
Tenacity Solutions Incorporated


Presentation Transcript


    1. Tenacity Solutions Incorporated. David Comings, Ph.D. Risk Management Framework Applied to Cross-Domain Solutions. Additional Information on Tenacity Solutions, Inc. (Tenacity Solutions): 1835 Alexander Bell Drive, Suite 210, Reston, Virginia 20191; Phone: 703.673.3100; Fax: 703.707.0680; www.tenacitysolutions.net. Tenacity Solutions' award-winning staff offers the skills, clearances, and tenacity necessary to achieve IT innovations that others cannot or will not. Tenacity engineers routinely deliver the impossible, whether in the deserts of Iraq or an office in DC. Whenever your mission's success hinges on IT, turn to Tenacity for assured success. Our staff offers the skills and clearances necessary to address your organization's requirements for the comprehensive protection of your information and communications systems. Our solutions are among the most reliable, cost-effective data and hardware security solutions on the market today.

    2. Introductions & Objectives (Agenda). Tenacity Solutions – Experience in the area of Certification & Accreditation: Tenacity Solutions engineers have extensive experience in the practice of Certification & Accreditation (C&A) of US Intelligence Community information systems; they have been intimately involved in the C&A Transformation Effort since its inception; they have been members of, or have led, drafting teams responsible for key policy and procedural documents related to the new C&A process; and they have presented at RSA, DODIIS Worldwide, UCDMO, and other IC/DoD conferences supporting customers on the subject of the new C&A process. Student Input & Feedback: interaction and productive discussion are encouraged; this is an open forum for the exchange of ideas and experiences. Please provide honest, specific, constructive feedback on all course content so that all future students (and the overall Intelligence Community) may benefit; course content and associated materials will be updated routinely.

    3. Presentation Scope

    4. Risk Management Framework – 6 Steps. Additional Information: NIST Special Publications - http://csrc.nist.gov/publications/PubsSPs.html; NIST Public Drafts - http://csrc.nist.gov/publications/PubsDrafts.html; CNSS - http://www.cnss.gov/

    5. RMF Step 1 - Categorize. Additional Information: NIST SP 800-37 (draft) - http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf. Guidance: Descriptive information about the information system is typically documented in the system identification section of the security plan, included in attachments to the plan, or referenced in other standard sources for the information generated as part of the SDLC. System identification information can also be provided by reference. The level of detail provided in the security plan is determined by the organization and is typically commensurate with the security category of the information system in accordance with FIPS 199 or CNSS Instruction 1199/1253 (i.e., the level of detail in the plan increases as the potential impact on organizational operations and assets, individuals, other organizations, and the Nation increases). Information may be added to the information system description as it becomes available during the security authorization process.

    6. RMF Step 1 – Categorize (cont.). Additional Information: It will obviously be difficult (if not impossible) to ensure that ALL appropriate representatives throughout the organization are present at every "Initial Stakeholder Meeting" held as part of the Categorization process. However, for the Categorization step to be as effective as possible, organizations should strive to ensure representation from as many parts of the organization as possible; the security, mission, and business areas are key.

    7. RMF Step 1 – Categorize (cont.)

    8. RMF Step 1 – Categorize (cont.). Additional Information: Information, Information, Information! Information is key at this critical stage of the RMF. The more information that is available about the information system in question, the more likely the organization is to make the correct decision(s) regarding the impact levels and initial control selection; this sets the stage for the rest of the process.

    9. RMF Step 1 – Categorize (cont.)

    10. RMF Step 2 - Select. Additional Information: NIST SP 800-53: based on agreements made at the 2009 CNSS Conference between the IC, DoD, and NIST, NIST SP 800-53 will contain ALL controls. CNSSI 1253: this document will contain information on the Categorization process as it applies to National Security Systems, as well as control tailoring guidance and profiles for National Security Systems (all controls for National Security Systems WILL be in NIST SP 800-53).

    11. RMF Step 2 – Select (cont.)

    12. RMF Step 2 – Select (cont.)

    13. RMF Step 3 - Implement. Additional Information: NIST SP 800-70 - http://csrc.nist.gov/publications/drafts/800-70-rev1/Draft-SP800-70-r1.pdf; Center for Internet Security (Hardening Guides) – http://www.cisecurity.org/; NSA Security Configuration Guides – http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml

    14. RMF Step 3 – Implement (cont.)

    15. RMF Step 3 – Implement (cont.)

    16. RMF Step 4 - Assess. Additional Information: The intention is to make NIST SP 800-53A the "single authoritative source" for the "how do I evaluate" criteria for security controls assigned to information systems through execution of the Risk Management Framework. CNSSI 1253A development is on "indefinite hold" until it is determined whether there will be a need for a separate document for the National Security Community.

