This document is a template for a Plan of Action and Milestones (POA&M) for an information system called <Information System Name>. The POA&M identifies security weaknesses or deficiencies in the system, along with plans and milestones to remediate them. It includes an introduction describing the purpose and scope of the POA&M. A methodology section outlines how the POA&M will be structured, with a worksheet to track weaknesses, points of contact, resources required, milestones and completion dates. Appendices define acronyms and references used in the document.
This document provides a template for an eAuthentication plan, including instructions for its use. It defines the four eAuthentication levels established by OMB Memo M-04-04. It describes how to select an eAuthentication level based on potential impacts to confidentiality, integrity, and availability. The template then documents the selection of eAuthentication Level [2 or 3] for the <Information System Name> based on its risk profile.
This document provides Rules of Behavior for the internal and external users of the <Information System Name> system. The Rules of Behavior describe security controls associated with user responsibilities and expectations for following security policies. Section 1 provides an overview of Rules of Behavior. Section 2 describes recommended Rules of Behavior for internal users, such as complying with copyright, reporting security incidents, and safeguarding resources. Section 3 describes recommended Rules of Behavior for external users, such as maintaining credential confidentiality, reporting security incidents, and using encryption. Both sections require users to sign acceptance of the Rules of Behavior.
This template provides a sample format for preparing the Control Implementation Summary (CIS) Report for the CSP information system. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.
A emmanuel-sap-grc- consultant ( ac,pc,rm) resume-sfEmmanuel A
Emmanuel Shikhamani has over 11 years of experience in IT with specialized expertise in SAP GRC Access Control 10.0, Process Control 10.0, and Risk Management 10.0. He has led several full end-to-end SAP GRC implementation projects globally and has extensive experience designing controls, rules, and developing solutions for various SAP modules. Some of Emmanuel's key skills include SAP GRC, SAP security, ABAP, web programming, and risk analysis. He is currently working as a SAP GRC consultant at Techve Solutions in Hyderabad, India.
Legacy Systems in Software Engineering SE26koolkampus
The document discusses legacy systems, which are older software systems that are still vital to an organization. It defines legacy systems and explains why they are important. It describes common legacy system structures and functional design approaches. It also discusses assessing the business value and quality of legacy systems to determine the best strategy for evolving or replacing them.
Manageability refers to the ease of discovering, configuring, controlling, and monitoring systems. It is an important part of overall system robustness along with reliability, availability, and serviceability. Key manageability functions include health monitoring, logging, configuration and control, deployment and updates, and asset discovery. Manageability can operate both in-band through the main operating system or out-of-band through a separate processor. It helps support systems through each phase of the product lifecycle from design to wear-out.
This document discusses the key benefits that eMA provides to service providers in managing their service delivery and reporting to customers. eMA combines real-time monitoring and analytical reporting into a single tool. It allows integration with various third-party monitoring tools and data sources. eMA also provides configurable dashboards and reports that give users customizable views of key performance indicators and service level agreements on a per-customer basis. This helps service providers optimize service delivery and proactively manage customer SLA compliance.
This document is a template for a Plan of Action and Milestones (POA&M) for an information system called <Information System Name>. The POA&M identifies security weaknesses or deficiencies in the system, along with plans and milestones to remediate them. It includes an introduction describing the purpose and scope of the POA&M. A methodology section outlines how the POA&M will be structured, with a worksheet to track weaknesses, points of contact, resources required, milestones and completion dates. Appendices define acronyms and references used in the document.
This document provides a template for an eAuthentication plan, including instructions for its use. It defines the four eAuthentication levels established by OMB Memo M-04-04. It describes how to select an eAuthentication level based on potential impacts to confidentiality, integrity, and availability. The template then documents the selection of eAuthentication Level [2 or 3] for the <Information System Name> based on its risk profile.
This document provides Rules of Behavior for the internal and external users of the <Information System Name> system. The Rules of Behavior describe security controls associated with user responsibilities and expectations for following security policies. Section 1 provides an overview of Rules of Behavior. Section 2 describes recommended Rules of Behavior for internal users, such as complying with copyright, reporting security incidents, and safeguarding resources. Section 3 describes recommended Rules of Behavior for external users, such as maintaining credential confidentiality, reporting security incidents, and using encryption. Both sections require users to sign acceptance of the Rules of Behavior.
This template provides a sample format for preparing the Control Implementation Summary (CIS) Report for the CSP information system. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.
A emmanuel-sap-grc- consultant ( ac,pc,rm) resume-sfEmmanuel A
Emmanuel Shikhamani has over 11 years of experience in IT with specialized expertise in SAP GRC Access Control 10.0, Process Control 10.0, and Risk Management 10.0. He has led several full end-to-end SAP GRC implementation projects globally and has extensive experience designing controls, rules, and developing solutions for various SAP modules. Some of Emmanuel's key skills include SAP GRC, SAP security, ABAP, web programming, and risk analysis. He is currently working as a SAP GRC consultant at Techve Solutions in Hyderabad, India.
Legacy Systems in Software Engineering SE26koolkampus
The document discusses legacy systems, which are older software systems that are still vital to an organization. It defines legacy systems and explains why they are important. It describes common legacy system structures and functional design approaches. It also discusses assessing the business value and quality of legacy systems to determine the best strategy for evolving or replacing them.
Manageability refers to the ease of discovering, configuring, controlling, and monitoring systems. It is an important part of overall system robustness along with reliability, availability, and serviceability. Key manageability functions include health monitoring, logging, configuration and control, deployment and updates, and asset discovery. Manageability can operate both in-band through the main operating system or out-of-band through a separate processor. It helps support systems through each phase of the product lifecycle from design to wear-out.
This document discusses the key benefits that eMA provides to service providers in managing their service delivery and reporting to customers. eMA combines real-time monitoring and analytical reporting into a single tool. It allows integration with various third-party monitoring tools and data sources. eMA also provides configurable dashboards and reports that give users customizable views of key performance indicators and service level agreements on a per-customer basis. This helps service providers optimize service delivery and proactively manage customer SLA compliance.
This document discusses key topics in systems engineering, including:
1) Systems engineering involves procuring, designing, implementing, and maintaining sociotechnical systems that include both technical and human elements.
2) Software systems are part of broader sociotechnical systems and software engineers must consider human, social, and organizational factors.
3) Sociotechnical systems have emergent properties that depend on the interactions between system components and cannot be understood by examining the components individually.
This document discusses sociotechnical systems and systems engineering. It defines sociotechnical systems as systems that include both technical systems (e.g. hardware and software) as well as operational processes and people. Sociotechnical systems have emergent properties that depend on the interactions between system components. They are also non-deterministic since human behavior introduces unpredictability. Developing sociotechnical systems requires an interdisciplinary approach involving areas like software engineering, organizational design, and human factors.
This document discusses systems of systems and complexity. It begins by defining systems of systems and providing examples. Key characteristics of systems of systems include operational and managerial independence of elements, and evolutionary development. The document then covers sources of complexity, including technical, managerial and governance complexity. It discusses how reductionism has traditionally been used to manage complexity in engineering but has limitations for large systems of systems.
This document provides an overview of key topics in distributed software engineering. It discusses distributed systems issues, architectural patterns for distributed systems like client-server and peer-to-peer, and software as a service. Some important considerations for designing distributed systems include transparency, openness, scalability, security, and failure management. Middleware helps manage communication and interoperability between diverse components in a distributed system.
This document provides an overview of embedded systems and real-time systems. It discusses topics such as embedded system design, architectural patterns, timing analysis, real-time operating systems, and reactive systems. Key aspects of embedded systems include their need to respond to external events in real-time, their use of cooperating processes controlled by a real-time executive, and constraints related to hardware interaction, safety, and reliability.
SecondFloor eFrame® product orchestrates the data, systems and processes esse...SecondFloor
Business benefits
• Through governance, workflow and process control it conducts the interplay between modeling, analytics, compliance, reporting and decision support throughout the enterprise.
• Ensures efficiency by managing multiple reporting cycles, reporting approaches, business hierarchies, geographies and supervisory jurisdictions.
• Instills confidence among those signing off regulatory reports and taking business decisions, through knowing the origin and evolution of source data.
• Leverages an organization’s existing technology to enable business analytics, by controlling the data and results flowing between data warehouses, modeling tools, analytic systems, desktop applications, and business intelligence reporting solutions.
• Ensures completeness by providing an interface for business experts to submit specialist data, not held in structured data stores, for inclusion in analytics and reports.
For more information please visit: http://www.secondfloor.com/eframe
Software fault tolerance technologies can increase application availability and data consistency. The paper discusses Watchdog, libft, and nDFS - reusable software components that provide up to the third level of software fault tolerance. Watchdog monitors processes for crashes, libft checkpoints critical data, and nDFS replicates persistent data. These components have been used to enhance fault tolerance in AT&T telecom products with performance overhead from 0.1-14% depending on amount of data checkpointed and replicated. The components provide efficient and economical means to increase software fault tolerance.
White Paper about solutions to manage your IBM ECM environments (FileNet, Content Manager, Content Manager OnDemand, Datacap, ICC, ..) efficiently and reliably.
Covers ECM application health monitoring, end user service quality monitoring, hot backup & granular recovery.
