Panel: Moderator: Michele Iversen; Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell

Posted on 25-Dec-2015

Page 1

Panel: Moderator: Michele Iversen; Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell

Page 2

Adhering to laws, regulations, standards, best practices, and contractual requirements (collectively referred to as "mandates")
• Includes the PROCESS of becoming and remaining compliant
• Ongoing state of continuous improvement that requires discipline across the enterprise, over the business and product lifecycle
• It contributes to achieving Risk Management objectives
• Mechanism for controlling and managing risk
• Protects nonpublic, sensitive information
• Establishes standards for information security
• Deters cybercriminals, including insiders
• Holds corporate boards and senior executives accountable

Risk management has industry standards that cross industries and geographies; they can be quite complex!

Page 3

Federal Government
• Federal Information Security Management Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• FIPS Standards
• Common Criteria
• Security Technical Implementation Guides (STIGs)
• U.S. Rehabilitation Act & Section 508
• Communications Assistance for Law Enforcement Act (CALEA)

Banking & Finance
• Sarbanes-Oxley Act (SOX)
• National Automated Clearing House Association (NACHA) Electronic Payments Association Electronic Data Interchange (EDI)
• Payment Card Industry Data Security Standard (PCI DSS)

Health Care
• Health Insurance Portability and Accountability Act (HIPAA)
• HITECH
• Meaningful Use
• Health Level Seven International (HL7) Standards Development Organization

Privacy
• New York State Privacy Law
• California Privacy and Identity Management Law
• And other States!
• Europe and other countries

Page 4

Federal Information Security Management Act (FISMA)
• Federal law enacted in 2002 as Title III of the E-Government Act, which recognizes the importance of information security to the economic and national security interests of the U.S.
• Provides a framework for ensuring the effectiveness of information security controls over information resources supporting federal operations.
• Requires that agencies identify and provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
• States that the head of each agency is responsible for providing information security protections.

Page 5

[Figure: Multi-tiered Risk Management Approach (National Institute of Standards and Technology). Three tiers, with a strategic risk focus at the top and a tactical risk focus at the bottom.]
• TIER 1: Organization (Governance)
• TIER 2: Mission / Business Process (Information and Information Flows)
• TIER 3: Information System (Environment of Operation)

Figure annotations: Implemented by the Risk Executive Function; Enterprise Architecture and SDLC Focus; Information Security Architecture; Flexible and Agile Implementation; Threat Aware.

Page 6

[Figure: Security Life Cycle, SP 800-39 (National Institute of Standards and Technology). The six Risk Management Framework steps are drawn as a cycle; CATEGORIZE is the starting point and the steps proceed in the order below.]
• CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
• SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
• IMPLEMENT Security Controls (SP 800-70 / SP 800-160): Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
• ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
• AUTHORIZE Information System (SP 800-37): Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
• MONITOR Security State (SP 800-137): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 7

[Figure: Risk Management Framework (RMF), National Institute of Standards and Technology. The top-level risk management strategy informs the operational elements; strategic risk management focus at the top, tactical risk management focus at the bottom.]
• RISK EXECUTIVE FUNCTION: Organization-wide Risk Governance and Oversight; enterprise-wide Core Missions / Business Processes, Security Requirements, and Policy Guidance
• COMMON CONTROLS: Security Controls Inherited by Organizational Information Systems
• INFORMATION SYSTEM (one per system): System-specific Controls, with Hybrid Controls sitting between the common controls and each information system
• Each information system carries a Security Plan, a Security Assessment Report, and a Plan of Action and Milestones, which feed Ongoing Authorization Decisions
• Defense-in-Breadth

Page 8

The length of the FISMA compliance process is highly variable, depending on several factors such as:
• The Security Category (FIPS 199 Low, Moderate, High)
• The availability of resources with skills and spare time to manage the process
• The current level of security controls
• The total number of users in a project
• The complexity of the computing environment

Page 9

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP is mandatory for federal agency cloud deployments and service models at low- and moderate-risk impact levels.

To initiate the process, a cloud service provider (CSP) or federal agency submits a completed FedRAMP request form and Federal Information Processing Standards (FIPS) 199 worksheet to FedRAMP.

The FedRAMP Joint Authorization Board reviews the risk posture of cloud systems and provides "provisional authorizations" based on the submitted security package.

Page 10

FEDRAMP Documentation Requirements (Authorization Package)

Deliverable: Description
• System Security Plan (SSP): This document describes how the controls are implemented within the cloud information system and its environment of operation. The SSP is also used to describe the system boundaries.
• Information Security Policies: This document describes the CSP's Information Security Policy that governs the system described in the SSP.
• User Guide: This document describes how leveraging agencies use the system.
• Rules of Behavior: This document is used to define the rules that describe the system user's responsibilities and expected behavior with regard to information and information system usage and access.
• IT Contingency Plan: This document is used to define and test interim measures to recover information system services after a disruption. The ability to prove that system data can be routinely backed up and restored within agency-specified parameters is necessary to limit the effects of any disaster and the subsequent recovery efforts.
• Configuration Management Plan: This plan describes how changes to the system are managed and tracked. The Configuration Management Plan should be consistent with NIST SP 800-128.

Page 11

FEDRAMP Documentation Requirements (Authorization Package) 2 of 2

Deliverable: Description
• Incident Response Plan: This plan documents how incidents are detected, reported, and escalated and should include timeframes, points of contact, and how incidents are handled and remediated. The Incident Response Plan should be consistent with NIST Special Publication 800-61.
• E-Authentication Workbook: This template will be used to indicate if E-Authentication will be used in the cloud system and defines the required authentication level (1-4) in terms of the consequences of the authentication errors and misuse of credentials. Authentication technology is selected based on the required assurance level.
• Privacy Threshold Analysis: This questionnaire is used to help determine if a Privacy Impact Assessment is required.
• Privacy Impact Assessment: This document assesses what Personally Identifiable Information (PII) is captured and if it is being properly safeguarded. This deliverable is not always necessary.

Page 12

• Understand the mandates: both how your product meets the applicable compliance framework requirements and/or how your product helps your customer meet them.
• Identify and document your baseline state of compliance; develop a requirements traceability matrix as appropriate.
• Validate compliance through third-party audits; have documentation that you're willing to share.
• Identify gaps and plan for remediation.