1 / 9

Defense Security Service Industrial Security Field Operations Overview

This November 2013 report by the ISFO and ODAA provides insights on security plan reviews, certification & accreditation, common deficiencies in security plans, on-site review results, and common vulnerabilities found during system validations.

stthomas
Download Presentation

Defense Security Service Industrial Security Field Operations Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISFO – ODAA Nov 2013 Defense Security Service Industrial Security Field Operations(ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013

  2. ISFO – ODAA Nov 2013 Defense Security Service Overview: • Security Plan Reviews • Security Plan Processing Timeliness • Top Ten Deficiencies Identified in Security Plans • System Onsite Validations • Timeliness • Top Ten Vulnerabilities

  3. ISFO – ODAA Nov 2013 Defense Security Service Certification & Accreditation • DSS is the primary government entity responsible for approving cleared contractor information systems to process classified data. • Work with industry partners to ensure information system security controls are in place to limit the risk of compromising national security information. • Ensures adherence to national industrial security standards.

  4. ISFO – ODAA Nov 2013 Security Plan Review Results from Nov 2012- Oct 2013 Performance: Metrics reflect excellent performance across the C&A program nationwide. Improvements have been made in the number of systems processed straight ATO and reducing the number of days systems operate on an IATO when compared to six months ago. Common reasons for second IATOs are Host Based Security System (HBSS) not installed, Onsite validation rescheduled due to ISSP and/or ISSM availability, Administrative reasons after the system is certified (MOUs, etc.).

  5. ISFO – ODAA Nov 2013 Common Deficiencies in Security Plans from Nov 2012- Oct 2013 Top 10 Deficiencies SSP Is incomplete or missing attachments SSP Not Tailored to the System Inaccurate or Incomplete Configuration diagram or system description Sections in General Procedures contradict Protection Profile Missing certifications from the ISSM Missing variance waiver risk acknowledgement letter Incorrect or missing ODAA UID in plan submission Integrity & Availability not addressed completely Inadequate anti-virus procedures Inadequate trusted download procedures

  6. ISFO – ODAA Nov 2013 On Site Review Results from Nov 2012- Oct 2013 Performance: Metrics reflect excellent performance across the C&A program nationwide. Improvements have been made in the number of systems processed straight ATO and reducing the number of days systems operate on an IATO when compared to six months ago. We are averaging over 45% of all ATOs being straight to ATO.

  7. ISFO – ODAA Nov 2013 Common Vulnerabilities found during System Validations from Nov 2012- Oct 2013 Top 10 Vulnerabilities • Security Relevant Objects not protected. • Inadequate auditing controls • SSP does not reflect how the system is configured • Improper session controls: Failure to have proper user activity/inactivity, logon, system attempts enabled. • Bios not protected • Topology not correctly reflected in (M)SSP • Inadequate configuration management • Physical security controls • Inadequate Anti-virus procedures • Identification & authentication controls

  8. ISFO – ODAA Nov 2013 Defense Security Service Summary and Takeaways: • Security Plans are Being Processed and Reviewed in a Timely Manner • Most Common Deficiencies in SSPs Include Missing Attachments, Documentation Errors, Integrity and Availability Requirements • Need More Emphasis on Reducing Deficiencies • Onsite Validations are Being Completed in a Timely Manner • Most Common Vulnerabilities Identified During System Validation Include Auditing Controls, Configuration Management, Not Protecting Security Relevant Objects • More Straight to ATO (Where Practical) to Reduce Risk and Increase Efficiency

  9. ISFO – ODAA Nov 2013 Defense Security Service Questions

More Related