Continuous Monitoring: Monitoring Strategy – Part 2 of 3EMC
This white paper is part two of a three-part series on successfully managing a continuous monitoring (CM) program. It addresses monitoring strategy, including the frequency and method of assessments.
This document discusses computer system validation and provides guidance on categorizing different types of software. It outlines 5 categories of software from infrastructure software to custom applications. For each category, it describes the appropriate validation approach and documentation required. The goal is to ensure computer systems are validated and controlled to provide high quality, regulated products and data management while avoiding duplication and leveraging supplier activities.
This document summarizes key topics from a lecture on security engineering:
1. It discusses security engineering and management, risk assessment, and designing systems for security. Application security focuses on design while infrastructure security is a management problem.
2. It outlines guidelines for secure system design including basing decisions on security policies, avoiding single points of failure, balancing security and usability, validating all inputs, and designing for deployment and recoverability.
3. It also covers risk management, assessing threats, and designing architectures with layered protection and distributed assets to minimize the effects of attacks.
This document provides an overview of software reuse techniques discussed in Chapter 16, including:
1) Application frameworks which provide reusable skeleton designs through abstract and concrete classes;
2) Software product lines which allow generic applications to be adapted through configuration, component selection, and specialization for different requirements;
3) COTS (commercial off-the-shelf) product reuse where pre-existing software systems can be customized through deployment configuration without changing source code.
The document discusses dependability in systems. It covers topics like dependability properties, sociotechnical systems, redundancy and diversity, and dependable processes. Dependability reflects how trustworthy a system is and includes attributes like reliability, availability, and security. Dependability is important because system failures can have widespread impacts. Both hardware and software failures and human errors can cause systems to fail. Techniques like redundancy, diversity, and formal methods can help improve dependability. Regulation is also discussed as many critical systems require approval from regulators.
This document provides information about IT management services from ACMA Computers including Infrastructure Management Services (IMS). IMS aims to transform reactive IT management to a proactive and predictive model through monitoring, proactive alerts, automated maintenance, security hardening, asset management, ticketing and reporting. This is intended to save time, manpower and costs while keeping systems healthy, updated and achieving maximum uptime through automated processes.
A consulting firm needs to redesign their client technology tracking system and service request system. The current systems for tracking client hardware/software configurations, submitting service requests, and recording work done are inefficient. The proposed solution is a new integrated system that allows clients to submit service requests online, technicians to view requests and document work, and all users to view the status and history of requests. The system would also track client hardware and software configurations.
The document summarizes topics related to real-time software engineering including embedded system design, architectural patterns for real-time software, timing analysis, and real-time operating systems. It discusses key characteristics of embedded systems like responsiveness, the need to respond to stimuli within specified time constraints, and how real-time systems are often modeled as cooperating processes controlled by a real-time executive. The document also outlines common architectural patterns for real-time systems including observe and react, environmental control, and process pipeline.
Critical System Validation in Software Engineering SE21koolkampus
The document discusses techniques for validating critical systems, with a focus on validating safety and reliability. Static validation techniques include design reviews and formal proofs, while dynamic techniques involve testing. Reliability validation uses statistical testing against an operational profile to measure reliability. Safety validation aims to prove a system cannot reach unsafe states, using techniques like safety proofs, hazard analysis, and safety cases presenting arguments about risk levels. The document also provides an example safety validation of an insulin pump system.
Gerald Witt is a Master Scheduler with experience in logistics management, maintenance supervision, and military instruction. He has over 20 years of experience managing teams, maintaining communications equipment, and developing training programs. Currently he supervises a team of schedulers at Vectrus supporting the Army Corps of Engineers. Previously he held logistics and maintenance management roles overseeing multimillion dollar budgets and government property. He has a background in electronic maintenance, supply operations, and technical instruction from his time in the military.
This document provides an introduction to software engineering topics including:
1. What software engineering is, its importance, and the software development lifecycle activities it encompasses.
2. The many different types of software systems that exist and how software engineering approaches vary depending on the application.
3. Key fundamentals of software engineering that apply universally, including managing development processes, dependability, and reusing existing software components.
Contractor Responsibilities under the Federal Information Security Management...padler01
This document discusses contractor responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It provides an overview of FISMA and its provisions regarding contractor systems. It notes that while FISMA language applies to contractors, agencies have struggled to effectively oversee contractor compliance. It recommends that agencies improve oversight of contractor systems and inventory of contractor-run systems, and contractually impose compliance requirements.
FOR MORE CLASSES VISIT
www.tutorialoutlet.com
Case Study #1: Technology & Product Review for Endpoint Protection Solutions
Case Scenario:
Red Clay Renovations (the “client”) has requested that your company research and recommend
an Endpoint Protection Platform which will provide host-based protection for the laptop PC’s used by its
construction managers and architects.
This document discusses key topics in systems engineering, including:
1) Systems engineering involves procuring, designing, implementing, and maintaining sociotechnical systems that include both technical and human elements.
2) Software systems are part of broader sociotechnical systems and software engineers must consider human, social, and organizational factors.
3) Sociotechnical systems have emergent properties that depend on the interactions between system components and cannot be understood by examining the components individually.
This document discusses sociotechnical systems and systems engineering. It defines sociotechnical systems as systems that include both technical systems (e.g. hardware and software) as well as operational processes and people. Sociotechnical systems have emergent properties that depend on the interactions between system components. They are also non-deterministic since human behavior introduces unpredictability. Developing sociotechnical systems requires an interdisciplinary approach involving areas like software engineering, organizational design, and human factors.
This document discusses systems of systems and complexity. It begins by defining systems of systems and providing examples. Key characteristics of systems of systems include operational and managerial independence of elements, and evolutionary development. The document then covers sources of complexity, including technical, managerial and governance complexity. It discusses how reductionism has traditionally been used to manage complexity in engineering but has limitations for large systems of systems.
This document provides an overview of key topics in distributed software engineering. It discusses distributed systems issues, architectural patterns for distributed systems like client-server and peer-to-peer, and software as a service. Some important considerations for designing distributed systems include transparency, openness, scalability, security, and failure management. Middleware helps manage communication and interoperability between diverse components in a distributed system.
This document provides an overview of embedded systems and real-time systems. It discusses topics such as embedded system design, architectural patterns, timing analysis, real-time operating systems, and reactive systems. Key aspects of embedded systems include their need to respond to external events in real-time, their use of cooperating processes controlled by a real-time executive, and constraints related to hardware interaction, safety, and reliability.
SecondFloor eFrame® product orchestrates the data, systems and processes esse...SecondFloor
Business benefits
• Through governance, workflow and process control it conducts the interplay between modeling, analytics, compliance, reporting and decision support throughout the enterprise.
• Ensures efficiency by managing multiple reporting cycles, reporting approaches, business hierarchies, geographies and supervisory jurisdictions.
• Instills confidence among those signing off regulatory reports and taking business decisions, through knowing the origin and evolution of source data.
• Leverages an organization’s existing technology to enable business analytics, by controlling the data and results flowing between data warehouses, modeling tools, analytic systems, desktop applications, and business intelligence reporting solutions.
• Ensures completeness by providing an interface for business experts to submit specialist data, not held in structured data stores, for inclusion in analytics and reports.
For more information please visit: http://www.secondfloor.com/eframe
Software fault tolerance technologies can increase application availability and data consistency. The paper discusses Watchdog, libft, and nDFS - reusable software components that provide up to the third level of software fault tolerance. Watchdog monitors processes for crashes, libft checkpoints critical data, and nDFS replicates persistent data. These components have been used to enhance fault tolerance in AT&T telecom products with performance overhead from 0.1-14% depending on amount of data checkpointed and replicated. The components provide efficient and economical means to increase software fault tolerance.
White Paper about solutions to manage your IBM ECM environments (FileNet, Content Manager, Content Manager OnDemand, Datacap, ICC, ..) efficiently and reliably.
Covers ECM application health monitoring, end user service quality monitoring, hot backup & granular recovery.
Continuous Monitoring: Monitoring Strategy – Part 2 of 3EMC
This white paper is part two of a three-part series on successfully managing a continuous monitoring (CM) program. It addresses monitoring strategy, including the frequency and method of assessments.
This document discusses computer system validation and provides guidance on categorizing different types of software. It outlines 5 categories of software from infrastructure software to custom applications. For each category, it describes the appropriate validation approach and documentation required. The goal is to ensure computer systems are validated and controlled to provide high quality, regulated products and data management while avoiding duplication and leveraging supplier activities.
This document summarizes key topics from a lecture on security engineering:
1. It discusses security engineering and management, risk assessment, and designing systems for security. Application security focuses on design while infrastructure security is a management problem.
2. It outlines guidelines for secure system design including basing decisions on security policies, avoiding single points of failure, balancing security and usability, validating all inputs, and designing for deployment and recoverability.
3. It also covers risk management, assessing threats, and designing architectures with layered protection and distributed assets to minimize the effects of attacks.
This document provides an overview of software reuse techniques discussed in Chapter 16, including:
1) Application frameworks which provide reusable skeleton designs through abstract and concrete classes;
2) Software product lines which allow generic applications to be adapted through configuration, component selection, and specialization for different requirements;
3) COTS (commercial off-the-shelf) product reuse where pre-existing software systems can be customized through deployment configuration without changing source code.
