110 likes | 254 Views
FISMA 2.0: A CISO Perspective. Marian Cody, CISO, EPA Richard Prentiss, CISO, OTS/Treasury Pat Howard, CISO, NRC. INTRODUCTION. FISMA 1.0: Focus on compliance rather than proven security measures. “ FISMA 2.0 ” Senate Bill S. 3474, Senator Tom Carper
E N D
FISMA 2.0: A CISO Perspective Marian Cody, CISO, EPA Richard Prentiss, CISO, OTS/Treasury Pat Howard, CISO, NRC
INTRODUCTION • FISMA 1.0: Focus on compliance rather than proven security measures. • “FISMA 2.0” • Senate Bill S. 3474, Senator Tom Carper • Approved by Senate Homeland Security and Governmental Affairs Committee in September • Purpose: Strengthen federal IT security
SIGNIFICANT CHANGES • Annual independent audits rather than evaluations • Increased responsibility for the CISO • Requirement for Operational Evaluations by DHS • Establishment of a CISO Council • Requirement for standard, government-wide contract language • Annual DHS reports to Congress
ANNUAL INDEPENDENT AUDIT REQUIREMENT • Changes in auditing standards • Changes in scope to include audit of sub-set of both government-owned and contractor-owned IT systems • Audit report must include overall conclusion about effectiveness of security controls
CISO RESPONSIBILITIES • Appointment by the agency head • Separation of duties between CIO and CISO mandated • Quarterly submission of “security architecture framework documentation” to US-CERT • CISO directly responsible for security programs of subordinate organizations • Responsible for creating IT security performance measurement system • Authority to disconnect agency IT systems • CISO granted enforcement authority
OPERATIONAL EVALUATIONS • To be conducted at least annually by DHS • Agencies to establish security controls testing protocols • Findings to be reported to the agency head, CIO, and CISO • CISO to respond to results with corrective action plan within 30 days to agency head and CIO
CISO COUNCIL • Purpose is to establish best practices and recommendations for operational evaluations • Promote the development and use of standard performance metrics • Recommend CISO qualifications
CONTRACT LANGUAGE • OMB to publish standard security contract language in coordination with NIST • Include standard terms for • security of systems • collection and transmission of information • incident response procedures • COTS products must comply with security requirements
ANNUAL DHS REPORT TO CONGRESS • DHS to report on results of operational evaluations and testing protocols • Provide detailed information on agency evaluation including results and pending corrective actions • Describe effectiveness of testing protocols • Describe information security posture of the federal government
SIGNIFICANT CHANGES • Annual Audits rather than Evaluations • Increased responsibility for the CISO • Requirement for Operational Evaluations by DHS • Establishment of a CISO Council • Requirement for standard, government-wide contract language • DHS annual report to Congress