1. GSFC MOVE C&A Lessons Learned: Accepted Risk and POA&Ms
Goddard Space Flight Center
Mission Operations Voice Enhancement
Certification & Accreditation
Katie Poole
Juri Schauermann
Fourteenth NISN Customers’ Forum
2. GSFC MOVE
Factors making GSFC MOVE C&A unique
Stand Alone System
Under Strict Vendor Configuration Control
Follows IONet Mission Network Policies
Categorized as a HIGH system
Resultant Findings Mitigated with
Residual Risks
POA&M, Plan of Actions and Milestones
3. Accepted Risk: IA-02(2)
IA-02(2), User Identification And Authentication
Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
(2) The information system employs multifactor authentication for local system access that is NIST Special Publication 800-63 Level 3 (Entrust) or Level 4 (RSA SecurID or PIV Card) compliant.
GSFC MOVE
This control is implemented through the use of usernames and passwords on a stand-alone network. This meets NIST SP 800-63 Level 2 compliance.
Statement of Risk Acceptance/Mitigation:
MOVE-GSFC uses usernames and passwords on a standalone network to mitigate this risk.
4. Accepted Risk: IA-05
IA-05, Authenticator Management
For password-based authentication, the information system will require: A minimum number of 12 characters for the password.
GSFC MOVE
The system implements an 8 character minimum password.
Statement of Risk Acceptance/Mitigation
As a stand alone network, MOVE-GSFC accepts the risk of requiring an 8 character minimum password.
5. Accepted Risk: IR-03(1)
IR-03(1), Incident Response Testing and Exercises
The organization tests and/or exercises the incident response capability for the information system annually using applicable NASA incident response policies and guidance to determine the incident response effectiveness and documents the results.
(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
GSFC MOVE
The system does not employ automated mechanisms to test and/or exercise the incident response capability.
Statement of Risk Acceptance/Mitigation
GSFC-MOVE accepts the risk of not employing automated mechanisms to test and/or exercise the incident response capability.
6. Accepted Risk: PE-10(1)
PE-10(1), Emergency Shutoff
The organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.
(1) The organization protects the emergency power-off capability from accidental or unauthorized activation.
GSFC MOVE
The newer Emergency Power Shutoff units do not have a protective cover; the few older units do have a protective cover that must be raised to activate the shutoff.
Statement of Risk Acceptance/Mitigation
GSFC-MOVE accepts the risk that the newer Emergency Power Shutoff units do not have a protective cover.
7. Accepted Risk: RA-05
RA-05, Vulnerability Scanning
The organization scans for vulnerabilities in the information system monthly or when significant new vulnerabilities potentially affecting the system are identified and reported.
GSFC MOVE
Vulnerability scans will be run on MOVE-GSFC quarterly.
Statement of Risk Acceptance/Mitigation
GSFC-MOVE is a stand-alone system and accepts the risk of not running a vulnerability scan every month. Quarterly vulnerability scans will be sufficient for GSFC-MOVE.
8. Accepted Risk: SC-05
SC-05, Denial Of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: Please visit http://www.us-cert.gov and http://www.cert.org/tech_tips/denial_of_service.html websites for the current list of DoS attacks.
GSFC MOVE
MOVE-GSFC is a stand-alone system with no remote access; Denial of Service is not a potential threat.
Statement of Risk Acceptance/Mitigation
MOVE-GSFC is a stand-alone system with no remote access; Denial of Service is not a potential threat. GSFC-MOVE accepts the risk that no Denial of Service protection is implemented. There is no Internet connectivity to/from GSFC-MOVE.
9. Accepted Risk: SC-10
SC-10, Network Disconnect
The information system terminates a network connection at the end of a session or after 30 minutes of inactivity.
GSFC MOVE
The operator workstations (LSAs) will automatically lock and blank the screen after 30 minutes of inactivity. No session is terminated since this is a mission-critical system.
Statement of Risk Acceptance/Mitigation
No sessions are terminated. The operator workstations (LSAs) will automatically lock and blank the screen after 30 minutes of inactivity. GSFC-MOVE accepts this risk because it is a mission-critical system.
10. Accepted Risk and POA&M: SI-02
SI-02, Flaw Remediation
The organization identifies, reports, and corrects information system flaws. Vendor or NASA designated critical patches shall be applied within 72 hours. Center "snapshot" of patch status shall automatically be provided weekly for update of the Agency ERS and used for build of the Agency monthly Patch reports.
GSFC-MOVE
The system uses vulnerability scan reports to identify information system flaws. Flaws are corrected by working with the vendor, FUSA, as regression testing may be required. The vendor maintenance and service agreement prohibits NASA from making unauthorized changes.
POA&M
The vendor is developing the process to maintain the operating system on the LSA system. This will include patch management and potentially operating system upgrades.
11. Accepted Risk and POA&M: SI-02
SI-02, Flaw Remediation
Statement of Risk Acceptance/Mitigation
The SRD allows NASA to perform Foundstone scans. However, the contract does not allow NASA to address the vulnerabilities that are discovered. Vulnerability fixes that affect the baseline will have to be regression tested in the vendor development area before they can be applied to the MOVE-GSFC systems. The need for vendor regression will delay the implementation of security fixes.
12. Accepted Risk and POA&M: SI-03
SI-03, Malicious Code Protection
The information system implements malicious code protection.
GSFC MOVE
A contract modification is being drafted to mitigate the lack of malicious code protection.
POA&M
The vendor responsibilities for malicious code software installation and management are currently being developed. The vendor will implement a Symantec solution on the LSA system.
Statement of Risk Acceptance/Mitigation
The vendor maintenance and service agreement prohibits NASA from making unauthorized changes to the vendor baseline without prior testing in the vendor development area. Therefore, it is unlikely that NASA will be able to apply malicious code/anti-virus signatures and engine updates in a timely manner.
13. POA&M: AC-01
AC-01, Access Control Policy and Procedures
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
AGENCY
Planned Correction: HQ personnel will compose NASA IT Requirement (NITR)-2810-18.
Status: NITR-2810-18 has been in OCIO for vetting since October 2008. It contained some controversial issues and is currently in the second round of vetting through OCIO.
14. POA&M: AU-04, AU-11
AU-04, Audit Storage Capacity
The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
AU-11, Audit Record Retention
The organization retains audit records for 1 year then: Delete/destroy when no longer needed for administrative, legal, audit or other operational purposes (NPR 1441.1) to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
MOVE GSFC
The MOVE-GSFC has sufficient capacity to hold system logs for 1 year, but is currently configured to store logs for 30 days.
POA&M
The vendor will reconfigure the system to store audit logs for one year.
15. POA&M: CP-06
CP-06, Alternate Storage Site
The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.
GSFC MOVE
Backups of the system applications, operating system, and system baselines are stored off-site at an alternate storage site at the vendor’s building located in Columbia, Maryland. The system has identified Building 14 as the primary storage site and Building 32 as the secondary/alternate storage site. Since the secondary/alternate site is on center/campus, a POA&M is open.
POA&M
The system is awaiting the completion of the Code 700 Continuity of Operations Plan. The COOP will contain the specification of an alternate storage site that MOVE-GSFC will evaluate for use.