The document discusses dependability in systems. It covers topics like dependability properties, sociotechnical systems, redundancy and diversity, and dependable processes. Dependability reflects how trustworthy a system is and includes attributes like reliability, availability, and security. Dependability is important because system failures can have widespread impacts. Both hardware and software failures and human errors can cause systems to fail. Techniques like redundancy, diversity, and formal methods can help improve dependability. Regulation is also discussed as many critical systems require approval from regulators.
This document provides information about IT management services from ACMA Computers including Infrastructure Management Services (IMS). IMS aims to transform reactive IT management to a proactive and predictive model through monitoring, proactive alerts, automated maintenance, security hardening, asset management, ticketing and reporting. This is intended to save time, manpower and costs while keeping systems healthy, updated and achieving maximum uptime through automated processes.
A consulting firm needs to redesign their client technology tracking system and service request system. The current systems for tracking client hardware/software configurations, submitting service requests, and recording work done are inefficient. The proposed solution is a new integrated system that allows clients to submit service requests online, technicians to view requests and document work, and all users to view the status and history of requests. The system would also track client hardware and software configurations.
The document summarizes topics related to real-time software engineering including embedded system design, architectural patterns for real-time software, timing analysis, and real-time operating systems. It discusses key characteristics of embedded systems like responsiveness, the need to respond to stimuli within specified time constraints, and how real-time systems are often modeled as cooperating processes controlled by a real-time executive. The document also outlines common architectural patterns for real-time systems including observe and react, environmental control, and process pipeline.
Critical System Validation in Software Engineering SE21koolkampus
The document discusses techniques for validating critical systems, with a focus on validating safety and reliability. Static validation techniques include design reviews and formal proofs, while dynamic techniques involve testing. Reliability validation uses statistical testing against an operational profile to measure reliability. Safety validation aims to prove a system cannot reach unsafe states, using techniques like safety proofs, hazard analysis, and safety cases presenting arguments about risk levels. The document also provides an example safety validation of an insulin pump system.
Gerald Witt is a Master Scheduler with experience in logistics management, maintenance supervision, and military instruction. He has over 20 years of experience managing teams, maintaining communications equipment, and developing training programs. Currently he supervises a team of schedulers at Vectrus supporting the Army Corps of Engineers. Previously he held logistics and maintenance management roles overseeing multimillion dollar budgets and government property. He has a background in electronic maintenance, supply operations, and technical instruction from his time in the military.
This document provides an introduction to software engineering topics including:
1. What software engineering is, its importance, and the software development lifecycle activities it encompasses.
2. The many different types of software systems that exist and how software engineering approaches vary depending on the application.
3. Key fundamentals of software engineering that apply universally, including managing development processes, dependability, and reusing existing software components.
Contractor Responsibilities under the Federal Information Security Management...padler01
This document discusses contractor responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It provides an overview of FISMA and its provisions regarding contractor systems. It notes that while FISMA language applies to contractors, agencies have struggled to effectively oversee contractor compliance. It recommends that agencies improve oversight of contractor systems and inventory of contractor-run systems, and contractually impose compliance requirements.
FOR MORE CLASSES VISIT
www.tutorialoutlet.com
Case Study #1: Technology & Product Review for Endpoint Protection Solutions
Case Scenario:
Red Clay Renovations (the “client”) has requested that your company research and recommend
an Endpoint Protection Platform which will provide host-based protection for the laptop PC’s used by its
construction managers and architects.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
This report summarizes the Information Security Oversight Office's (ISOO) activities in fiscal year 2003 related to classifying and safeguarding national security information. It provides statistics on original classification decisions, derivative classification decisions, and declassified records. It also discusses implementation of Executive Order 12958, which aims to promote openness while protecting national security. Key events in 2003 included an amendment to EO 12958 calling for automatic declassification of older records by 2006 and continued work to refine the security system to suit the electronic era. Implementation challenges include excessive delays in granting security clearances. The report concludes effective oversight requires continuous effort to balance an informed public with national security.
This document proposes five core primitives that are building blocks for Networks of 'Things' (NoTs), including the Internet of Things (IoT):
1) Sensors - which measure physical properties and output data
2) Aggregators - which collect and process data from multiple sensors
3) Communication channels - which allow for data transfer between primitives
4) External utilities (eUtilities) - which are entities outside the NoT that can input or output data
5) Decision triggers - which initiate actions based on aggregated data
These primitives provide a framework for analyzing reliability, security, and trust in NoTs.
All government agencies, government contractors, and organizations that exchange data directly with government systems must be FISMA compliant. This may include such diverse entities as data clearinghouses, state government departments, and government military subcontractors if data is exchanged directly with Federal government systems. Coverage may expand to include public and private sector entities that utilize manage or run critical infrastructures if FISMA security controls are combined with the Consensus Audit Guidelines as part of the new U.S. Information and Communications Enhancement (ICE) Act.
CIP IT Governance 5.0 Solution Guide for ArcSight Loggerprotect724rkeer
The document provides an overview of the HPE Security ArcSight Compliance Insight Package for Logger, which leverages Logger's log and event data repository to facilitate compliance with ISO 27002 and NIST 800-53 IT governance standards. It includes alerts, reports, dashboards, and queries to monitor events and provide detailed compliance reporting. The document also describes how to install the Compliance Insight Package on the Logger Appliance or Software Logger.
20170112 Working Group Assessment Mandate Presentation DRAFT V1[2]Walter Richard Sweeney
This document provides an overview of the legislative and regulatory foundations for assessing the security of NASA information systems. It outlines laws like FISMA 2002 and 2014, directives from the Office of Management and Budget and Department of Homeland Security, and guidance from the National Institute of Standards and Technology. It also discusses how NASA's own governance documents and strategic plans adhere to these federal mandates for continuous security monitoring and independent annual assessments.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
This document provides guidelines for protecting Special Access Program information within Department of Defense information systems. It establishes roles and responsibilities, defines protection levels based on levels of concern, and outlines security requirements for confidentiality, integrity, availability, interconnected systems, advanced technologies, administrative procedures, and risk management/certification processes. The guidelines are applicable to all government and contractor personnel involved in DoD special access programs.
Company Background & Operating EnvironmentThe assigned case study .docxbrownliecarmella
Company Background & Operating Environment
The assigned case study and attachments to this assignment provide information about “the company.”
·
Use the Baltimore field office as the target for the System Security Plan
·
Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/
)
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s field offices. This requirement has been incorporated into the company’s risk management plan and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18
Guide for Developing Security Plans for Federal Information Systems.
The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single
System Security Plan
for a
General Support System
since, in the CISO’s professional judgement, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the required
system security plan
for a
General Support System.
In your research so far, you have learned that:
·
A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18)
·
The Field Office manager is the designated
system owner
for the IT support systems in his or her field office.
·
The
system boundaries
for the field office
General Support System
have already been documented in the company’s enterprise architecture (see the case study).
·
The
security controls
required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
Research:
1.
Review the information provided in the case study and in this assignment, especially the information about the field offices and the IT systems and networks used in their day to day business affairs.
2.
Review NIST’s guidance for developing a System Security Plan for a general support IT System.
This information is presented in NIST SP 800-18.
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-fina ...
This document provides an introduction to information security. It discusses what information security is, its basic principles of confidentiality, integrity and availability. It outlines the history of information security from the 1960s to the present. It analyzes the economic impacts of information security spending and environmental factors. The document concludes that information security has become essential for organizations to securely store electronic information and protect against threats.
The document discusses security categorization of information and information systems. It provides definitions for information type and information system. The security categorization process involves identifying information systems and types, selecting provisional impact levels, reviewing levels, and finalizing categories. An example is given of categorizing an energy supply information type and inventory control type within the Power Safe system, which is given an overall moderate system impact categorization. Action items are outlined for developing policies, templates, training, and completing agency categorization studies.
This document outlines the University of Exeter's patch management policy. It defines the scope of IT systems covered, including those managed by third parties. The policy requires that all systems must have up-to-date operating systems and applications, and install critical and high risk patches within 14 days. It assigns roles for patching activities and requires monitoring and reporting on patching status. The policy is reviewed annually or as needed to ensure alignment with relevant laws and best practices.
The document is the version 2.7 of the IT Handbook for the University System of Georgia (USG), updated in February 2018. It provides an overview and history of changes made to the handbook. The handbook establishes IT standards, best practices, and compliance requirements for USG organizations to follow related to governance, project management, security, privacy, facilities, and other IT functions. It is intended to help IT professionals and ensure practices align with laws, regulations, and Board of Regents policies.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
Similar to DHS 4300A Sensitive System Handbook Attachment E (20)
This document provides guidance for state, local, tribal, and territorial (SLTT) law enforcement on reporting cyber incidents to federal authorities. It outlines types of incidents that should be reported, such as those affecting critical infrastructure, national security, or public safety. The document details the information that should be included in reports, such as technical details about the incident and impacted systems. It also lists several ways for SLTT law enforcement to report incidents, including email, phone, or online portals, and specifies the federal agencies responsible for accepting different types of reports related to cybercrime, national infrastructure, or investigations.
