1 / 21

US Department of State Jay Coplon

US Department of State Jay Coplon. My Commitment. You will get a sense for how we do C&A You will find value in being here All of your questions will be answered. Key Points. Quantitative Metrics Toolkits, Tools and Templates Continuous Monitoring Questions and Answers.

xanthe
Download Presentation

US Department of State Jay Coplon

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. US Department of StateJay Coplon

  2. My Commitment You will get a sense for how we do C&A You will find value in being here All of your questions will be answered

  3. Key Points Quantitative Metrics Toolkits, Tools and Templates Continuous Monitoring Questions and Answers

  4. Decision Memo Authorization to Operate • When the Control Limits have not been exceeded.

  5. Decision Memo Authorization to Operate • When the Control Limits have been exceeded.

  6. System Owner will manage their systems iPost Risk Score which is represent by an average over a 30 day period. Risk Score in iPost • Specification Limit6 -15% Medium Risk • Control Limit • 5% or Less Medium Risk

  7. System Owner will maintain a high level of hosts fully reporting (to iPost) within the accreditation boundary.  Fully means current reporting on hardware, software, patch, vulnerability, and compliance Fully Reporting in iPost • Specification LimitFalls below 70% • Control Limit • Falls below 90%

  8. Little or No Medium Traditional Risk • The System Owner will maintain a level or state of low or no Medium business risk as determined by traditional C&A.  • Specification Limit6 -15% Medium Risk • Control Limit • 5% or Less Medium Risk

  9. Notifications of Change When risk is above the specification limit notifications of change will not be considered. • Specification Limit<3 consecutive months • Control Limit • 3 or more consecutive months

  10. C&A – How we communicate with our customers. SharePoint Website Policy, Procedure, Standard Document Center Organized by categories Alert Notifications Page and/or Document Workshops Tools

  11. SharePoint

  12. SharePoint

  13. Get Ready Get Set STOP! • Exceed any specification limit • Readiness to Start C&A Checklist

  14. FIPS 199 and OMB M-04-04 • Categorize your System • Determine the Assurance Level

  15. Control Selection Tool • Identify which controls have been implemented • How each control has been implemented • C&A and Annual Security Control Assessments • Manage controls over the systems lifecycle

  16. POA&M Tester Database Tool • Linked to the system FIPS 199 categorization • Import Open Findings from previous assessments • Finding and Recommended remediation • Failed Controls are identified • Standardizes the risk is calculated for each finding • Risk Scoping

  17. iPost Continuous Monitoring

  18. IPost Continuous Monitoring

  19. Questions and Answers

More Related