11/15/13), AKA the "ODAA Process Manual" or "ISFO Process Manual"; soon to be replaced with the DSS Assessment and Authorization Process Manual (July 2016)
Baseline Technical Security Configuration of Microsoft Windows 7 and Microsoft Server 2008 R2 (Version 1.0, July 2013)
System Security Plan Templates (5/29/14): System Security Plan (SSP); Information System (IS) Profile; IS Security Package Submission and Certification Statement

Speaker notes: First on the list is the ISSM "Bible", published in 2013; it contains lots of info, including roles and responsibilities, data spills, media protection, and non-OS-specific technical controls. The "Baseline Standards" document contains the specific security settings needed to comply with NISPOM requirements; DSS won't be creating these standards documents anymore, so for Windows versions beyond Windows 7/2008 use the DISA STIGs (Security Technical Implementation Guides) or vendor docs. SSP templates: in the "old" days we had to create our own SSP text. Certification Statement: certifies that all information in the SSP and IS Profile is accurate, and that the security settings have been tested and are working properly.

5 How to Obtain Accreditation

6 How to Obtain Accreditation
Verify Contract & DD254
Closed Area Approval (DSS Form 147), if applicable
Obtain hardware
Install software
Configure security settings
Test security settings
Prepare SSP paperwork
Submit paperwork via OBMS
Obtain 180-day IATO
DSS on-site certification visit
Obtain 3-year ATO

Speaker notes: Created these 11 steps based on my own experience. Before starting the certification process, need to verify contract info (next slide).

7 Verify Contract & DD254
Contract: Authorized to work on the contract at your location? Period of Performance (POP) expired?
DD254: Box 1b; Box 11c

Speaker notes: I'm sure you all know more about contracts and DD254s than I do. I always like to check a few things before starting the IS approval process.

8 How to Obtain Accreditation
Verify Contract & DD254
Closed Area Approval (DSS Form 147), if applicable
Obtain hardware
Install software
Configure security settings
Test security settings
Prepare SSP paperwork
Submit paperwork via OBMS
Obtain 180-day IATO
DSS on-site certification visit
Obtain 3-year ATO

Speaker notes: A closed area needs to have an approved DSS Form 147 BEFORE you submit your SSP. Obtain hardware from a reputable vendor like Dell or HP; these days, "supply chain integrity" is more important than ever. Ensure all software, including antivirus software and OS patches, is installed BEFORE configuring security settings: we discovered the hard way that installing MS Office after security lock-down is painful. Configuring the settings manually can take hours; a script can take minutes. Test the settings with the SCAP (Security Content Automation Protocol) Compliance Checker; NCMS created a benchmark for NISPOM. Download the SSP templates from the OBMS web site and fill in the blanks. Demo. Not sure how this will change with RMF.

9 How to Maintain Compliance

10 How to Maintain Compliance
Weekly: Review automated audit logs and check seals; keep logs for one year or one inspection cycle, whichever is longer
Monthly: Update virus definitions (every 30 days); install Microsoft patches ("Patch Tuesday") using the WSUS Offline Update tool, then the SRO fix tool, then re-run the SCAP tool

Speaker notes: Tasks required to maintain compliance are normally done by the ISSO -> ISSM -> YOU. Audit review: gone for a week? Get a backup. Don't have a backup? Inform DSS. WSUS Offline Update tool: determines which updates are needed and installs them for you. SRO fix tool: Windows file auditing settings may change after installing Windows updates. Cecil King, ISSM at AMSEC, created a tool to reset the auditing settings on the 200+ files; send to Cecil to obtain the tool. SCAP (Security Content Automation Protocol) tool: re-run it to verify the auditing settings have been fixed.
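The SRO fix tool and the SCAP re-run above both address file auditing settings drifting after Windows updates. As an added example that is not from the presentation or from any DSS, NCMS or AMSEC tool, the PowerShell function below compares each file's audit entries (SACL) against a site baseline and reports the files whose required entry is missing, restoring it when -Fix is given; the baseline CSV path and column names are assumptions.

```powershell
# Added example (not from the presentation or any DSS/NCMS/AMSEC tool): check that
# the Windows file-auditing (SACL) entries listed in a site baseline are still
# present after patching, and re-add any that were lost. Assumptions: the
# baseline CSV path and column names are hypothetical; run from an elevated
# PowerShell session, since reading or writing a SACL needs SeSecurityPrivilege.
function Test-FileAuditBaseline {
    param(
        [string]$BaselineCsv = 'C:\ISSM\file-audit-baseline.csv',  # assumed path
        [switch]$Fix
    )
    # Example baseline row (constructed):
    #   Path,Identity,Rights,Flags
    #   C:\Windows\System32\cmd.exe,Everyone,"Delete, WriteData","Success, Failure"
    $baseline = Import-Csv -LiteralPath $BaselineCsv
    $missing = @()
    foreach ($entry in $baseline) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            Write-Warning "Baseline path not found: $($entry.Path)"
            continue
        }
        # -Audit makes Get-Acl read the SACL; without it only the DACL is returned.
        $acl = Get-Acl -LiteralPath $entry.Path -Audit
        $wanted = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $entry.Identity,
            [System.Security.AccessControl.FileSystemRights]$entry.Rights,
            [System.Security.AccessControl.AuditFlags]$entry.Flags)
        # The entry counts as present if an existing rule for the same identity
        # covers at least the required rights and audit flags.
        $present = $acl.Audit | Where-Object {
            $_.IdentityReference.Value -eq $entry.Identity -and
            (($_.FileSystemRights -band $wanted.FileSystemRights) -eq $wanted.FileSystemRights) -and
            (($_.AuditFlags -band $wanted.AuditFlags) -eq $wanted.AuditFlags)
        }
        if (-not $present) {
            $missing += $entry.Path
            if ($Fix) {
                $acl.AddAuditRule($wanted)
                Set-Acl -LiteralPath $entry.Path -AclObject $acl
            }
        }
    }
    # Return the files whose audit entry was missing so the result can be noted
    # in the weekly audit-review record. SACL entries only produce events when
    # the "Audit Object Access" / "File System" audit policy is enabled.
    return $missing
}

# Report only; add -Fix to restore the baseline entries.
Test-FileAuditBaseline
```

Run it after the monthly patch cycle and before the SCAP re-run; any file it returns is one whose auditing would otherwise fail the benchmark.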

11 How to Maintain Compliance (continued)
Bi-monthly (every 60 days): Change backup-admin/root passwords
Periodically: Back up audit logs (MUSA: quarterly; LAN: automated weekly)
Self-Inspection: Minimum yearly; preferred biannually

Speaker notes: The built-in admin account is disabled, but you can create a generic backup-admin account. Audit log backups: if the HDD crashes, you lose the audit logs and you will get dinged on the DSS SVA. MUSA: back up to DVD. LAN: back up to a network drive.

12 How to Maintain Compliance (continued)
Annually: Rebrief users and ISSOs (and re-sign user briefing forms)
Always: Media/equipment classification labeling; hardware/software baselines up to date; SSP binder

Speaker notes: Annual rebriefing: do not just have users re-sign the briefing forms. We actually ask users questions, since they should already know the requirements. Media/equipment labeling: check every week during audit review. Hardware/software baselines: don't wait until right before the DSS SVA to update the baselines. SSP binder: neat, logs complete, info up to date.

13 Introduction to RMF
Alan Polley, CISSP, Leidos Senior ISSO

14 What is RMF?
C&A revitalization

Speaker notes: Basically, it's the new means for obtaining authorization to process classified information. I've been working with it for a couple of years and have sought several authorizations under RMF. I'll be speaking from experience versus intent. Disclaimer: this is a high-level sample of RMF and does not speak to DSS implementation or templates.

15 What is RMF?
A six-step process that provides a more holistic and strategic risk management process throughout the system's life cycle.
Goals: Common framework, language and policy derivatives
NIST Publications (800 series)

16 What's Changing?
Terms (current | RMF)
Regional Designated Accrediting Authority (RDAA) | Regional Authorizing Official (RAO)
ISSP | Security Control Assessor (SCA)
Program Manager (PM) | Information System Owner (ISO)
Documentation (current | RMF)
MSSP | Information Assurance Standard Operating Procedures (IA SOP)
SSP/Profile | System Security Plan (SSP)
Risk Assessment Report (RAR)
Security Controls Traceability Matrix (SCTM)
Plan of Action and Milestones (POAM)
Guidance
Joint SAP Implementation Guide (JSIG Rev 4, April '16): DSS uses it for SAPs
DSS Authorization and Assessment Process Manual (DAAPM): due July '16

Speaker notes: A lot of new roles and responsibilities; know them right now. Customer-provided templates: the SSP is trimmed down compared to the current template; SCTM.

17 Current Authorization Process

18 RMF Authorization Process
Work with your SCA to bring your system to an acceptable level of risk for the AO.

19 Steps of RMF (Step 1): Categorize
Assigning values to information and information systems based on protection needs determined by the impact from a loss of Confidentiality, Integrity, and Availability (CIA).
Impact Levels: Low, Moderate, or High
Work with the ISO, ISSM, Facilities and SCA to create a BODY OF EVIDENCE for determining the security category: Information System Type; Boundaries; User Base; Overlays

20 Steps of RMF (Step 2): Select Controls
Controls are safeguards and countermeasures prescribed for the IS.
18 Control Families with 864 total controls
Types: Common, System Specific, and Hybrid
Security Controls Traceability Matrix (SCTM)
Families (with examples): Access Control (Account Management); Audit (Policies); Configuration Management (IA SOP, Privileged Users Guide)

21 Steps of RMF (Steps 3 & 4): Implement Controls, Assess
Implement Controls: SCTM updated; control status; reference documents
Assess: Security Assessment Plan (if required); results of control implementation; methods (Testing, Examine, or Interview); submit results
Security Assessment Report (SAR): provided by the SCA; details the results of your BoE and recommended corrective actions (POA&M)

Speaker notes: Implement Controls: control status is Implemented, Planned, or Tailored; reference documents are the IA SOP and PUG. Assess: work with the SCA to determine the assessment type. Test: automated tools (SCAP, WASSP, etc.). Examine: review documentation (Facility SOP, Guard SOP). Interview: discussion with knowledgeable staff (IT Manager, general user, FSO).

22 Steps of RMF (Step 5): Authorize
Security Authorization Package: ISO to SCA to AO
BOE: IA SOP, SSP, RAR, SCTM, POA&M, etc.
Authorization Decision: Authorization to Operate (ATO); Interim Authorization to Test (IATT); Denial of Authorization to Operate (DATO)

23 Steps of RMF (Step 6): Monitor
Monitor: Continuous Monitoring (ConMon); Information System Continuous Monitoring Plan (ISCM); frequency determined in the SCTM template; monitor like you test; self-inspections
Configuration Management: Manage changes to the IS; update the POA&M and SSP; Configuration Control Board (CCB): ISO, ISSM/ISSO, IT Manager, FSO

24 Summary
RMF is coming August 1st. Start now!
Guidance: Review RMF documentation (NIST 800 Publications; Joint SAP Implementation Guide (JSIG) Rev 4, published in April); Training (CDSE)
Guidance: New process manual (DAAPM), July '16

Speaker notes: Familiarize yourself with the JSIG and templates. Attend training. Work with your ISSOs and IT staff to come up with a solid baseline for standard systems. Figure out where you can access platform STIGs and security benchmarks.

25 ODAA Business Management System (OBMS) Demonstration

26 OBMS Demonstration
"OBMS is a secure, web-based system, designed to automate and streamline the Certification and Accreditation (C&A) process for timeliness, accuracy, and efficiency."
Demonstrate submittal of an SSP package for a Multi-User Standalone (MUSA) Information System (IS)

27 Q&A Panel
Tim Weaver, Western Regional Authorizing Official (RAO)
Rick Disney, Information System Security Professional (ISSP)
Anna Nye-Schaffroth, ISSM (Leidos)
Alan Polley, Senior ISSO (Leidos)

Speaker notes: Introduce DSS.
