Cyber Security Assessment and Management (CSAM)
IT Security Program Purpose: Support Department of Justice Strategic Goals by ensuring Integrity, Confidentiality, and Availability of information and information systems.
• Introduction and Overview
• Highlights and Capabilities
• Business Readiness
• Pricing Model
• Conclusion
• Q and A’s
Comprehensive FISMA Compliance Technology and Support Services
Customer Information Day, Information System Security Line of Business, March 13, 2007
Dennis Heretick, Deputy CIO, IT Security, Department of Justice, Dennis.heretick@usdoj.gov
Cyber Security Assessment and Management (CSAM)
Certification & Accreditation (DOJ IT Security Standards: FISCAM / FIPS 200 / NIST 800-53)
Security Requirements Selection and Assign Responsibilities (PL-2)
System Description
• Inventory/Interconnections (CA-3)
• Scope
• Security Category
• Inherit Common Controls (MOA/SLA) (CA-2)
Asset Discovery/Mgmt DB, Application Discovery: Dec 06 – Dec 07
Accreditation Maintenance: Jan 07 – Jan 08
Testing Integrated into Implementation
• C&A Team Review/Update
• Risk Assessment
• POA&M & Funding Decision
• Monthly Review
• Dashboard
• OMB Report
Implement/Maintain Technical/Operational Controls
1. Vulnerability Scans / Vulnerability Mgmt Plan
• Access Controls (AC 2-20)
• Vulnerability Mgmt (RA-5)
• Audit and Accountability (AU 2-11)
• Identification and Authentication (IA 2-7)
• Systems & Communications Protection (SC 2-19)
• System and Information Integrity (SI 2-12)
• DB App Scan
• Web App Scan
• Config Sec
2.
• Life Cycle Mgmt (SA-3)
• Configuration Management (PL-1)
• Exercise & Update Incident Response Plan (IR-7)
• Exercise & Update Contingency Plan (CP-10)
• Awareness & Training (AT-2 & 3)
3.
• Physical/Environ Protection (PE-4)
• Personnel Security (PS-8)
• Media Protection (MP-7)
• Security Info Mgmt
Feb 06 – Mar 07 with ongoing maintenance
Cyber Security Assessment and Management (CSAM)
[Risk-weight matrix for System Controls and Common Controls by Risk Weight (L / M / H): not recoverable from the slide image]
Vulnerabilities Requiring Correction
• Risk Impact:
• Plan Start:
• Actual Start:
• Planned Finish:
• Actual Finish:
• Validation Date:
• Cost: _____
President’s Management Agenda
FISMA, DCID 6/3
DOJ IT Security Stds (FISCAM, FIPS/NIST 800-53)
Plans of Action & Milestones (POA&M)
Implementation Requirements
OMB FISMA Reporting
Test Case for Each Requirement
Management Controls (Cost + Implementation Guidance)
• RA-1 Risk Assessment and Procedures (Test Case RA-1.1)
• PL-1 Security Planning Policy and Procedures (Test Case PL-1.8)
• SA-1 System & Services Acquisition Policy & Procedures (Test Case SA-1.1)
• CA-1 Certification & Accreditation & Security Assessment Policies and Procedures (Test Case CA-1.3)
Operational Controls (Cost + Implementation Guidance)
• PS-1 Personnel Security Policy & Procedures
• PE-1 Physical Environmental Protection Policy & Procedures
• CP-1 Contingency Planning Policy & Procedures
• CM-1 Configuration Management Policy & Procedures
Technical Controls (Cost + Implementation Guidance)
• IA-1 Identification and Authentication Policy & Procedures
• AC-1 Access Control Policy & Procedures
• AU-1 Audit & Accountability Policy & Procedures
• SC-1 System & Comm Protection Policy & Procedures
Cyber Security Assessment & Mgmt TrustedAgent (CSAM) Test Case nn.n.n
• Control Objective
• (Subordinate Objective)
• Control Techniques
• Specific Criteria
• Prerequisite Controls
• Test Objective