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
This network analysis report examines a packet capture file containing traffic between two internal hosts downloading a file from a remote server. The analysis found that one internal host, with IP ending in 1.119, experienced significant packet loss during the download, as shown by drops in throughput and bursts of TCP errors. This packet loss indicates a potential failure at an infrastructure device, likely causing the observed retransmissions and degradation in performance. Further analysis of ingress traffic is needed to determine if the packet loss is occurring internally or externally to the network.
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
This document provides notes for the CompTIA CASP exam, organized by exam domain:
1. Enterprise Security topics include placement of firewalls and other security appliances, SELinux mandatory access controls, storage area networks, encryption of multiple operating systems on a solid state drive, and TOCTOU attacks.
2. Risk Management and Incident Response domains cover risk terms.
3. Research and Analysis focuses on cryptographic concepts, enterprise storage technologies, and host and application security controls.
4. Integration of Computing, Communications and Business Disciplines addresses remote access and IPv6 issues.
5. Technical Integration of Enterprise Components involves application integration enablers.
National Cyber Security Awareness Month - October 2017David Sweigert
National Cyber Security Awareness Month is held each October to promote cybersecurity awareness and education. It is a collaborative effort between the Department of Homeland Security and private partners. There are 5 themes highlighted during the month - simple online safety steps, cybersecurity in the workplace, security of connected devices and the internet of things, cybersecurity careers, and protecting critical infrastructure. Each week focuses on one of these themes and provides resources to help organizations and individuals strengthen cybersecurity. The goal is to engage the public and encourage everyone to play a role in cybersecurity.
California Attorney General Notification Penal Code 646.9David Sweigert
This letter requests assistance from the California Attorney General's office for the District Attorney of San Luis Obispo County. It describes activities of an individual named Nathan Ames Stolpman who broadcasts livestreams on YouTube and videos on Patreon directing "crowd stalking" followers to target and harass private citizens by publishing their personal information. Stolpman issues "bounties" for photos of targeted individuals and provides their intended locations. The letter writer believes the District Attorney has not demonstrated a clear understanding of relevant privacy laws and requests the Attorney General's office provide technical assistance to the District Attorney regarding Stolpman's activities.
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
This House resolution expresses support for developing educational programs to better prepare students for cybersecurity careers by promoting ethical hacking skills. It notes the critical shortage of cybersecurity professionals and growing cyber threats facing the US. The resolution states that partnerships between industry, government and academia should collaborate to create programs, competitions and curricula giving students hands-on experience with in-demand cybersecurity skills like ethical hacking to help close this workforce gap.
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
This document discusses how racketeering and wire fraud laws can be used to combat hoax news sites that engage in "CrowdStalking" to distribute misinformation. These sites target critical infrastructure operators, federal employees, and security advisors. The document provides an example of how social engineering attacks can steal millions from a company. It argues that legal action against hoax news site operators can deter such attacks, and establishes criteria for when racketeering laws may apply to their activities, such as using deception for financial gain. The document identifies specific YouTube personalities like Nathan Stolpman and Jesse Moorefield who operate hoax news sites.
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
The document summarizes a study on how Live Action Role Play (LARP) simulations can create cognitive threat vectors using the example of two YouTube conspiracy theorists, Jason Goodman and George Webb. In June 2017, they created a sense of hysteria among their online fans by claiming a container ship was sailing into the Port of Charleston with a dirty bomb onboard, leading to the port's evacuation. The document argues this "crowdsourcing" format can weaponize sensationalized information and represents an emerging threat that critical infrastructure operators need to be aware of. It can potentially lead unwitting participants to engage in criminal acts or attacks in response to implied calls for action by the game's controllers.
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
The Cyber Incident Response Team responds to cyber crises and threats. It is composed of 15 personnel including managers, analysts, specialists in areas like forensics and infrastructure. The team investigates incidents, uses mitigation approaches, and documents actions. It requires equipment like laptops, forensics tools, and communications devices and is deployable for up to 14 days.
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
The Cyber Incident Response Team responds to cyber crises and threats. It is composed of 15 personnel including managers, analysts, specialists in areas like forensics and infrastructure. The team investigates incidents, uses mitigation approaches, and documents actions. It requires equipment like laptops, forensics tools, and communications devices and is deployable for up to 14 days.
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
The document provides guidance for a National Qualification System (NQS) to strengthen resource management under the National Incident Management System (NIMS). The NQS will define qualifications for emergency response personnel through common standards and certification processes to enhance coordination during multi-jurisdictional responses. It establishes guidelines for qualification criteria and processes, certification of qualified personnel, and credentialing of certified personnel. Feedback is sought on the draft guidelines over a 30-day period.
National Incident Management System - NQS Public FeedbackDavid Sweigert
The National Qualification System (NQS) provides a common language and approach to qualify emergency personnel in order to facilitate more effective mutual aid response. It establishes standardized job titles, minimum qualifications, and certification processes to help requesting agencies obtain resources with the needed skills and qualifications. The NQS supplements the National Incident Management System by providing guidance on personnel resource typing and supports the goal of a more secure and resilient nation through qualified emergency personnel who can respond across jurisdictions.
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
The document discusses establishing Medical Computer Emergency Response Teams (MedCERT) to coordinate responses to cybersecurity incidents affecting medical devices and networks. It argues that healthcare cybersecurity is currently unprepared for emergencies and that response and recovery need to be emphasized in addition to prevention and protection. The document recommends that MedCERT teams receive training in the National Incident Management System and Incident Command System to effectively respond to incidents. It also calls for improved information sharing across the healthcare industry regarding cyber threats.
National Preparedness Goals 2015 2nd editionDavid Sweigert
The National Preparedness Goal outlines core capabilities across five mission areas - Prevention, Protection, Mitigation, Response, and Recovery - that are necessary to deal with risks facing the nation. The document describes each mission area and defines related core capabilities and preliminary targets. Prevention focuses on capabilities to avoid, prevent, or stop terrorist threats, while other mission areas take an all-hazards approach. Key capabilities include planning, public information and warning, operational coordination, intelligence and information sharing, and interdiction and disruption. The goal is for the whole community to achieve a secure and resilient nation through these interdependent capabilities.
The document provides an overview and update of the Healthcare and Public Health (HPH) Sector-Specific Plan (SSP). Key points include:
- The SSP establishes a vision, mission, goals, and activities to guide security and resilience efforts for HPH critical infrastructure.
- Goals focus on risk assessment, risk management, information sharing, partnership development, and response/recovery.
- Metrics will measure progress on priorities like risk analysis, information sharing, and partnership engagement.
- The update reflects maturation of sector partnerships and addresses evolving risks to critical infrastructure.
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
The Emergency Services Sector Cyber Risk Assessment evaluates risks to six critical emergency services disciplines from potential cyber threats. Through a collaborative process, subject matter experts identified seven risk scenarios and assessed their potential consequences. High risks included natural disasters disrupting 9-1-1 systems, loss of critical databases hampering operations, and compromised systems spreading misinformation. The assessment aims to enhance cybersecurity and resilience across the emergency services sector through informed resource allocation and partnership.
UN WOD 2024 will take us on a journey of discovery through the ocean's vastness, tapping into the wisdom and expertise of global policy-makers, scientists, managers, thought leaders, and artists to awaken new depths of understanding, compassion, collaboration and commitment for the ocean and all it sustains. The program will expand our perspectives and appreciation for our blue planet, build new foundations for our relationship to the ocean, and ignite a wave of action toward necessary change.
Combined Illegal, Unregulated and Unreported (IUU) Vessel List.Christina Parmionova
The best available, up-to-date information on all fishing and related vessels that appear on the illegal, unregulated, and unreported (IUU) fishing vessel lists published by Regional Fisheries Management Organisations (RFMOs) and related organisations. The aim of the site is to improve the effectiveness of the original IUU lists as a tool for a wide variety of stakeholders to better understand and combat illegal fishing and broader fisheries crime.
To date, the following regional organisations maintain or share lists of vessels that have been found to carry out or support IUU fishing within their own or adjacent convention areas and/or species of competence:
Commission for the Conservation of Antarctic Marine Living Resources (CCAMLR)
Commission for the Conservation of Southern Bluefin Tuna (CCSBT)
General Fisheries Commission for the Mediterranean (GFCM)
Inter-American Tropical Tuna Commission (IATTC)
International Commission for the Conservation of Atlantic Tunas (ICCAT)
Indian Ocean Tuna Commission (IOTC)
Northwest Atlantic Fisheries Organisation (NAFO)
North East Atlantic Fisheries Commission (NEAFC)
North Pacific Fisheries Commission (NPFC)
South East Atlantic Fisheries Organisation (SEAFO)
South Pacific Regional Fisheries Management Organisation (SPRFMO)
Southern Indian Ocean Fisheries Agreement (SIOFA)
Western and Central Pacific Fisheries Commission (WCPFC)
The Combined IUU Fishing Vessel List merges all these sources into one list that provides a single reference point to identify whether a vessel is currently IUU listed. Vessels that have been IUU listed in the past and subsequently delisted (for example because of a change in ownership, or because the vessel is no longer in service) are also retained on the site, so that the site contains a full historic record of IUU listed fishing vessels.
