Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.

Published byLoraine McDaniel Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger."— Presentation transcript:

1 1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger

2 Agenda u FISMA - It’s about enabling mission success through the protection of our sensitive agency information. Ø Federal Legislation & Directives Ø BIG PICTURE u Roles and Responsibilities Ø Mission Executives & Chief Information Officers Ø System Owners & Information System Security Managers u Certification & Accreditation  Assessments, Audits, Evaluations and Testing  Plans of Actions and Milestones u Enabling Efficient Mission Delivery and Success  Mission Efficiency through Business and Information Technology Integration  Integrating Risk Management into the Enterprise

3 Federal Legislation & Directives - Driving IT Security Improvements - u E-Government Act of 2002 - Public Law 107-347  Enhance management and promote e-Gov services/processes u Title III - FISMA  Development and maintain minimum controls to protect Federal systems u Section 208 – Privacy Provisions  Protect the privacy of personal information u OMB Circular A-130 (Office of Management and Budget)  Policy for the management of Federal information resources.  Requires protection commensurate with risk and magnitude of harm  Requires security’s role be explicit in IT investments and capital programming u Appendix III - Security of Federal Automated Information Resources  Minimum set of controls for Federal information security programs  Requires a security plan for information systems  Requires reviews of security controls

4 Big Picture Federal Information Security Management Act E-Government Act Presidential Management Agenda C&ACIRTSATEPM Assess- ments CIP EA (IS) Capital Planning Patch Mgmt System & Program POA&Ms Asset Inventory Security Program E-Gov: Enhance management and promote electronic Government services and processes Establish a Federal CIO in OMB Establish a framework of measures Enhance citizen access to Government information and services E-Gov: Enhance management and promote electronic Government services and processes Establish a Federal CIO in OMB Establish a framework of measures Enhance citizen access to Government information and services FISMA (Title III of E-gov): Comprehensive framework to ensure effectiveness of system controls Recognize highly networked nature of Federal computing Minimum controls required to protect Federal Information FISMA (Title III of E-gov): Comprehensive framework to ensure effectiveness of system controls Recognize highly networked nature of Federal computing Minimum controls required to protect Federal Information PMA: Strategic management of human capital Budget and performance integration Competitive sourcing Electronic-Government Improved financial management PMA: Strategic management of human capital Budget and performance integration Competitive sourcing Electronic-Government Improved financial management

5 u FISMA – Programs that make a comprehensive security program. u Protecting our Critical Infrastructure, responding quickly to incidents, educating the community, assess ourselves, Planning for security from the start, and of course documenting proof of what we have done and performing risk analysis and management through C&A. These are just a few of the elements that FISMA mandates, but how do we know it’s effective? u E-Gov – It measures how well we are managing our e-business, and how well is our business serving the U.S. citizens. E-Govs mandates the reporting how well we are managing electronic services, but how do we know we are working toward the same goal as the rest of the Federal Government? u PMA – Managing human capital, budget and performance, competitive sourcing, and the financial services we provide is essential to carrying out an efficient, accurate, and effective mission, for which we are accountable. The electronic-Government mission is the common thread that runs through all missions. It supports them all, so it must be planned for, properly implemented, protected, and reviewed periodically, all in an efficient manner. u Integration is the key to making this all work together, and to optimize resources.

6 Roles & Responsibilities  Mission Executives (Business Process Owners)  Responsible to ensure security controls commensurate with risk (control the budget and the requirements)  Missions require the deployment of systems before relevant IT security disciplines are defined, integrated, and standardized  Chief Information Officers  Ensure compliance with security requirements while enabling the mission  Provide assurance of security effectiveness

7 Roles & Responsibilities  System owner  Procures, implements, and integrates information systems  Represents mission priorities and security requirements to the Designated Approving Authority (DAA) supporting risk-based decisions  Makes judgments on independent advise of reasonable risk  Information System Security Manager  Ensures systems are Certified and Accredited  Implements agency policies and standards  Coordinates with system owners and business process owners  Balances mission risk in consideration of IT Security Risks

8 Certification and Accreditation Accountability for:  Adequate safeguards and countermeasures are employed within information systems.  Information system safeguards and countermeasures are effective in their application.  Risk to organizational operations, assets, individuals, other organizations, and the Nation is explicitly understood and accepted by leaders at all levels.

