Presented in the ACT/IAC Information Security and Privacy SIG webinar focused on presenting the updated FISMA security requirements described in NIST SP 800-37r1. The other presenters were Ron Ross of NIST and Patti Titus of Unisys.

1. Near Real-Time Risk Management Continuous Monitoring, Configuration Managementand SCAP ACT/IAC Information Security and Privacy SIG 501 School Street SW Suite 800 Washington, DC 20024 202-567-2777 www.tantustech.com Daniel Philpott, CISSP, CAP Federal Information Security Architect Tantus Technologies March 22, 2010

2. Continuous Monitoring “The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur.” - NIST SP 800-37 Revision 1, Appendix G “Continuous monitoring of security controls using automated support tools facilitates near real-time risk management …” - NIST SP 800-37 Revision 1, Appendix G 2

3. Monitoring: High Level Overview Strategy Organizations, information system owners and common control providers should develop a strategy to plan how continuous monitoring can effectively be established in their environment to support near real-time risk management. Program Functions Track changes to the system and its environment of operation; Conduct security impact analyses; Take remediation actions; Reassess security controls; Record and report the security status of the system; and Determine risk and decide whether the risk is acceptable. 3

4. Monitoring: What? What do we monitor? Primary Focus: Security Controls Hardware Software Firmware Secondary Focus: Operational Environment Threat space/environment Mission and business Policy and law Changes 4

5. Monitoring: Which? Which Security Controls do we monitor? Decisions belong to Information System Owner and Common Control Providers Authorizing Official or AODR approves decisions How Many Security Controls Consider the categorization of the system and importance to organizational mission Consider recent risk assessments and threat environment Selecting Security Controls Volatility – How often will the control change? Effectiveness – Does the control have a known weakness? Impact – How important is the control in relation to threats? 5

6. Monitoring: How? How do we monitor? Methods of monitoring vary by class of Security Control: Technical Controls – Best monitored by automated mechanisms, configuration management and SCAP Operational Controls – Interviews with knowledgeable staff Management Controls – Reviews of pertinent documentation and interviews with knowledgeable staff Automation can be applied anywhere: Create automated mechanisms to monitor for document changes Configuration Management processes offer a rich source of operational and management change information 6

7. Monitoring: Configuration Management What is Configuration Management? A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems. How does it work with Continuous Monitoring? Anticipated changes to security controls are tracked by it Assessment of anticipated control changes occur within it Remediation of control weaknesses are enacted through it Records of control changes are maintained in it NIST SP 800-128 Guide for Security Configuration Management of Information Systems (Draft) 7

8. Monitoring: SCAP Security Content Automation Protocol (SCAP) Six specifications and associated content which enable: Documentation of configuration standards for software and operating systems Validation of software and operating system configurations against the standard Scanning for vulnerabilities and patch levels Discovery of known insecure configuration settings Asset management Best known use: Federal Desktop Core Configuration NIST SP 800-126 Technical Specification for the Security Content Automation Protocol (SCAP) v1.0 8

9. Resources NIST SP 800-37 Revision 1: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf NIST SP 800-128 (Configuration Management Draft): http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf NIST SP 800-126 (SCAP): http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf 9

10. 10 Contacts Buck Keswani Chief Executive Officer Tel 202-567-2720 Cell 703-582-7664 bkeswani@tantustech.com Peter Rath Information Assurance Program Director Cell 703 624-2796 prath@tantustech.com Daniel Philpott Federal Information Security Architect Cell 301-825-5722 dphilpott@tantustech.com www.tantustech.com