Unlike the IUU lists published on individual RFMO websites, which may update vessel details infrequently or not at all, the Combined IUU Fishing Vessel List is kept up to date with the best available information regarding changes to vessel identity, flag state, ownership, location, and operations.
About Potato, The scientific name of the plant is Solanum tuberosum (L).Christina Parmionova
The potato is a starchy root vegetable native to the Americas that is consumed as a staple food in many parts of the world. Potatoes are tubers of the plant Solanum tuberosum, a perennial in the nightshade family Solanaceae. Wild potato species can be found from the southern United States to southern Chile
Synopsis (short abstract) In December 2023, the UN General Assembly proclaimed 30 May as the International Day of Potato.
A Guide to AI for Smarter Nonprofits - Dr. Cori Faklaris, UNC CharlotteCori Faklaris
Working with data is a challenge for many organizations. Nonprofits in particular may need to collect and analyze sensitive, incomplete, and/or biased historical data about people. In this talk, Dr. Cori Faklaris of UNC Charlotte provides an overview of current AI capabilities and weaknesses to consider when integrating current AI technologies into the data workflow. The talk is organized around three takeaways: (1) For better or sometimes worse, AI provides you with “infinite interns.” (2) Give people permission & guardrails to learn what works with these “interns” and what doesn’t. (3) Create a roadmap for adding in more AI to assist nonprofit work, along with strategies for bias mitigation.
Donate to charity during this holiday seasonSERUDS INDIA
For people who have money and are philanthropic, there are infinite opportunities to gift a needy person or child a Merry Christmas. Even if you are living on a shoestring budget, you will be surprised at how much you can do.
Donate Us
https://serudsindia.org/how-to-donate-to-charity-during-this-holiday-season/
#charityforchildren, #donateforchildren, #donateclothesforchildren, #donatebooksforchildren, #donatetoysforchildren, #sponsorforchildren, #sponsorclothesforchildren, #sponsorbooksforchildren, #sponsortoysforchildren, #seruds, #kurnool
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOChristina Parmionova
The 2024 World Health Statistics edition reviews more than 50 health-related indicators from the Sustainable Development Goals and WHO’s Thirteenth General Programme of Work. It also highlights the findings from the Global health estimates 2021, notably the impact of the COVID-19 pandemic on life expectancy and healthy life expectancy.
Food safety, prepare for the unexpected - So what can be done in order to be ready to address food safety, food Consumers, food producers and manufacturers, food transporters, food businesses, food retailers can ...
A guide to the International day of Potatoes 2024 - May 30th
DHS 4300A Sensitive System Handbook Attachment E
1. DHS 4300A
Sensitive Systems Handbook
Attachment E
FISMA Reporting
Version 11.0
August 5, 2014
Protecting the Information that Secures the Homeland
2. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
This page intentionally blank
v11.0, August 5, 2014 ii
3. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
Document Change History
Version Date Description
1.0 September 9, 2004 Initial release
2.0 July 29, 2005 Minor editorial changes
2.1 October 1, 2005 Clarification of policy c in Section 5.0.
2.2 December 30, 2005 Modification to policy c in Section 5.0; addition of policies d & e.
4.0 June 1, 2006 Change to policy c in Section 5.0, minor editorial changes.
5.0 March 1, 2007 No change
6.0 May 14, 2008 No change.
6.1 September 23, 2008
Included “Interconnnection Security Agreements Template” as an
appendix.
7.0 August 7, 2009
Introduced new terminology Authorizing Official (AO) – replaces DAA,
as per NIST 800-37 and 800-53
8.0 July 19, 2011
Updated NIST 800-37 terminology
Aligned Appendix N4 with RMS template
11.0 August 5, 2014
Changes to: References, Figure 1, IACS, FNR, and the annual FISMA
questions References updated.
References to DoD reporting removed. Stylistic editing.
v11.0, August 5, 2014 iii
4. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
Contents
1.0 INTRODUCTION........................................................................................................................................ 1
1.1 Purpose.................................................................................................................... 1
1.2 Background............................................................................................................. 1
1.3 Scope....................................................................................................................... 2
1.4 References............................................................................................................... 2
2.0 OMB REPORTING REQUIREMENTS........................................................................................................... 3
2.1 Secretary’s Annual FISMA Report......................................................................... 3
2.2 CIO Quarterly FISMA Report ................................................................................ 4
3.0 DHS SECURITY MANAGEMENT TOOLS...................................................................................................... 5
3.1 Enterprise FISMA Compliance and Security Authorization Tool.......................... 6
3.2 Management Aggregation and Security Tool (MAST) .......................................... 7
3.3 ISO Reporting Tool................................................................................................. 8
3.4 Accessing DHS Security Management Tools......................................................... 8
3.5 Customer Service Center ........................................................................................ 8
4.0 COMPONENT FISMA REPORTING............................................................................................................. 9
4.1 Annual FISMA Data Requirements........................................................................ 9
4.2 Quarterly Reporting Requirements....................................................................... 15
5.0 RESPONSIBILITIES................................................................................................................................... 17
5.1 Chief Information Officer..................................................................................... 17
5.2 Chief Information Security Officer....................................................................... 17
5.3 Component Chief Information Officer ................................................................. 17
5.4 System Owners and Program Officials................................................................. 17
5.5 Component Chief Information Security Officers and Information System Security
Managers........................................................................................................................... 18
5.6 Information system Security Officers................................................................... 18
6.0 DEPARTMENT SCORECARD .................................................................................................................... 19
v11.0, August 5, 2014 iv
5. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
1.0 INTRODUCTION
1.1 Purpose
The purpose of this document is to provide information as to how Department of Homeland
Security (DHS) Components and reporting offices assist the Chief Information Officer (CIO) in
following the Office of Management and Budget’s (OMB) annual reporting guidance for the
Federal Information Security Management Act (FISMA). This document also provides metrics
defined by DHS Federal Network Resiliency (FNR).
This document provides guidance for handling every category of information systems security
metrics and applies to DHS Headquarters, to all DHS Components, to DHS Data Centers, and to
any company, consultant, partner, or Government agency that is receiving Federal funds from
DHS or performing a Federal function on behalf of or in cooperation with DHS.
1.2 Background
FISMA was created to achieve the following objectives:
• Provide a comprehensive framework for ensuring the effectiveness of information security
controls over information resources that support Federal operations and assets.
• Recognize the highly networked nature of the current Federal computing environment and
provide effective Government-wide management and oversight of the related information
security risks, including coordination of information security efforts throughout the civilian,
national security, and law enforcement communities.
• Provide for development and maintenance of minimum controls required to protect Federal
information and information systems.
• Provide a mechanism for improved oversight of Federal agency information security
programs.
• Acknowledge that commercially developed information security products offer advanced,
dynamic, robust, and effective information security solutions, reflecting market solutions for
the protection of critical information infrastructures important to the national defense and
economic security of the nation that are designed, built, and operated by the private sector
• Recognize that the selection from among commercially developed products of specific
technical hardware and software information security solutions should be left to individual
agencies.
FISMA requires OMB to oversee agencies’ progress in implementing the Act’s requirements.
Following OMB guidance, DHS submits monthly, quarterly and annual FISMA reports to OMB
on the status, adequacy, and effectiveness of the Department’s information security policies,
procedures, and practices, and on the status of compliance with FISMA requirements. Much of
the required data shows the degree of each Component’s compliance with IT system metrics
established by FISMA. The DHS FISMA reporting process relies on timely entry of data by
system owners and information security professionals into DHS security management tools and
on submittal of monthly scanning tool data feeds.
v11.0, August 5, 2014 1
6. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
In July of 2010, OMB named DHS Federal Network Resiliency (FNR) Branch as the agency that
will exercise primary responsibility within the executive branch for the operational aspects of
Federal agency cybersecurity with respect FISMA. FNR requires monthly, quarterly, and annual
reporting of key metrics through the Cyberscope tool.
1.3 Scope
Components will use the DHS Information Assurance Compliance System (IACS) to develop,
maintain, and monitor Security Authorization Packages (SAP) for all Sensitive But Unclassified
(SBU) IT Systems. A separate instance of CIACS (Classified IACS) is used as the repository for
systems at the SECRET level and at the TOP SECRET level. Those systems classified as
Sensitive Compartmentalized Information (SCI) fall under the responsibility of the Office of
Intelligence and Analysis for FISMA reporting purposes.
1.4 References
Federal Laws
Federal Information Security Management Act of 2002, 44 USC 3541 et seq., enacted as Title III of the E-
Government Act of 2002, Pub L 107-347, 116 Stat 2899
Office of Management and Budget (OMB) Memorandums
OMB Memorandum M-10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office
of the President and the Department of Homeland Security (DHS), M-10-28, July 6, 2010.
OMB Memorandum M-12-20, “FY 2012 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, Office of Management and Budget, M-12-20, September
27, 2012 (or successor).
