Certification and Accreditation for Your Open Government Applications
Open source systems introduce new uncertainties into the certification and accreditation (C&A) process for information systems. Join Acquia, GDIT and Carahsoft for a complimentary webcast where we will discuss:

* How Acquia and their partners at GDIT have developed an approach to certifying and accrediting systems built on Drupal and the LAMP stack
* The processes and tools used to classify your system according to FISMA and NIST guidelines
* How to develop and verify the required controls for your Drupal-based system
* Experiences that have developed Acquia’s approach
* Surprising similarities between the C&A process for open and closed source systems

Presentation Transcript

  • Certification & Accreditation for Your Open Government Applications
    • Chuck D’Antonio and Jason Ingalls
  • Acquia Introduction
    Acquia, the Enterprise Guide to Drupal
    • Drupal expertise
    • Enterprise software and government services experience
    • 60+ employees
    GDIT, Information Assurance Experts
    • Web Application Development Security
    • Security Testing
    • Incident Response
  • Help! I need to C&A my Drupal site! © 2009 Acquia, Inc.
    • How do I assure trust in Open Source software?
    • Will I need a new set of processes and controls?
    • What resources are available to me?
  • Myths of Drupal & Open Source Security
    • PHP is less secure than ...
    • Open Source is easier to attack
    • Lack of resources such as documentation and versioning information for Open Source
    • There aren’t a lot of C&A resources available
  • Myths of Drupal & Open Source Security
    • PHP is as or more secure than other available dynamic web engines out there. Security is a process, not a product.
    • Open Source means massive collaboration, high visibility, and a large pool of resources for vulnerability discovery and remediation.
    • Documentation exists for Open Source in many different forms, not necessarily what could be considered traditional knowledge bases
    • Publications from NSA, DISA, etc.
  • Components of a successful C&A packet
    • System boundaries
    • Security Categorization
    • Risk Analysis
    • System Security Plan
    • System Test and Evaluation
    • Plan of Action and Milestones
  • C&A Tools and Processes
    • Make your C&A packet work for you
    • Integrate reviews early in your system lifecycle
    • Use a mix of tools to validate your controls
      • Coding standards
      • Code analysis
      • Functional tests
      • Scanners
      • Fuzzers
    • Leverage available information
  • Our collaborative approach to C&A
    • Incorporate security expertise into your development team
    • Collaborate on controls and remediation
    • Include C&A activities in your project milestones
    • Address security issues with each development iteration
  • Developing the right controls
    • Don’t over engineer your controls
    • Leverage your existing policies & procedures
    • Focus on the entire system
    • Define validation plans in parallel with controls
    • Take advantage of the Drupal community
  • Take advantage of available support
    • Community security patches and bulletins
      • Clear processes for addressing vulnerabilities
    • Commercial vendors
      • Formal channels to report and resolve issues
      • Guaranteed levels of response
      • Addresses many of the concerns of the C&A process
  • Bringing the process to completion
    • Verify
      • Ensure your statements have been demonstrated
    • Review
      • Fix those errors!
    • Finalize
      • Get sign-off by process owners
      • Submit
    • Maintain records
  • Obtaining your ATO
    • Launch
    • Follow the POA&M
    • Maintain the Packet
    • Ensure compliance
    • Perform reviews
  • Questions and More Information
    • For more information, visit us at:
      • http://acquia.com
      • http://twitter.com/acquiagov
    • Contact Acquia:
      • [email_address]
      • 888-9-ACQUIA
    • Contact presenters:
      • [email_address]
      • [email_address]
    • For additional Open Government resources, visit:
      • http://acquia.com/government
    • Sign up for a free 30-day Acquia Network trial
      • http://acquia.com/trial