Foundational Basis for the Assessment
of NASA Information Systems
January 12, 2017
Presented by: Cybersecurity and Integration Division (CSID)
Code 710
Information Technology & Communications Directorate (ITCD)
Code 700
Summary
Code 7XX DSR 11/05/14
To provide a thorough understanding of all relevant
Federal mandates and guidance regarding the continuous
monitoring of NASA Federal Information Systems
through the process of independent annual security
control assessments.
Overview
Legislative basis for Federal governance of security
within NASA Information Systems
Federal Laws
The Federal Information Systems Management Act of 2002
(Public Law 107-347) and Federal Information Systems
Modernization Act of 2014 (Public Law 113-283), known as
FISMA 2002 and FISMA 2014 respectively, require the Office
of Management and Budget (OMB) and Department of
Homeland Security (DHS) to issue regulations as per the security
of federally managed information systems.
FISMA 2002
Mandates the head of each federal agency to be responsible for
“providing information security protections commensurate with
the risk and magnitude of the harm resulting from unauthorized
access, use, disclosure, disruption, modification or destruction.”
To achieve this end, FISMA 2002 requires that “senior agency
officials” accomplish the following objectives:
• Assess risk and magnitude of harm that could result from a breach of
security;
• Determine the appropriate level of security on a system-by-system basis;
• Implement policies and practices to reduce risk; and
• Periodically test and evaluate information security controls and techniques
to ensure that they are effectively implemented.
FISMA 2014
Updates FISMA 2002 by mandating that each independent
assessment shall include:
• Each year, each agency shall have performed an independent evaluation of
the information security program and practices of that agency to determine
the effectiveness of such programs and practices;
• Testing of the effectiveness of information security policies, procedures,
and practices of a representative subset of the agency’s information
systems;
• An assessment of the effectiveness of the information security policies,
procedures, and practices of the agency; and
• Separate presentations, as appropriate, regarding information security
relating to national security systems.
FISMA 2014 (cont.)
Mandates that security assessments be either carried out by the
Office of the Inspector General or by an “independent external
auditor” engaged by the head of the agency.
As such, any assessment performed by a stakeholder within the
organization of the information system does not meet the legal
requirement for independent annual assessments of federal
information systems.
Federal Directives (DHS)
DHS Binding Operational Directives (BODs)
DHS BOD-15-01
Addresses the cybersecurity landscape from a national security
perspective and provides directives to stakeholders in federal
information systems.
Prescribes “identifying and mitigating vulnerabilities in the
information technology (IT) environment” as a key mechanism in
reducing the “risk of attackers penetrating their networks and
stealing their information.”
Federal Instructions (OMB)
OMB Instruction documents regarding security assessments for
federal information systems are OMB Circular No. A-130, OMB
Memo 15-01, OMB Memo 14-03, and OMB Memo 10-28.
The OMB mandates enhance the aforementioned laws by
specifying that agencies shall “regularly review and address risk
regarding processes, people and technology” by using the
guidance provided by the National Institute of Standards and
Technology (NIST) as well as Federal Information Processing
Standards (FIPS).
Federal Instructions (OMB) cont.
OMB Memo 15-01 specifically mandates that agencies are to “assess
information security risks on an ongoing basis” and that each agency is required
to “develop an Information Security Continuous Monitoring Strategy (ISCM).”
OMB Memo 14-03 states that it is the purpose of the ISCM Strategy to support
and enhance “the process of ongoing authorization by providing authorizing
officials with sufficient information regarding the current security state of their
information systems and environments of operations, including the security
controls employed within, and inherited by, the systems.”
Furthermore, OMB Memo 14-03 states, "Continuous monitoring-generated
information used to support ongoing authorizations must satisfy the
independence requirements defined in NIST Special Publication (SP) 800-37
and SP 800-53."
NIST
• The National Institute of Standards and Technology
(NIST) is empowered by DHS and OMB to create the tools
and processes by which the security of these systems is
measured.
• Adherence to the NIST guidance is mandated by both OMB
and DHS.
NASA Agency Governance
• NASA annually issues a strategic plan for securing federal
information systems and regularly updates a series of IT Security Handbooks
(ITS-HBKs), which provide specific guidance on how all of the aforementioned
requirements are met.
• The fifth goal of the NASA ITCD Strategic Plan for 2016 is to “Enhance
and strengthen information security to ensure the integrity, availability, and
confidentiality of NASA’s critical data and risk management solutions.”
• NASA publishes the ITS-HBK series, which provides detailed information
and guidance regarding the processes to meet the NASA security program
requirements. These handbooks are authorized as official Agency guidance
by NASA Policy Directive (NPD) 2810.1e and NASA Procedural
Requirement (NPR) 2810.1a.
Summary of Publications and Resources
Federal Laws
• Public Law 107-347
(FISMA 2002)
• Public Law 113-283
(FISMA 2014)
OMB Instructions
• OMB Circular No. A-130
• OMB Memorandum 10-28
• OMB Memorandum 14-03
• OMB Memorandum 15-01
DHS Directives
• DHS Binding Operational
Directive 15-01
NIST Special Publications (SPs)
• NIST SP 800-37
Guide for Applying the Risk Management
Framework to Federal Information Systems
• NIST SP 800-53
Security and Privacy Controls for Federal
Information Systems and Organizations
• NIST SP 800-53A
Assessing Security and Privacy Controls in
Federal Information Systems and Organizations
NASA Governance Documents
• NASA Information Technology and Communications Division Strategic
Plan for 2016
• NASA Policy Directive 2810.1e
NASA Information Security Policy
• NASA Procedural Requirement 2810.1a
Security of Information Technology
• NASA IT Security Handbook 2810.02
Security Assessment and Authorization
• NASA IT Security Handbook 2810.04
Risk Assessment: Security Categorization, Risk Assessment, Vulnerability
Scanning, Expedited Patching, & Organizationally Defined Values