National Institute of Standards and Technology (NIST) Special Publications (SP)
NIST SP 800-53, Rev 4, “Recommended Security Controls for Federal Information Systems and
Organizations,” (April 30, 2013)
Department of Homeland Security Publications
“DHS Information Security Program Plan of Action and Milestones (POA&M) Process Guide,” Attachment H
to DHS 4300A Sensitive Systems Handbook, June 2012
“FY 2013 Chief Information Officer Federal Information Security Management Act Reporting Metrics,” DHS
National Cyber Security Division, Federal Network Resilience. November 2012.
v11.0, August 5, 2014 2
7. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
2.0 OMB REPORTING REQUIREMENTS
OMB requires all Federal agencies to provide monthly, quarterly, and annual FISMA reports as
follows:
Month Report
January Quarterly Report to OMB
April Quarterly Reports to OMB
July Quarterly Report to OMB
November Annual FISMA Report to OMB
Table 1: Schedule of FISMA Reports
2.1 Secretary’s Annual FISMA Report
Each November, the Secretary of Homeland Security is required to provide the FNR via the
OMB Cyberscope application, a report that summarizes Department’s progress in meeting
FISMA requirements. The report includes the results of annual IT security reviews of systems.
Under FISMA, DHS must report on all agency systems including national security systems. The
DHS CIO metrics are derived from 3 different sources:
• Administration Priorities
• Key FISMA Metrics
• Baseline Questions
Throughout the year this data is obtained using current approved compliance tools, scan data
from tools such as Nessus, McAfee, and BigFix as well as component data calls. The responses
are aggregated for all systems by Component and then entered into the Cyberscope application.
In FY11 the Administration identified three FISMA priorities:
1. Continuous Monitoring
2. Trusted Internet Connection (TIC) capabilities and traffic consolidation
3. Implementation of Homeland Security Presidential Directive (HSPD)-12 for logical
access control
In FY13, these priorities continue to provide emphasis on FISMA metrics that are identified as
having the greatest probability of success in mitigating cybersecurity risks to agency information
systems.
The Secretary’s Annual Report, consists of the following:
• Transmittal letter from the Secretary, including a discussion of any differences between the
findings of the agency CIO and the Inspector General (IG)
• Report on the CIO’s annual IT security reviews of systems and programs
• Report on the IG independent evaluation of the DHS Information Security Program
• Status of agency compliance with OMB privacy policies completed by the Senior Agency
Official for Privacy (SAOP)
v11.0, August 5, 2014 3
8. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
After review by and notification from OMB, the Department forwards the transmittal letter with
report to the appropriate Congressional Committees and to the General Accounting Office
(GAO).
• For an interim approval, AOs specify tasks remaining to be completed and schedules for
these tasks.
• For a rejected interconnection, return to the applicable planning steps.
• Perform a re-authorization through the security authorization process.
2.2 CIO Quarterly FISMA Report
The DHS CIO must provide an update on IT security performance measures to OMB per FISMA
reporting requirements. These quarterly updates are due in January, April and July. A Quarterly
report for 4th
quarter is not required. Senior Agency Official for Privacy (SOAP) metrics are
reported on the same schedule. OMB uses these quarterly reports to monitor the progress of
DHS remediation efforts and to identify progress and problems.
v11.0, August 5, 2014 4
9. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
3.0 DHS SECURITY MANAGEMENT TOOLS
In order to maintain consistent security processes and procedures across the Department, the
DHS Chief Information Security Officer (CISO) has implemented the following web-based
commercial off the shelf (COTS) security management tools:
• Information Assurance Compliance System (IACS)
• Management Aggregation and Security Tool (MAST)
• SAP ‘s Crystal Reports
Figure 1: Enterprise security management tools that support FISMA
Figure 1 illustrates how the COTS enterprise security management tools are used by the
Department to collect, manage, and report information security metrics. The diagram illustrates
the following characteristics of the Department’s FISMA reporting process:
• The security management tools incorporate DHS and federal information security mandates
and foster Component compliance.
• Several types of data reviews are performed to verify the contents of the data in these tools
and Component compliance:
◦ The Component Chief Information Security Officer (CISO) or Information System Security
Manager (ISSM) is responsible for verifying that the information is valid.
v11.0, August 5, 2014 5
10. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
◦ In its annual independent review of the Department’s information security program, the
Office of the Inspector General (OIG) reviews a sample of the IT system data and assesses
the quality of the data.
◦ The DHS CISO provides compliance review teams to assist the Components to improve their
information security programs, processes, and procedures.
• OMB-mandated FISMA reports are automatically generated from the ISO Reporting tool.
• Information security metrics for each Component and for the Department are provided to
senior DHS management through the monthly Information Security FISMA Scorecard.
3.1 Enterprise FISMA Compliance and Security Authorization Tool
The DHS FISMA Compliance tool, IACS, automates the collection and maintenance of FISMA
data used for reporting to OMB. The tool provides a single, standard, consistent FISMA data
collection and reporting process for ensuring that DHS is in compliance with OMB requirements.
IACS automates and standardizes the labor-intensive data collection and reporting processes
traditionally used to gather and report FISMA data.
IACS is also the Security Authorization (SA) tool for automating and standardizing portions of
the SA process to assist DHS in quickly and efficiently developing security authorization
packages. IACS utilizes questionnaires and templates to filter a master set of DHS security
requirements so as to identify the subset of policies applicable to a specific IT system undergoing
security authorization.
In support of FISMA and the Security Authorization Process, IACS provides the following
functionality:
• Inventory Management
◦ Stores information data for systems, sites, and programs
◦ Aligns inventory data with the organizational structure of the Department
◦ Provides an authoritative list of IT systems based on accreditation boundaries
◦ Tracks key information points of contact for systems, sites, and programs
• Security Assessment and Performance
◦ Allows National Institute of Standards and Technology (NIST) SP (Special Publication) 800-
53, rev 4 security controls to be used for self-assessments completed against systems, sites,
and programs
◦ Tracks security performance, testing, and accreditation progress
◦ Maintains security artifacts and deliverables for the SA process
◦ Tracks key information points of contact for systems, sites, and programs
◦ Performs data validation
• Weakness Management
◦ Tracks IT security weaknesses identified in various ways (for example, by audits and security
reviews)
◦ Tracks status of weakness remediation, resource allocations, and scheduled completion dates
v11.0, August 5, 2014 6
11. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
• Access Control
◦ Role and domain level access control and reporting including Executive, Department-wide,
Component, Regional, and System
◦ Read-only auditor access
◦ Help desk access
• Reporting
◦ Provides an OMB-compliant Plans of Action and Milestones (POA&M) tracking and
reporting capability
◦ Provides Security Performance reports
◦ Privacy Sensitive Information which highlights annual privacy sensitive information
performance
• Requirements Traceability Matrix (RTM)
• Security Assessment Plan (SAP)
• Security Plan (SP)
• Security Assessment Report (SAR)
• Contingency Plan
• ISSO Designation Letters
• ATO/IATO Designation Letters
Classified IACS (CIACS) is located on LAN B and is accessible by any user with HSDN or
SCIF access. CIACS is classified at the SECRET level; all data for SECRET systems may be
input into the tool. Those systems classified as TOP SECRET, however, are entered into CTAF
by name and identification only; POA&Ms and associated SA documents for TOP SECRET
systems are to be secured at the Component facility.
3.2 Management Aggregation and Security Tool (MAST)
The automated tools used by DHS ISO enable accurate system and document tracking and
provide quality assurance measures. Monthly data feeds from each Component are processed
and aggregated in a Continuous Monitoring Database (CMDB) within ISO MAST. This data is
then used to tabulate Scorecard totals.
Data is transferred between submission method and the Management Aggregation and Security
Tool (MAST) via encrypted Universal Serial Bus (USB) flash drives. Access to MAST is
physically restricted to all personnel except those supporting continuous monitoring at the ISO.
Once data enters MAST, it is not removed for any purpose other than to fulfill mandatory
reporting requirements. Data is consolidated and normalized for report generation. It is stored
on a standalone, air-gapped system. The import process does not determine nor recognize the
tool used to provide the data. The application identifies based upon field names and required
format. This means that any tool can be used to provide ISCM required data as long as all data
elements are provided.
v11.0, August 5, 2014 7
12. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
3.3 ISO Reporting Tool
Crystal Reports is a business intelligence application used to develop reports from a wide variety
of data sources. Using direct connections to Oracle, Crystal Reports is able to obtain data from
IACS and several other sources to generate daily and monthly reports. Examples of reports
include:
• Security Authorization reports showing reports with expiring ATOs
• POA&M reports to show status of POA&Ms, due dates, and milestones reached
• Inventory reports of systems to include Software Development Life Cycle (SDLC) status,
classification, and investment information
• Security Controls reports which display controls that have been satisfied, not started, not
completed, not applicable, etc.
• Privacy Reports to show privacy sensitive systems and privacy document status
• Daily scorecard reports to show overall security compliance of component’s systems.
3.4 Accessing DHS Security Management Tools
The DHS Security Management Tools are web-based and can be securely accessed from the
Internet. Access to each tool site is controlled by a two-part login procedure. Requests for too
access must be made through the Component Information System Security Manager (ISSM) or
designated Point of Contact (POC). The following information is required to obtain an account:
• First and last name
• Email address
• Phone number
• Role Requested (e.g., ISSM, ISSO, Auditor, Privacy)
• Component
The IACS portal is located at:
http://mgmt-ocio-sp.dhs.gov/ciso/compliance/iacs/SitePages/Home.aspx
The Crystal Reports website is located at: https://dhscr.dhs.gov
Each Component is responsible for managing the accounts under its authority. The Component
CISO, ISSM, or POC is responsible for ensuring that the names submitted for user accounts are
valid user for access DHS IT systems and have a need-to-know.