    17. RMF Step 4 – Assess (cont.)

    18. RMF Step 5 - Authorize. Additional Information: When Step 5 is fully implemented in the Intelligence Community as part of the C&A Transformation Effort, with the Risk Management Framework adopted as "the process" that all will follow, the traditional interim authorization decisions, Interim Approval to Test (IATT) and Interim Approval to Operate (IATO), will no longer be used. The only authorization decisions that will be issued will be Authorization to Operate (ATO) or Denial to Operate.

    19. RMF Step 6 – Monitor. Additional Information: Continuous Monitoring is a critical step in the execution of the Risk Management Framework. Effective continuous monitoring saves both time and money, and it gathers data about the status of an organization's information systems that supports other required reporting (e.g., FISMA reporting). http://www.onpointcorp.com/documents/IA_Continuous_Monitoring.pdf

    20.

    21.

    22.

    23. Additional Information: C&A transformation is about changing the way the national security community manages IA risk. This means breaking down unnecessary barriers between community members and improving information sharing among the security, IT provider, and IT user communities. Official DNI Press Release: www.dni.gov/press_releases/20070327_1_release.pdf

    24. The Global Threat is Real. Information on Dr. Ross: NIST Computer Security Division Rolodex entry for Dr. Ross: http://csrc.nist.gov/staff/rolodex/ross_ron.html (Project leader, FISMA Implementation Project; FISMA-related standards and guidelines; security controls development and implementation; security certification and accreditation). Full bio of Dr. Ross: http://csrc.nist.gov/staff/Ross/biography_ross_10-21-2007.pdf

    25. U.S. IC Infrastructure. USA PATRIOT Act: the full text of the enrolled (final) version can be found at the Library of Congress: http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3162.ENR:

    26. C&A Transformation Effort. Additional Information: Official DNI Press Release: www.dni.gov/press_releases/20070327_1_release.pdf

    27. Seven (7) Transformation Goals. Additional Information: 1) Reduce the varying numbers of IC Protection Levels and DoD Mission Assurance Categories (MAC) by defining a common set of trust levels that the IC and DoD can jointly apply to systems, eliminating the conflicting criteria for applying security controls that currently inhibit system interconnection and information sharing. 2) Adopt reciprocity, in the sense of cooperation, as normal business rather than the exception, to facilitate re-use of systems developed and approved by other organizations. This transformation will reduce duplicative expenditures on multiple system development efforts. 3) Define common security controls, using NIST Special Publication 800-53 as a starting point, enabling the IC and DoD to develop systems to the same protection standards. This facilitates reciprocity of approvals and reuse of systems across the IC and DoD communities.

    28. Seven (7) Transformation Goals (cont.). Additional Information: 4) Define a common lexicon (common language and common understanding), using the Committee on National Security Systems (CNSS) 4009 glossary as a baseline, for establishing reuse and reciprocity across the IC and DoD. 5) Look broader than individual systems or events when making risk decisions. To that end, implement a senior risk executive function that bases decisions on an "enterprise" view of risk considering all factors, including mission, IT, budget, and security. This view of risk enables Approval Authorities to make informed decisions. 6) Design and operate Information Assurance within the enterprise operational environments, as a coherent whole across the IC and DoD, enabling IA situational awareness and command and control.

    29. Seven (7) Transformation Goals (cont.). Additional Information: 7) Institute a common process for the IC and DoD that incorporates security engineering within "lifecycle" processes. This eliminates current security-specific processes by incorporating security processes within development and system acceptance. The common process will be adaptable to various development environments. Coupled with an ongoing validation process based on strict configuration management, continuous risk assessment, continuous monitoring, and periodic and/or ad-hoc audits, this change eliminates the need for "re-accreditation" as a paperwork exercise. This process reduces the existing redundant C&A activities and unnecessary documentation, and shortens the overall process of approving systems.

    30. C&A Transformation & the 500-Day Plan. Additional Information: Director of National Intelligence (DNI) 500-Day Plan: www.dni.gov/500-day-plan.pdf; HPSCI 500-Day Plan Hearing: intelligence.house.gov/Media/PDFS/Kerr120607.pdf

    31. C&A Transformation Partnership. Additional Information: "One Government, One Set of Standards" http://fcw.com/microsites/security-directives/one-government.aspx; "Transforming IA Certification and Accreditation Across the National Security Community" http://www.stsc.hill.af.mil/crosstalk/2008/07/0807King.html

    32. C&A Transformation Partnership (cont.). Additional Information: NIST Computer Security Division Annual Report http://csrc.nist.gov/publications/nistir/ir7442/NIST-IR-7442_2007CSDAnnualReport.pdf; CNSS Annual Report http://www.cnss.gov/Assets/pdf/CNSS_Report_07-08.pdf

    33. Unifying the C&A Process. Additional Information: Information Sharing Environment Report to Congress - http://www.docstoc.com/docs/5793760/Annual-Report-to-Congress-on-the-Information-Sharing-Environment. The DNI/DoD Reciprocity & Re-Use Memorandum can be located on most unclassified Government networks.

