
FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management


Presented in the ACT/IAC Information Security and Privacy SIG webinar on the updated FISMA security requirements described in NIST SP 800-37r1. The other presenters were Ron Ross of NIST and Patti Titus of Unisys.


  1. Near Real-Time Risk Management
     Continuous Monitoring, Configuration Management and SCAP
     ACT/IAC Information Security and Privacy SIG
     501 School Street SW, Suite 800, Washington, DC 20024
     202-567-2777
     Daniel Philpott, CISSP, CAP
     Federal Information Security Architect
     Tantus Technologies
     March 22, 2010
  2. Continuous Monitoring
     “The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur.”
     - NIST SP 800-37 Revision 1, Appendix G
     “Continuous monitoring of security controls using automated support tools facilitates near real-time risk management …”
     - NIST SP 800-37 Revision 1, Appendix G
  3. Monitoring: High Level Overview
     Strategy
     Organizations, information system owners and common control providers should develop a strategy to plan how continuous monitoring can effectively be established in their environment to support near real-time risk management.
     Program Functions
     - Track changes to the system and its environment of operation;
     - Conduct security impact analyses;
     - Take remediation actions;
     - Reassess security controls;
     - Record and report the security status of the system; and
     - Determine risk and decide whether the risk is acceptable.
  4. Monitoring: What?
     What do we monitor?
     Primary Focus: Security Controls
     - Hardware
     - Software
     - Firmware
     Secondary Focus: Operational Environment
     - Threat space/environment
     - Mission and business
     - Policy and law
     - Changes
  5. Monitoring: Which?
     Which Security Controls do we monitor?
     - Decisions belong to the Information System Owner and Common Control Providers
     - The Authorizing Official or AODR (Authorizing Official Designated Representative) approves decisions
     How Many Security Controls
     - Consider the categorization of the system and its importance to the organizational mission
     - Consider recent risk assessments and the threat environment
     Selecting Security Controls
     - Volatility – How often will the control change?
     - Effectiveness – Does the control have a known weakness?
     - Impact – How important is the control in relation to threats?
  6. Monitoring: How?
     How do we monitor?
     Methods of monitoring vary by class of Security Control:
     - Technical Controls – Best monitored by automated mechanisms, configuration management and SCAP
     - Operational Controls – Interviews with knowledgeable staff
     - Management Controls – Reviews of pertinent documentation and interviews with knowledgeable staff
     Automation can be applied anywhere:
     - Create automated mechanisms to monitor for document changes
     - Configuration Management processes offer a rich source of operational and management change information
  7. Monitoring: Configuration Management
     What is Configuration Management?
     A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
     How does it work with Continuous Monitoring?
     - Anticipated changes to security controls are tracked by it
     - Assessment of anticipated control changes occurs within it
     - Remediation of control weaknesses is enacted through it
     - Records of control changes are maintained in it
     NIST SP 800-128 Guide for Security Configuration Management of Information Systems (Draft)
  8. Monitoring: SCAP
     Security Content Automation Protocol (SCAP)
     Six specifications and associated content which enable:
     - Documentation of configuration standards for software and operating systems
     - Validation of software and operating system configurations against the standard
     - Scanning for vulnerabilities and patch levels
     - Discovery of known insecure configuration settings
     - Asset management
     Best known use: Federal Desktop Core Configuration
     NIST SP 800-126 Technical Specification for the Security Content Automation Protocol (SCAP) v1.0
  9. Resources
     NIST SP 800-37 Revision 1:
     NIST SP 800-128 (Configuration Management Draft):
     NIST SP 800-126 (SCAP):
  10. Contacts
     Buck Keswani
     Chief Executive Officer
     Tel 202-567-2720
     Cell 703-582-7664

     Peter Rath
     Information Assurance Program Director
     Cell 703-624-2796

     Daniel Philpott
     Federal Information Security Architect
     Cell 301-825-5722
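As an added illustration of the validation step described on the SCAP slide (slide 8), and not code from the presentation, from Tantus or from NIST: a minimal evaluator that checks a host's configuration snapshot against a constructed XCCDF-style benchmark and produces a severity-weighted compliance score, the kind of near real-time signal a continuous monitoring program feeds on. The rule layout, setting names, host values and severity weights are all assumed stand-ins, not real SCAP content.

```python
"""Simplified SCAP-style configuration check (added example).
The benchmark format and the host snapshot are constructed stand-ins
for real XCCDF/OVAL content, chosen only to show the evaluation logic."""
import operator

# Constructed benchmark: each rule names a setting, the expected value,
# a comparison operator and a severity (assumed layout, not real SCAP).
BENCHMARK = [
    {"id": "rule-pw-min-len", "setting": "password.min_length",
     "op": "ge", "expected": 12, "severity": "high"},
    {"id": "rule-lockout", "setting": "account.lockout_threshold",
     "op": "le", "expected": 5, "severity": "medium"},
    {"id": "rule-telnet", "setting": "services.telnet.enabled",
     "op": "eq", "expected": False, "severity": "high"},
    {"id": "rule-audit", "setting": "audit.enabled",
     "op": "eq", "expected": True, "severity": "medium"},
]

OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}
WEIGHT = {"high": 10, "medium": 5, "low": 1}   # assumed severity weights


def evaluate(benchmark, host):
    """Return {rule_id: 'pass' | 'fail' | 'unknown'} for one host.
    A setting absent from the snapshot is reported as 'unknown' so that
    a gap in data collection never shows up as a passing control."""
    results = {}
    for rule in benchmark:
        actual = host.get(rule["setting"])
        if actual is None:
            results[rule["id"]] = "unknown"
        elif OPS[rule["op"]](actual, rule["expected"]):
            results[rule["id"]] = "pass"
        else:
            results[rule["id"]] = "fail"
    return results


def score(benchmark, results):
    """Severity-weighted compliance in [0, 100]; unknowns earn nothing."""
    total = sum(WEIGHT[r["severity"]] for r in benchmark)
    earned = sum(WEIGHT[r["severity"]] for r in benchmark
                 if results[r["id"]] == "pass")
    return round(100.0 * earned / total, 1)


# Constructed host snapshot (flattened setting names); audit.enabled is
# deliberately missing to exercise the 'unknown' path.
HOST = {"password.min_length": 8, "account.lockout_threshold": 5,
        "services.telnet.enabled": False}

if __name__ == "__main__":
    found = evaluate(BENCHMARK, HOST)
    for rule_id, status in found.items():
        print(f"{rule_id}: {status}")
    print("compliance score:", score(BENCHMARK, found))
```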