Certification and Accreditation for Your Open Government Applications

Open source systems introduce new uncertainties into the certification and accreditation (C&A) process for information systems. Join Acquia, GDIT and Carahsoft for a complimentary webcast where we will discuss:

* How Acquia and their partners at GDIT have developed an approach to certifying and accrediting systems built on Drupal and the LAMP stack
* The processes and tools used to classify your system according to FISMA and NIST guidelines
* How to develop and verify the required controls for your Drupal-based system
* The experiences that shaped Acquia’s approach
* Surprising similarities between the C&A process for open and closed source systems

Published in: Technology

Slide transcript

1. Certification & Accreditation for Your Open Government Applications
   * Chuck D’Antonio and Jason Ingalls

2. Acquia Introduction (Acquia, the Enterprise Guide to Drupal)
   * Drupal expertise
   * Enterprise software and government services experience
   * 60+ employees

3. GDIT, Information Assurance Experts
   * Web Application Development Security
   * Security Testing
   * Incident Response

4. Help! I need to C&A my Drupal site! (© 2009 Acquia, Inc.)
   * How do I assure trust in Open Source software?
   * Will I need a new set of processes and controls?
   * What resources are available to me?

5. Myths of Drupal & Open Source Security
   * PHP is less secure than ...
   * Open Source is easier to attack
   * Lack of resources such as documentation and versioning information for Open Source
   * There aren’t a lot of C&A resources available

6–9. Myths of Drupal & Open Source Security (the rebuttals, revealed one per slide)
   * PHP is as or more secure than other available dynamic web engines out there. Security is a process, not a product.
   * Open Source means massive collaboration, high visibility, and a large pool of resources for vulnerability discovery and remediation.
   * Documentation exists for Open Source in many different forms, not necessarily what could be considered traditional knowledge bases.
   * Publications from NSA, DISA, etc.

10. Components of a successful C&A packet
   * System boundaries
   * Security Categorization
   * Risk Analysis
   * System Security Plan
   * System Test and Evaluation
   * Plan of Action and Milestones

11. C&A Tools and Processes
   * Make your C&A packet work for you
   * Integrate reviews early in your system lifecycle
   * Use a mix of tools to validate your controls
     * Coding standards
     * Code analysis
     * Functional tests
     * Scanners
     * Fuzzers
   * Leverage available information

12. Our collaborative approach to C&A
   * Incorporate security expertise into your development team
   * Collaborate on controls and remediation
   * Include C&A activities in your project milestones
   * Address security issues with each development iteration

13. Developing the right controls
   * Don’t over-engineer your controls
   * Leverage your existing policies & procedures
   * Focus on the entire system
   * Define validation plans in parallel with controls
   * Take advantage of the Drupal community

14. Take advantage of available support
   * Community security patches and bulletins
     * Clear processes for addressing vulnerabilities
   * Commercial vendors
     * Formal channels to report and resolve issues
     * Guaranteed levels of response
     * Addresses many of the concerns of the C&A process

15. Bringing the process to completion
   * Verify
     * Ensure your statements have been demonstrated
   * Review
     * Fix those errors!
   * Finalize
     * Get sign-off from process owners
   * Submit
   * Maintain records

16. Obtaining your ATO
   * Launch
   * Follow the POA&M
   * Maintain the Packet
   * Ensure compliance
   * Perform reviews

17. Questions and More Information
   * For more information, visit us at:
     * http://acquia.com
     * http://twitter.com/acquiagov
   * Contact Acquia:
     * [email_address]
     * 888-9-ACQUIA
   * Contact presenters:
     * [email_address]
     * [email_address]
   * For additional Open Government resources, visit:
     * http://acquia.com/government
   * Sign up for a free 30-day Acquia Network trial
     * http://acquia.com/trial