9 Certification and Accreditation Federal Information Systems  An information system used or operated by an executive agency (of the federal government), by a contractor of an executive agency, or by another organization on behalf of an executive agency.  Federal information systems process, store, and/or transmit federal information.  Authorization decisions for federal information systems are an inherently federal responsibility and cannot be delegated to other than federal officials.

10 Certification and Accreditation Accreditation Boundary  All components of an organizational information system to be accredited by an authorizing official; excludes separately accredited systems, to which the information system is connected.  Defines the scope of protection for the organizational information system (i.e., what the organization agrees to protect under its direct control).  Includes the people, processes, and technologies that are part of the information system supporting enterprise missions and business processes.

11 Certification and Accreditation Four Phase C&A Process  Initiation Phase  Certification Phase  Accreditation Phase  Continuous Monitoring Phase Expressed within the context of the NIST Risk Management Framework as follows…

12 C&A Risk Management Framework ASSESS Security Controls MONITOR Security Controls DOCUMENT Security Controls AUTHORIZE Information System SUPPLEMENT Security Controls SELECT Security Controls IMPLEMENT Security Controls CATEGORIZE Information System Starting Point

13 Management Controls Security Planning Risk Assessment System and Services Acquisition Certification, Accreditation, and Security Assessments Operational Controls Security Awareness and Training Configuration Management Contingency Planning Media Protection Physical and Environmental Protection System and Information Integrity Incident Response System Maintenance Personnel Security Technical Controls Access Control Auditing and Accountability Identification and Authentication System and Communications Protection Types of Controls

14 Assessments, Audits, Evaluations and Testing Part of IT Security Program

15 Plans of Actions and Milestones u Audit or Assessment Findings:  Identified vulnerabilities and weaknesses  Documented on program- or system-level POA&Ms  Corrective/mitigating action plans tracked to resolution I found a weakness!

16 IT System Lifecycle PlanDesignBuildTestDeployOperateDispose Mission Customers SuppliersPartners Employees

17 IT Security Lifecycle PlanDesignBuildTestDeployOperate Identify Risks Implement Controls Inspect Controls Capital Planning & Investment Resolve Weaknesses Dispose Monitor & Respond

18 Enabling Efficient Mission Delivery and Success u “Baking-in” IT Security & Privacy Protections  Information security requirements must be considered first order requirements and are critical to mission and business success.  An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

19 Enabling Mission Efficiency through Information Technology u Mission – Provide what’s needed to get the job done u Challenge – Meet mission and security needs and remain effective  Critical assets are frequently updated and customized  Business solutions require interconnections to internal and external systems  Security of interconnections relies on cooperation and integration Mission Customers SuppliersPartners Employees

20 NIST Computer Security Division & OMB Sites u Computer Security Resource Center (CSRC) library  http://csrc.nist.gov/index.html http://csrc.nist.gov/index.html u Federal Information Processing Standard (FIPS) publications  FIPS 199 and 200  http://csrc.nist.gov/publications/fips http://csrc.nist.gov/publications/fips u Special Publications (SP)  800 Series (primarily 800-18, 34, 37, 47, 53, 53A and 60)  http://csrc.nist.gov/publications/nistpubs/index.html http://csrc.nist.gov/publications/nistpubs/index.html u OMB Memoranda  Memoranda M07-19, 06-19, 05-15, 04-25 and 03-19  http://www.whitehouse.gov/omb/memoranda/index.html http://www.whitehouse.gov/omb/memoranda/index.html

Download ppt "1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.

Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
1 2004 OMB Exhibit 53 Changes Briefing Presented by the Office of the Chief Information Officer June 5, 2002.

OMB Exhibit 53 Changes Briefing Presented by the Office of the Chief Information Officer June 5, 2002.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Keystone Technology Plan Presentation to Chesapeake Bay Program Information Management Subcommittee May 19, 2004 Nancie L. Imler Chief Information Officer.

Keystone Technology Plan Presentation to Chesapeake Bay Program Information Management Subcommittee May 19, 2004 Nancie L. Imler Chief Information Officer.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google