• Test Set Up
• Test Steps
• Expected Results:
• Actual Results:
• Cost
PASS / FAIL
Risk Assessment (per Vulner Control): Vulner Level X Threat Level X Signif Level = Total Risk
CSAM -- Comprehensive FISMA Compliance Technical and Support Services
1. Risk-based Policy and Implementation Guidance
• Authoring Tool to Tailor IT Security Standards & Procedures to Agency Needs
• Assign Agency, Component, and System Roles and Responsibilities
• Employ Automated Risk Assessment Methodology
2. Enterprise Program Management Plan
• Establish Program Implementation Strategy
• Set Up System Inventory Process
• Establish Goals, Performance Metrics, and Monitor Performance
• Identify Enterprise Solutions
• Provide Cost Guidance
• Performance Dashboard to Monitor Implementation
3. Subordinate System Security Plan (SSP)
• Requirements Determination
• Scope
• Security Category (FIPS 199)
• Inheritance of Security Controls
• Initial Minimum Control Set
• Testing Integrated into Implementation
• Identify Residual Risks & POA&M Mgmt
• Generate an SSP with Artifacts
• Support Continuous Monitoring
4. Management Reporting
• FISMA Reports
• OMB A-123 Assertions
• Enterprise and System Reporting
• Flexible Ad Hoc Reporting
• Residual Risk Reports
• POA&M Reports
5. Training and Quarterly Workshops
• User Workshops to Train with Automated Tools, Enhancements and Share Lessons Learned
• Feedback for Continuous Process Improvement
Business Readiness
CSAM Strategy: Responsive actions to customer feedback and continuous improvements are key to ensuring satisfied users
• Justice has successfully implemented service level agreements and revolving funds to support IT operations
• Reliable reimbursement process for managing reimbursable customer contracting support arrangements is in place
• Several Justice contracting vehicles are in place
• BPA Delivery Orders
• ITSS-3 Indefinite Delivery/Indefinite Quantity Contract
• GSA Schedule
CSAM Pricing Model (Partnership Fee/Software License/Maintenance)
• 01-09 Systems -- $25K
• 10-24 Systems -- $30K
• 25-49 Systems -- $45K
• 50-99 Systems -- $100K
• 100-149 Systems -- $125K
• 150-199 Systems -- $150K
• 200-249 Systems -- $175K
• 250-299 Systems -- $200K
• 300-349 Systems -- $225K
• 350-399 Systems -- $250K
• 400-450 Systems -- $275K
• 451-499 Systems -- $300K
• 500-549 Systems -- $325K
• 550-599 Systems -- $350K
• 600-650 Systems -- $375K
• 650-699 Systems -- $400K
• 700-749 Systems -- $425K
• 750-799 Systems -- $450K
CSAM Pricing Model (Installation and Help Desk Services)
CSAM Pricing Model (Policy, Enterprise Program Management Plan)
CSAM Pricing Model (Training)
• Initial Training Classes
• Four hours classroom training -- $200/per user
• Quarterly Workshops -- Train with Automated Tools, Enhancements and Share Lessons Learned
• Each user receives 4 hours training per quarter -- $200/per user
• Two Day workshops -- $800/per user
Pricing Model (Certification and Accreditation Services)
Conclusion
• CSAM…
• Is a comprehensive FISMA compliance Technology and Support Services solution
• The CSAM solution includes…
• Risk-based Policy and Implementation Guidance
• Enterprise Program Management Plan
• Subordinate System Security Plans
• Training and Quarterly Workshops
• Robust Management Reporting
• For more information or to request a system demonstration, email: DOJLOBCSAM@usdoj.gov
• or contact:
• Ken Gandola, 202-353-0081, Kenneth.d.gandola@usdoj.gov
• Jim Leahy, 202-353-8741, james.t.leahy@usdoj.gov