Environmental Protection Agency Shared Service Center: Integrated Security Solution for FISMA Reporting

Our Vision
Help federal managers and IT professionals understand and successfully implement the federal risk management framework so they can manage information and IT assets in accordance with federal standards.

Agenda/Presentation Overview
• SSC Goals
• Role in the Risk Management Framework
• ASSERT Capabilities
• EPA’s SSC Process
• Consortium Benefits
• Implementation Timeframe
• Pricing
• Summary

Integrated Security Solution – Our Goals
• Assist your information security program using proven, effective practices
• Save time and resources spent on FISMA quarterly and annual reporting to OMB
• Aid performance on the Annual Congressional Scorecard

EPA’s Integrated Security Solution (diagram): ASSERT supports the Information System C&A process and maps to FIPS 199, FIPS 200 and NIST SP 800-18, 800-30, 800-37, 800-42, 800-53, 800-53A, 800-60, 800-64 and 800-70.

ASSERT Capabilities
• Secure Web Access Portal for Ease of Use
• System Categorization
• System Inventory Management
• Risk Identification
• Control Tailoring
• Continuous Monitoring: Implementation, Testing, and Remediation (POAM Tasks)
• Management Oversight
• FISMA Reporting Compliance
“Since 2004 SSA has used the ASSERT tool. It has met all our expectations and more as the IG and their contractor have also given it a ‘thumbs up.’ … We at SSA highly recommend the tool.” Bob Burch, FISMA Manager, Social Security Administration
ASSERT Secure Web Access
• Customized with your logo and colors
• Conforms with Moderate Baseline & FIPS 140-2 encryption
• Post news and announcements for users

ASSERT Portal: Ease of Use
• See summary information
• What you see is based on your job assignments
• Focus on critical items
• Perform key functions at the click of a button
• Access details via links

ASSERT System Categorization: Business Orientation
• Helps users identify Business Areas, Lines of Business
• Walks users through a structured interview or supports expert mode
• Extensive links to help
• Button navigation

ASSERT System Categorization: Guidance for Users
• Coaching for decisions on confidentiality, integrity, and availability (screenshot example: Low, Low, Moderate)
• Helps identify Other Factors and Special Factors affecting categorization
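The categorization decisions the slide describes follow FIPS 199 and SP 800-60: each information type on a system gets a provisional impact level for confidentiality, integrity and availability, documented "Other Factors" or "Special Factors" may adjust a provisional level, and the system's category is the high-water mark across all types and objectives. The following is an added illustration of that logic, not code from ASSERT or the EPA Shared Service Center; the information types, their levels and the adjustment rationale are constructed sample data, and the helper names (`InfoType`, `categorize`, `adjusted_level`) are assumptions.

```python
from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered for the high-water-mark comparison.
# "N/A" is permitted only for the confidentiality of an individual
# information type (e.g. public information), never for a whole system.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type (SP 800-60 style) with its provisional CIA levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # Documented Other/Special Factors: objective -> (new level, rationale)
    adjustments: dict = field(default_factory=dict)


def _level(value, objective):
    key = value.strip().upper()
    if key not in LEVELS:
        raise ValueError(f"unknown impact level {value!r}")
    if key == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is only permitted for confidentiality, not {objective}")
    return LEVELS[key]


def adjusted_level(info, objective):
    """Provisional level for one objective, after any documented adjustment."""
    level = _level(getattr(info, objective), objective)
    if objective in info.adjustments:
        new_value, rationale = info.adjustments[objective]
        # An adjustment without a recorded rationale is not auditable.
        if not rationale or not rationale.strip():
            raise ValueError(f"{info.name}/{objective}: adjustment needs a documented rationale")
        level = _level(new_value, objective)
    return level


def categorize(info_types):
    """Return ({objective: level}, overall) for a system hosting info_types."""
    if not info_types:
        raise ValueError("a system must host at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        # High-water mark across every information type on the system.
        hwm = max(adjusted_level(t, obj) for t in info_types)
        # A system-level objective can never be N/A; SP 800-60 floors it at LOW.
        per_objective[obj] = NAMES[max(hwm, LEVELS["LOW"])]
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall


# Constructed sample data for a hypothetical permit-tracking system.
SAMPLE_TYPES = [
    InfoType("Public web content", "N/A", "LOW", "LOW"),
    InfoType("Facility permit records", "MODERATE", "MODERATE", "LOW"),
]


def sample_categorization():
    return categorize(SAMPLE_TYPES)


def sample_with_special_factor():
    """Same system, but a documented special factor raises availability."""
    adjusted = InfoType(
        "Facility permit records", "MODERATE", "MODERATE", "LOW",
        adjustments={"availability": ("MODERATE", "statutory permit deadlines (special factor)")},
    )
    return categorize([SAMPLE_TYPES[0], adjusted])


if __name__ == "__main__":
    print(sample_categorization())        # overall MODERATE, availability LOW
    print(sample_with_special_factor())   # availability raised to MODERATE
```

The point a reviewer checks in such a tool is that the overall category can only go up with more information types, that N/A never survives to the system level, and that every adjustment away from the provisional level carries a recorded justification.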
ASSERT Inventory Management
• Maintain FISMA or full Agency Inventory
• Identify GSS/MA Relationships across Agency

ASSERT Risk Identification and Control Tailoring
• Scoping
• Risk values
• Review status

ASSERT Continuous Monitoring: Implementation
• Base Control Implementation documented & available for export to Security Plan
• Enhancements

ASSERT Continuous Monitoring: Testing
• Show expected test step results and require documentation of variances
• Roll up to Control status
• Document the test step result
• Certify the test step result
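The testing workflow above (expected result per test step, mandatory variance documentation, certification, roll-up to a control status) is easy to state but its edge cases matter: an undocumented variance must block the roll-up, and an uncertified or untested step must not count as satisfied. The block below is an added illustration of that roll-up, not ASSERT's own code; the control identifier AC-2 and its test steps are constructed sample data, the status words follow the SP 800-53A "satisfied / other than satisfied" convention, and the names `TestStep`, `roll_up` and `sample_roll_up` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PASS, FAIL, NOT_TESTED = "PASS", "FAIL", "NOT TESTED"
SATISFIED, OTHER_THAN_SATISFIED, INCOMPLETE = "SATISFIED", "OTHER THAN SATISFIED", "INCOMPLETE"


@dataclass
class TestStep:
    """One test step of a control assessment procedure."""
    step_id: str
    description: str
    expected: str                  # expected result recorded before testing
    actual: Optional[str] = None   # None means the step has not been performed
    variance_note: str = ""        # required whenever actual differs from expected
    certified_by: str = ""         # reviewer sign-off on the recorded result

    def result(self):
        if self.actual is None:
            return NOT_TESTED
        if self.actual.strip().lower() == self.expected.strip().lower():
            return PASS
        # A variance is only acceptable as a finding if it is documented.
        if not self.variance_note.strip():
            raise ValueError(f"{self.step_id}: variance from expected result must be documented")
        return FAIL


def roll_up(control_id, steps):
    """Roll test-step results up to a control status plus POAM tasks for failures."""
    if not steps:
        raise ValueError(f"{control_id}: no test steps defined")
    results = {s.step_id: s.result() for s in steps}
    uncertified = [s.step_id for s in steps if s.actual is not None and not s.certified_by.strip()]
    failed = [s for s in steps if results[s.step_id] == FAIL]
    if failed:
        status = OTHER_THAN_SATISFIED          # any documented failure wins
    elif NOT_TESTED in results.values() or uncertified:
        status = INCOMPLETE                    # never report satisfied on partial evidence
    else:
        status = SATISFIED
    # Each failing step becomes a remediation (POAM) task carrying its finding.
    poam_tasks = [
        {"control": control_id, "step": s.step_id, "finding": s.variance_note} for s in failed
    ]
    return {
        "control": control_id,
        "status": status,
        "step_results": results,
        "uncertified": uncertified,
        "poam_tasks": poam_tasks,
    }


# Constructed sample assessment of AC-2 (Account Management).
SAMPLE_STEPS = [
    TestStep("AC-2.1", "Inactive accounts are disabled after the agency-defined period",
             expected="disabled", actual="disabled", certified_by="reviewer"),
    TestStep("AC-2.2", "Sampled accounts have a recorded approval",
             expected="approval on file", actual="approval missing for 2 of 10 sampled accounts",
             variance_note="2 of 10 sampled accounts lack an approval record", certified_by="reviewer"),
    TestStep("AC-2.3", "Account reviews are performed quarterly",
             expected="reviewed", actual=None),
]


def sample_roll_up():
    return roll_up("AC-2", SAMPLE_STEPS)


if __name__ == "__main__":
    print(sample_roll_up())   # status OTHER THAN SATISFIED, one POAM task for AC-2.2
```

Ordering the checks as failure first, then completeness, then satisfied means a control with one documented failure is reported as a finding even while other steps are still open, which is what the FISMA reporting roll-up needs.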
ASSERT Continuous Monitoring: Remediation
• Tasks for remediating the control

ASSERT Management Oversight
• Real-time report data
• Export to PDF or Excel or on-screen view
• Color coding and words

ASSERT FISMA Reporting Compliance
• Expands to show totals by categorization level
ASSERT Technical Specifications
• ColdFusion MX7 front-end
• Oracle 10g database
• Accessed via the Web using a FIPS 140-2 compliant encrypted connection (https://)
• No mobile code or special ports
• Scalable for number of organizational units, systems and users

A Solid Foundation in ASSERT
• A stable, effective, full-featured tool
• Secure web-based access to a centralized database
• Complies with Moderate baseline controls
• Full cycle of FISMA-mandated activities supported
• Reporting capabilities
“The elements and phases of the ASSERT SPM appear not only to comply with DITSCAP requirements, but they are much more comprehensive and specify many more steps in the software accreditation and implementation process for EPA. In addition, each element of the ASSERT System has very specific QA requirements for documentation and approval.” Kevin Hull, December 2006, Independent QA Auditor
EPA’s Shared Service Center Offerings
• Implementation support
• Software deployment
• Ongoing management & operational support
• Technical hosting options
• Consortium membership

SSC Implementation Support
• Evaluate current processes and security environment
• Recommend implementation plan based on effective practices
• If requested, provide CISO and staff with business and technical consulting
• Help migrate existing data, tailor controls
• Offer user training and help desk support

SSC Software Deployment
• Flexibility through customization of…
  • Agency logo and preferred colors
  • Organizational structure
  • Standardized terms
• Support for loading information
  • System-user information
  • Assessment and POAM history
  • Agency specific NIST-compliant policies to reference
  • Agency specific common controls, risk management decisions

SSC Management & Operational Support
• Sharing of best practices
• FISMA management and reporting services:
  • Management and business process consultation
  • Analysis, such as policy alignment
  • Customized reports
  • Staff augmentation
• Comprehensive user training
  • Relates software to business processes
  • Can qualify as specialized IT training
• Help desk support

SSC Technical Hosting Options
• EPA hosting service
  • Centralized database instance for each agency, with segregation of data
  • System platforms, management and monitoring
  • Fully certified and accredited environments
• Participant agency hosting
  • Provide own system platforms, management and monitoring

ASSERT Consortium
• Consortium Board sets vision and directs software evolution
• Configuration Control Board oversees the ASSERT feature set
• Members share best practices and leverage costs
• Reasonably priced to accommodate agencies of all sizes
• 2006 membership: EPA, GSA, SSA, USDA

Consortium Members’ Security Grades: 2001-2005 (chart). NOTE: USDA joined in 2006.

Consortium Process: Gather Requirements → Analyze & Define → Review by Consortium Board → Formalize Request → Approval by CCB → Develop & Deploy (process repeats as necessary)

Cost: Sliding Scale (* to be negotiated)
Summary: EPA’s Integrated Security Solution
• A proven business model
• Conformance to the federal risk management framework
• Proven, stable software solution since 2002
• Services to support implementation and beyond
• Consortium in operation since 2004
• Consortium members got “A’s” on 2005 Congressional Scorecard

Benefits
• Conforms to the federal risk management framework and federal standards
• Standardizes and integrates security practices with business processes
• Affordable for agencies of all sizes
• Comprehensive solution:
  • Services for implementation plus ongoing management and operations support
  • ASSERT software

Benefits (continued)
• Well-integrated with OMB regulations and NIST methodology for continuous monitoring of controls
• Active consortium of government agencies
  • Direct the system vision and development
  • Reduce costs through shared resources
  • Sets software feature direction

Summary: This Approach standardizes and integrates security practices with business processes… …with the help of an agency that has been there before.

EPA Open House
• Consortium Open House, April 5 from 9 am to 3 pm
• At EPA East, 12th & Constitution, Rooms 1117A & B
• Come for panel discussions, Q&A, and demos

Environmental Protection Agency Shared Service Center FISMA Reporting Solution
For more information, please contact:
• Don Huddleston, U.S. EPA, 202-566-1462, huddleston.don@epa.gov
• Bernice Bealle, U.S. EPA, 202-566-0716, bealle.bernice@epa.gov
• Marian Cody, CISO, U.S. EPA, 202-566-0302, cody.marian@epa.gov