3.5 Customer Service Center
DHS has a subject matter expert to provide assistance and help getting started with IACS. The
Customer Service Center is available during normal business hours (7:00 a.m. to 5:00 p.m. EST)
to answer questions regarding usage of the tool. The Customer Service Center can be reached
via:
• Phone: 202-357-6100
• Email: ISOSupport@hq.dhs.gov
v11.0, August 5, 2014 8
13. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
4.0 COMPONENT FISMA REPORTING
Each fiscal year, usually in late spring, OMB/FNR provides updated FISMA reporting guidance
for both the quarterly and annual reports. The reporting requirements change on an annual basis
and generally reflect the latest information security concerns. As discussed earlier, some of the
data is generated based on data entered into IACS. The majority of data is acquired using
various tools (Nessus, McAfee, Bigfix) during monthly scans that are part of the Continuous
Monitoring data collection process. The Components have received a template designed by the
ISO Continuous Monitoring team which specifies the formatting and type of data required from
the data collection tools.
4.1 Annual FISMA Data Requirements
The annual FISMA data entry requirements for Components are summarized below. As of the
date of publication of this document, every Component must enter system performance data
directly into IACS. All other metrics are reported to the DHS OCISO via monthly data feeds.
4.1.1 System Inventory
Components must provide the following:
• The Federal Information Processing Standards (FIPS) 199 security categorization
• The number of systems at each FIPS level for Organization Operated Systems, Contractor
Operated Systems and the collective number of those systems with a valid SA package
4.1.2 Asset Management
The Federal Continuous Monitoring Working Group (CMWG) has determined that Asset
Management is one of the first areas where continuous monitoring needs to be developed.
Organizations must first know about devices (both authorized/managed and
unauthorized/unmanaged) and software before they can manage assets for configuration,
vulnerabilities, and reachability. A key goal of hardware and software asset management is to
identify and remove unmanaged assets before they are exploited and used to attack other assets.
Asset management information each organization must provide includes:
• The total number of hardware assets that are connected to the organization’s unclassified
network
• The number of assets having automated capability to provide visibility at the organization’s
enterprise level into asset inventory information for all hardware assets
• Information on how often these automated capabilities are used and how long it takes a
device discovery tool to complete the process
• The number of assets for which the organization has an automated capability to determine
whether the asset is authorized and who manages it
• The number of assets for which the organization has the capability to remove any
unauthorized devices and how long it would take to accomplish this
• Whether or not the organization can track the installed operating system vendor, product,
version, and patch-level combination(s) in use on the assets in order to assess the number of
operating system vulnerabilities present without scanning.
v11.0, August 5, 2014 9
14. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
• Statement as to whether or not the organization has a current list of COTS general purpose
applications installed on the assets and can report on the number of vulnerabilities via CPE
without scanning
• The number of assets where the organization has implemented an automated capability to
detect unauthorized software and block it from executing
4.1.3 Configuration Management
For each operating system and enterprise-wide COTS general purpose applications vendor,
product, version, and patch-level referenced in Section 4.1.2 above, Components need to report
the following:
• Whether or not an adequately secure configuration baseline has been defined
• The number of hardware assets with this software (covered by baseline if it exists)
• The percentage of applicable hardware assets for each kind of operating system software that
has an automated capability to identify deviations from the approved configuration baselines
and that provides visibility at the organization’s enterprise level
• The frequency of deviation identification (in days)
• The percentage of network boundary devices assessed by an automated capability to ensure
that they are adequately configured as intended
4.1.4 Vulnerability and Weakness Management
A key goal of vulnerability management is to make assets harder to exploit through mitigation or
remediation. NIST’s National Vulnerability Database identifies vulnerabilities to be addressed.
For each operating system and enterprise-wide COTS general purpose applications vendor,
product, version, and patch-level referenced in Section 4.1.2 above, Components need to report
the following:
• Percentage of network boundary devices assessed by an an automated capability to ensure
that they continue to be adequately free of vulnerabilities
• Percentage of hardware assets evaluated using an automated capability that identifies NIST
National Vulnerability Database vulnerabilities present with visibility at the organization’s
enterprise level
• Provide the percentage of hardware assets identified in 4.1.2 that were evaluated using tools
to assess the security of the systems and that generated output compliant with each of the
following:
◦ Common Vulnerabilities and Exposures (CVE)
◦ Common Vulnerability Scoring System (CVSS)
◦ Open Vulnerability and Assessment Language (OVAL)
• For systems in development and maintenance, what percentage identify and fix instances of
common weaknesses prior to placing that version of the production code?
• For systems in production, what percentage report on configuration and vulnerability levels
for hardware assets supporting those systems?
v11.0, August 5, 2014 10
15. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
• Can the organization find SCAP compliant tools and good SCAP content?
4.1.5 Identity and Access Management
This section focuses on unprivileged and privileged network user accounts and whether or not a
form of identification is either required, or allowed but not required, for login. The questions in
this section are summarized as follows:
• How many unprivileged network user accounts does the organization have?
• How many privileged network user accounts does the organization have?
• For each account listed above, how many accounts:
◦ Are allowed to log on with user ID and password?
◦ Are allowed, but no required to log on with a non-PIV form of two factor authentication?
◦ Are allowed, but not required, to log on with a two-factor PIV card?
◦ Are required to log on with a non-PIV form of two-factor authentication?
◦ Are required to log on with a two factor PIV card?
◦ Are required to conduct PIV authentication at the user-account level?
• What is the estimated number of organzation internal systems?
• What percentage of internal system are configured for authentication for each of the
following ways?
◦ Allows user ID and password?
◦ Allows, but does not enforce, non-PIV two factor authentication?
◦ Allows, but does not enforce, two factor PIV card authentication?
◦ Enforces non-PIV two factor authentication?
◦ Enforces two factor PIV card for all users?
• What percentage of the organization’s systems that have intergovernmental users enforce
two-factor PIV card authentication for all users?
• Does your organization’s Federal Identity, Credential, and Access Management (FICAM)
implementation plan include an enterprise Identity and Access Management approach that
system owners can leverage to adopt PIV enablement?
4.1.6 Data Protection
Mobile devices and unencrypted email are primary sources of loss for sensitive data because they
move outside the protection of physical and electronic barriers that protect other hardware assets.
These devices are also vectors to carry malware back into the organization’s networks. The use
of encryption of data at rest or in motion is vital to protect that data’s confidentiality and
integrity. Components will need to report the following information regarding data protection:
• A breakdown of mobile asset types from the number of assets recorded in section 4.1.2.
Mobile asset types include:
◦ Laptop computers and notebooks
v11.0, August 5, 2014 11
16. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
◦ Tablet-type computers
◦ BlackBerries and other smart phones
◦ Other cellular devices
◦ USB-connected devices
◦ Other mobile hardware assets
• The estimated number of these assets should be reported as well as the estimated number of
these assets that have adequate encryption of data on the device.
• The percentage of email traffic on systems that implements FIPS 140-2 compliant encryption
technologies, such as S/MIME, PGP, OpenPGP, or PKI when sending messages to the
government and to the public?
• The organization will be asked to desribe its PKI Certificate Authority.
4.1.7 Boundary Protection
A key goal of boundary protection is to make assets harder for outsiders to exploit by keeping
outsiders outside the network perimeter. The Trusted Internet Connection (TIC) is an
Administration Priority, and the CMWG has recommended that it is among the areas where
continuous monitoring needs to be developed. The Department will be required to report the
following:
• TIC Access Providers need to report the percentage of TIC 1.0 and 2.0 capabilities that are
implemented as well as the percentage of TICs with operational NCPS (EINSTEIN)
deployment.
• Federal Civilian Agencies need to provide the percentage of external network traffic passing
through a TIC and the percentage of external network/application interconnections to/from
the organization’s network passing through a TIC.
DHS Components will be asked to provide the following information:
• Percentage of email systems that implement sender verification technologies on outgoing
messages?
• Percentage of email systems that employ sender verification technologies to detect forged
messages from outside the network?
• Estimated percentage of incoming mail traffic (measured in messages) that is executed or
opened in a sand box/virtual environment to determine whether or not it is malicious?
• The frequency at which the organization performs scheduled and unscheduled scans for
unauthorized wireless access points?
• The number of networks with DLP/DRM at the gateway to capture outbound data leakage?
• Is the organization’s internet service configured to manage filters, excess capacity,
bandwidth, or provide other redundancies to limit the effects of information-flooding types of
denial-of-service attacks on the organization’s internal networks and internet services?
v11.0, August 5, 2014 12
17. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
4.1.8 Incident Management
Given the persistence of attackers, and the relative ease of initiating numerous attacks, , it is
reasonable to expect that some attacks will succeed. Organizations need to be able to detect
anomalous activity and to protect against internal and external threats. Ideally, organizations
would defend against those attacks in real time, but at a minimum it is expected that
organizations determine the kinds of attacks that have been successful. Organizations can use
this information about successful attacks and their impact to make informed risk-based decisions
about where it is most cost effective and essential to focus security resources.