    34. Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    35. DNI Approach to Policy & Standards

    36. ICD 503. Intelligence Community Directive (ICD) 503, Section B, Para 2: This ICD rescinds and replaces the Director of Central Intelligence Directive (DCID) 6/3 Policy, Protecting Sensitive Compartmented Information within Information Systems, and the associated DCID 6/3 Manual having the same title. It also rescinds the DCID 6/5 Implementation Manual for the Protection of Certain non-Sensitive Compartmented Information (SCI) Sources and Methods Information (SAMI). Appendix E in the DCID 6/3 Manual, Access by Foreign Nationals to Systems Processing Intelligence, shall remain in effect until subsequent issuances supersede it. Section E, EFFECTIVE DATE: This ICD becomes effective on the date of signature. IC elements may continue to operate systems and items of information technology currently certified and accredited under pre-existing policies, guidelines and standards; any certification, recertification, accreditation, or reaccreditation of existing and currently certified and accredited systems or items of information technology undertaken after the date of signature must, however, be accomplished in accordance with the policies set forth in this Directive. Any information systems or items of information technology placed into service after the date of signature shall be certified and accredited in accordance with the policies set forth in this Directive.

    37. ICD 503 Authorities
Additional Information:
National Security Act of 1947 (as amended) - http://intelligence.senate.gov/nsaact1947.pdf
Executive Order 12958 – http://nsi.org/Library/Govt/ExecOrder12958.html
Executive Order 12333 – http://www.ncs.gov/library/policy_docs/eo_12333.pdf

    38. Risk Management
Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    39. Accreditation

    40. Authorizing Official
Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    41. Delegated Authorizing Official
Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    42. Certification
Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    43. Reciprocity
Additional Information: ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    44. Execution of Reciprocity in the IC
Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    45. Interconnections & Resolution
Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    46. Status of ICD 503
Additional Information:
DNI Electronic Reading Room - http://www.dni.gov/electronic_reading_room
ICD 503 can be found here - http://www.dni.gov/electronic_reading_room/ICD_503.pdf

    47.

    48. Why use a Risk Managed Approach?
Additional Information: NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks. Developing an organization-wide information security program is not a new concept. However, obtaining a broad-based, organization-wide perspective by authorizing officials and other senior leaders facilitates a more comprehensive view of managing risk from the operation and use of information systems.
In today’s organizations, a single mission/business process may be supported by multiple information systems. Conversely, there may be multiple mission/business processes supported by a single information system. This many-to-many relationship among mission/business processes and information systems requires an organization-wide approach to managing risk—that is, the risk resulting from the use of information systems in organizational mission/business processes.

    49. Concept of Risk Management
Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
Insider Threat – www.cs.cmu.edu/~jfrankli/talks/insider-threat.ppt
http://www.cert.org/archive/pdf/CSG-V3.pdf

    50. Organizational Risk Management
Additional Information: NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
To be effective, organization-wide information security programs require strong commitment, direct involvement, and ongoing support from senior leaders. The objective is to institutionalize information security into the day-to-day operations of organizations as a priority and an integral part of how organizations conduct their operations in cyberspace, recognizing that this is essential in order to successfully carry out organizational mission and business processes in actual threat-laden operational environments.
Building information security into the culture and infrastructure of organizations requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by organizations (e.g., enterprise architecture development, acquisition and procurement processes, system development life cycle processes, concepts of operation).

    51. Organizational Risk Management (cont.)
Additional Information: NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf

    52. Risk from an Enterprise Perspective
Additional Information:
NIST SP 800-39 (draft) - http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf
NIST SP 800-37 (draft) - http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf

    53.

    54. Evolution of NSS Security Control Input to NIST SP 800-53
Additional Information:
Expands NIST SP 800-53 to include controls for the protection of National Security Information and Systems
Moves “guidance” areas of NIST SP 800-53 and includes them as “requirements”
Provides supplemental enhancement and supplemental guidance

    55. Security Controls Structure
Additional Information: NIST SP 800-53 can be found at the following location – http://csrc.nist.gov/publications/

    56. Security Control Classes and Families
Additional Information: NIST SP 800-53 can be found at the following location – http://csrc.nist.gov/publications/
The final version of NIST SP 800-53 may have an added security control family: Personally Identifiable Information (PII).
