Federal Enterprise Architecture Security and Privacy Profile
Update Briefing – November 20, 2008
Architecture and Infrastructure Committee, Federal CIO Council
Co-Leads:
• Scott A. Bernard, Deputy CIO, FRA/DOT
• Ron Ross, FISMA PMO, NIST
• Ken Mortensen, Chief Privacy Officer, DOJ
Ongoing Activities:
1. SPP being virtualized into:
   • Federal Segment Architecture Methodology (FSAM): done
   • NIST SP 800-37, Guide to Security Certification and Accreditation (C&A)
   • NIST SP 800-39, Managing Risk from Information Systems
   • NIST SP 800-53, Security Controls for Information Systems
2. SPP White Paper in development (due December 31)
3. Working Group meetings to resume in December.
[Figure: Information Security and Data Privacy Framework, showing how the NIST Risk Management Framework aligns with the Federal Enterprise Architecture]
• Federal Enterprise Architecture column (requirement / solution identification and implementation): Performance Architecture (PRM), Business Architecture (BRM), Service Component Architecture (SRM), Data/Information Architecture (DRM), Technology Architecture (TRM). Supported by enterprise architecture guidance and supporting documentation and by the lifecycle development and maintenance process.
• NIST Risk Management Framework column (security / privacy control development): Categorize, Select, Implement, Assess, Authorize, Monitor. Supported by information security / privacy control guidance and supporting documentation and by the governance process.
• Controls are developed at three levels: enterprise-level "common controls" for security/privacy, segment-level controls, and solution / system-level controls.
Risk Management Framework: Security Life Cycle
Starting point:
1. CATEGORIZE Information System: define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information System: determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security Controls: continuously track changes to the information system that may affect security controls and reassess control effectiveness.
[Figure: Risk Executive Function, providing enterprise-wide oversight, monitoring, and risk management]
• Organizational inputs: laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations.
• Architecture description: architecture reference models; segment and solution architectures; mission and business processes; information system boundaries.
• The Risk Management Framework (RMF) is applied to each information system. Each system produces a Security Plan (SP), a Security Assessment Report (SAR), and a Plan of Action and Milestones (POAM), which feed that system's Authorization Decision.
• Common controls are inherited by the information systems rather than implemented separately by each one.