To support Incident Management, reporting organizations need to provide the following
information:
• The number of hardware assets on which controlled network penetration testing was
performed in a manner making detection possible (e.g. on the production network through
detection devices)
◦ For those assets that were tested, the percentage of penetration events detected by
during the test
◦ The percentage of applicable events that were detected by NOC/SOC during the
other scans or tests
◦ The median time to detect penetrations during the test
◦ The median time to take action against a penetration test (includes creation of a SEN,
notification of system owner, etc.)
◦
4.1.9 Training and Education
Training users (privileged and unprivileged) and those with access to other pertinent information
and media is a necessary deterrent to these methods. Organizations are expected to use risk-
based analysis to determine the correct amount, content, and frequency of update to achieve
adequate security in the area of influencing these behaviors, which affect cybersecurity.
The metrics will be used to assess the extent to which organizations are providing adequate
training to address these attacks and threats. To support this metric, reporting organizations need
to provide the following information:
• The number of network users that have been provided and successfully completed
cybersecurity awareness training during the Fiscal Year (Including the percentage of new
users that have satisfactorily complete security awareness training before being granted
network access)
• The extent to which users were given cybersecurity awareness training more frequently than
annually
◦ The frequency (in days) of content provisions
◦ The percentage of additional content that addresses emerging threats not previously covered
in annual training
◦ The total number of organization-sponsored exercises designed to increase cybersecurity
awareness and/or measure the effectivess of training
v11.0, August 5, 2014 13
18. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
◦ The percentage of exercises that suffered no problems, or suffered problems that were
addressed through training within three months
• The number of network users with significant security responsibilities
• The organization’s standard for the longest acceptable amount of time between security
training events for network users with significant security responsibilities
• The number of network users with significant security responsibilities who have taken
security training within the organizational standard
4.1.10 Remote Access
Remote connections allow users to access the network without gaining physical access to
organization’s facility and the computers hosted there. However, connections over the internet
provide opportunities for compromise of information in transit. Because these connections are
beyond physical security controls, they need compensating controls to ensure that only properly
identified and authenticated users gain access, and that the connections prevent hijacking by
others.
Reporting organizations need to provide the following information:
• How many people log onto the organization’s remote access solution(s) to obtain access to
the organization’s desktop LAN/WAN resources or services?
• For remote access, what percentage of people can log onto the organization’s desktop
LAN/WAN resources or services in each of the following ways?
◦ What percentage are allowed to log on with user ID and password?
◦ What percentage are allowed, but not required to log on with a non-PIV form of two factor
authentication?
◦ What percentage are allowed, but not required, to log on with a two-factor PIV card?
◦ What percentage are required to log on with a non-PIV form of two-factor authentication?
◦ What percentage are required to log on with a two factor PIV card?
◦ What percentage are required to conduct PIV authentication at the user-account level?
• Estimated percentages for the following:
◦ FIPS 140-2 connections using validated cryptographic modules
◦ Prohibition of split-tunneling and dual-connected remote hosts where the laptop has two
active connections
◦ Configured to time-out after 30 minutes of inactivity
◦ Scan for malware upon connection
• How many of the organizations systems are internet-accessible and are accessed by the
organizations users? This excludes systems accessed through the remote access solutions
covered in 10.1 and 10.2.
• What percentage of the organizatin’s system that are internet-accessible and are access by
user are configured for authentication in each of the following way:
◦ What percentage allow user ID and password?
v11.0, August 5, 2014 14
19. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
◦ What percentage allow, but do not enforce, non-PIV two factor authentication for users?
◦ What percentage allow but do not enforce, two factor PIV card for users?
◦ What percentage enforce non-PIV two factor authentication?
◦ What percentage enforce two factor PIV card for all users
4.1.11 Network Security Protocols
The use of Domain Name System Security Extension (DNSSEC) has been mandated at the
Federal level to prevent the pirating of government domain names. GSA has ensured proper
DNSSEC for the top-level domain names. Each organization is responsible for DNSSEC in sub-
domain names, which are those below the top-level domain.
Reporting organizations need to provide the following information:
• The number of public facing domain names as well as the the number of DNS names signed
using DNSSEC
• The percentage of second-level DNS names and their sub-domains for which all domains at
and under the second level are signed
• The percentage of public-facing servers that use IPv6
4.2 Quarterly Reporting Requirements
Quarterly FISMA report data requirements for Components are outlined below. Every
Component must make IACS and CDM data feed updates for the quarterly report on a monthly
basis.
4.2.1 Asset Management
• Provide the total number of Agency IT assets
◦ Provide the number of Agency IT assets connected to the network where an automated
capability provides visibility at the Agency level into asset inventory information.
4.2.2 Configuration Management
• Provide the number of Agency information technology assets where an automated capability
provides visibility at the Agency level into system configuration information (e.g.
comparison of Agency baselines to installed configurations).
4.2.3 Vulnerability Management
• Provide the number of Agency information technology assets where an automated capability
provides visibility at the Agency level into detailed vulnerability information (CVE).
4.2.4 Identity and Access Management
• Provide the number of Agency network user accounts.
• Provide the number ofnetwork user accounts that are configured to require PIV
authentication to the Agency network(s).
v11.0, August 5, 2014 15
20. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
4.2.5 Boundary Protection
• Provide the percentage of the required TIC 1.0 capabilities that are implemented.
• Provide the percentage of TIC 2.0 Capabilities that are implementedProvide the percentage
of external network capacity passing through a TIC/MTIPS.
• Provide the percentage of external connections passing through a TIC/MTIPS.
v11.0, August 5, 2014 16
21. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
5.0 RESPONSIBILITIES
Security practitioners at each Component and Domain as well as the DHS CIO staff have
responsibilities for various aspects of FISMA reporting. Specific responsibilities for POA&M
development are documented in Attachment H to the DHS 4300A Sensitive Systems Handbook,
“Plan of Action and Milestones (POA&M) Process Guide.”
5.1 Chief Information Officer
The DHS CIO has the following FISMA reporting responsibilities:
• Allocate resources to support Department-wide FISMA reporting and POA&M process
implementation.
• Submit quarterly FISMA reports to OMB.
• Oversee and monitor progress of POA&M implementation and remediation efforts.
5.2 Chief Information Security Officer
The DHS CISO has the following FISMA reporting responsibilities:
• Develop enterprise processes and procedures for FISMA reporting.
• Maintain an oversight program to ensure compliance with FISMA reporting requirements.
• Ensure that POA&M and FISMA data reported by Components is protected and
disseminated only on a need-to-know basis.
• Verify that Component CISOs and ISSMs properly develop, implement, and manage a
Component POA&Ms process.
• Verify that Component CISOs and ISSMs perform oversight of their Component’s POA&M
management process.
• Ensure that the DHS OIG has access to IACS as needed for scheduled reviews and audits.
• Develop the quarterly and annual FISMA reports as required.
5.3 Component Chief Information Officer
Component CIOs have the following FISMA reporting responsibilities:
• Allocate Component resources to support FISMA reporting and POA&M process
implementation.
• Ensure that a Component level POA&M process is implemented and maintained.
• Oversee and monitor the progress of their Component’s POA&M implementation and
remediation efforts.
5.4 System Owners and Program Officials
System Owners and Program Officials have the following FISMA reporting responsibilities:
• Ensure that system performance data is entered into IACS.
• Manage development and implementation of corrective action plans for all systems and
programs that support their operations and assets.
v11.0, August 5, 2014 17
22. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
• Ensure that IT security weaknesses are prioritized.
• Ensure that funding is made available for correcting IT security weaknesses.
5.5 Component Chief Information Security Officers and Information System Security
Managers
Each Component CISO and ISSM is responsible for the following FISMA reporting
responsibilities:
• Implement and maintain a Component level POA&M process.
• Ensure that IT system performance metrics are entered into IACS and updated when a
change in the performance metric occurs.
• Ensure that POA&M updates are submitted in IACS by the data submission deadlines and on
a monthly basis.
• Review, on a quarterly basis, their Component’s system POA&Ms for consistency and
accuracy.
• Monitor the status of their Component’s POA&Ms.
5.6 Information system Security Officers
Each Component ISSO is responsible for the following FISMA reporting responsibilities:
• Develop POA&Ms to track and manage the remediation of weaknesses for the systems under
their control.
• Ensure that their POA&Ms are current and entered into the IACS on at least a monthly basis.
• Use IACS for collecting IT security program data for the periodic FISMA report.
v11.0, August 5, 2014 18
23. DHS 4300A SENSITIVE SYSTEMS HANDBOOK ATTACHMENT E – FISMA REPORTING
6.0 DEPARTMENT SCORECARD
The Department Scorecard is a management level report that is published monthly and
distributed to the CIO Council and the CISO Council. The Scorecard is based on data received
by midnight on the last day of the month for the reporting period. The scorecard reflects OMB
reporting requirements, DHS senior management priorities, and Component progress in
implementing continuous monitoring requirements. The associated reports provide details of
what factors influenced the scores shown to management in the FISMA Scorecard.
v11.0, August 5, 2014 19