INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING
Environmental Protection Agency Shared Service Center

Our Vision
Help federal managers and IT professionals understand and successfully implement the federal risk management framework so they can manage information and IT assets in accordance with federal standards.

Agenda/Presentation Overview
SSC Goals
Role in the Risk Management Framework
ASSERT Capabilities
EPA’s SSC Process
Consortium Benefits
Implementation Timeframe
Pricing
Summary

Integrated Security Solution – Our Goals
Assist your information security program using proven, effective practices
Save time and resources spent on FISMA quarterly and annual reporting to OMB
Aid performance on the Annual Congressional Scorecard

EPA’s Integrated Security Solution
(Diagram: the Information System at the center, surrounded by the NIST publications the solution draws on: FIPS 199, FIPS 200, SP 800-18, 800-30, 800-37, 800-42, 800-53, 800-53A, 800-60, 800-64 and 800-70; labelled ASSERT.)

Time to Talk About ASSERT

ASSERT Capabilities
Secure Web Access
Portal for Ease of Use
System Categorization
System Inventory Management
Risk Identification
Control Tailoring
Continuous Monitoring: Implementation, Testing, and Remediation (POAM Tasks)
Management Oversight
FISMA Reporting Compliance

“Since 2004 SSA has used the ASSERT tool. It has met all our expectations and more as the IG and their contractor have also given it a ‘thumbs up.’ … We at SSA highly recommend the tool.”
Bob Burch, FISMA Manager, Social Security Administration

ASSERT Secure Web Access
Customized with your logo and colors
Post news and announcements for users
Conforms with Moderate Baseline & FIPS 140-2 encryption

ASSERT Portal: Ease of Use
Perform key functions at the click of a button
See summary information
Access details via links
Focus on critical items
What you see is based on your job assignments

ASSERT System Categorization: Business Orientation
Walks users through a structured interview or supports expert mode
Helps users identify Business Areas and Lines of Business
Extensive links to help
Button navigation

ASSERT System Categorization: Guidance for Users
(Screenshot: impact levels shown as Low, Low, Moderate)
Coaching for decisions on confidentiality, integrity, and availability
Helps identify Other Factors and Special Factors affecting categorization

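As an added example (not part of the original presentation and not ASSERT's own code), the following Python models the categorization step this slide describes: each information type carries provisional confidentiality, integrity and availability levels, a documented "other/special factor" may adjust one of them, and the system category is the FIPS 199 high-water mark across types and across the three objectives. The information types, their levels and the adjustment rationale are constructed for illustration; the sample reproduces the Low / Low / Moderate result shown on the slide.

```python
"""FIPS 199 system categorization by high-water mark (added example).

The aggregation rule is the FIPS 199 / SP 800-60 high-water mark. The
information types, their provisional levels and the adjustment below are
constructed sample data, not taken from the presentation.
"""
from dataclasses import dataclass, field
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class Adjustment:
    """A documented departure from a provisional level (an 'other/special factor')."""
    objective: str
    level: Impact
    rationale: str


@dataclass
class InformationType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    adjustments: list = field(default_factory=list)


def final_levels(info_type: InformationType) -> dict:
    """Apply documented adjustments to the provisional C/I/A levels of one type."""
    levels = {obj: getattr(info_type, obj) for obj in OBJECTIVES}
    for adj in info_type.adjustments:
        if adj.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective {adj.objective!r}")
        if not adj.rationale.strip():
            # An undocumented change to an impact level is not accepted.
            raise ValueError(f"{info_type.name}: adjustment to {adj.objective} needs a rationale")
        levels[adj.objective] = adj.level
    return levels


def categorize_system(types: list) -> dict:
    """Per objective, the maximum over all information types; the overall
    system category is the maximum over the three objectives."""
    if not types:
        raise ValueError("a system must carry at least one information type")
    per_type = [final_levels(t) for t in types]
    result = {obj: max(levels[obj] for levels in per_type) for obj in OBJECTIVES}
    result["overall"] = max(result[obj] for obj in OBJECTIVES)
    return result


def fips199_notation(cat: dict) -> str:
    """Render the category in the FIPS 199 'SC = {...}' form."""
    return "SC = {" + ", ".join(f"({obj}, {cat[obj].name})" for obj in OBJECTIVES) + "}"


# Constructed sample: one public information type plus a feed whose
# availability is raised by a documented special factor.
SAMPLE_TYPES = [
    InformationType("Public announcements", Impact.LOW, Impact.LOW, Impact.LOW),
    InformationType(
        "Emergency notification feed", Impact.LOW, Impact.LOW, Impact.LOW,
        adjustments=[Adjustment("availability", Impact.MODERATE,
                                "An outage during an incident delays public warnings")],
    ),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(fips199_notation(cat))   # SC = {(confidentiality, LOW), (integrity, LOW), (availability, MODERATE)}
    print("Overall:", cat["overall"].name)   # Overall: MODERATE
```

The overall level drives which SP 800-53 baseline (Low, Moderate or High) is tailored in the next step; requiring a rationale on every adjustment is what keeps a later reviewer able to see why a provisional level was changed.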
ASSERT Inventory Management
Maintain FISMA or full Agency Inventory
Identify GSS/MA Relationships across Agency

ASSERT Risk Identification and Control Tailoring
(Screenshot labels: Scoping; Risk values; Review status)

ASSERT Continuous Monitoring: Implementation
Base Control
Enhancements
Implementation documented & available for export to Security Plan

ASSERT Continuous Monitoring: Testing
Show expected test step results and require documentation of variances
Document the test step result
Certify the test step result
Roll up to Control status

ASSERT Continuous Monitoring: Remediation
Tasks for remediating the control

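The testing and remediation slides describe one sequence: show the expected result of each test step, record the actual result, require a note for any variance, certify the step, roll the steps up to a control status, and raise remediation (POAM) tasks. The Python below is an added example of that roll-up, not ASSERT's code. The status names ("Satisfied" and "Other Than Satisfied" in SP 800-53A usage, plus "Not Tested" and "Pending Certification"), the rule that every documented variance opens one POAM task, and the sample AC-2 test steps are assumptions constructed for illustration.

```python
"""Roll-up of control test-step results into a control status and POAM tasks.

Added example, not ASSERT's own code. Assumed rules: an undocumented
variance is rejected; any untested step leaves the control "Not Tested";
each documented variance opens one POAM task and makes the control
"Other Than Satisfied"; a control is "Satisfied" only when every step
matches its expected result and has been certified.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TestStep:
    step_id: str
    expected: str                       # expected result shown to the tester
    actual: Optional[str] = None        # None until the step has been performed
    variance_note: str = ""             # required whenever actual != expected
    certified_by: Optional[str] = None  # reviewer who certified the recorded result

    @property
    def tested(self) -> bool:
        return self.actual is not None

    @property
    def has_variance(self) -> bool:
        return self.tested and self.actual.strip().lower() != self.expected.strip().lower()


@dataclass
class POAMTask:
    control_id: str
    step_id: str
    weakness: str


def validate_step(step: TestStep) -> list[str]:
    """Reasons a step cannot be accepted as recorded (empty list means OK)."""
    problems = []
    if step.has_variance and not step.variance_note.strip():
        problems.append(f"{step.step_id}: variance from expected result requires documentation")
    if step.certified_by and not step.tested:
        problems.append(f"{step.step_id}: certified before a result was documented")
    return problems


def roll_up(control_id: str, steps: list[TestStep]) -> tuple[str, list[POAMTask]]:
    """Derive the control's status from its steps; open one POAM task per variance."""
    problems = [p for step in steps for p in validate_step(step)]
    if problems:
        raise ValueError("; ".join(problems))
    if not steps or any(not step.tested for step in steps):
        return "Not Tested", []
    tasks = [
        POAMTask(control_id, step.step_id,
                 f"expected '{step.expected}', observed '{step.actual}': {step.variance_note}")
        for step in steps if step.has_variance
    ]
    if tasks:
        return "Other Than Satisfied", tasks
    if all(step.certified_by for step in steps):
        return "Satisfied", []
    return "Pending Certification", []


# Constructed sample: three test steps for account management (AC-2), one with
# a documented variance. Names and results are illustrative only.
SAMPLE_STEPS = [
    TestStep("AC-2.1", "Every account has a recorded approver",
             "Every account has a recorded approver", certified_by="j.reviewer"),
    TestStep("AC-2.2", "Inactive accounts disabled within 30 days",
             "3 accounts inactive for more than 30 days remain enabled",
             variance_note="HR offboarding feed delayed; manual disable scheduled",
             certified_by="j.reviewer"),
    TestStep("AC-2.3", "No shared accounts present",
             "No shared accounts present", certified_by="j.reviewer"),
]

if __name__ == "__main__":
    status, tasks = roll_up("AC-2", SAMPLE_STEPS)
    print(status)                    # Other Than Satisfied
    for task in tasks:
        print(task.step_id, "->", task.weakness)
```

Rejecting an undocumented variance at validation time, rather than silently counting it as a failure, is what enforces the slide's "require documentation of variances" before anything rolls up to the control or to a POAM entry.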
ASSERT Management Oversight
Real-time report data
Export to PDF or Excel, or on-screen view

ASSERT Management Oversight
Color coding and words

ASSERT FISMA Reporting Compliance
Expands to show totals by categorization level

ASSERT FISMA Reporting Compliance

ASSERT Technical Specifications
ColdFusion MX7 front-end
Oracle 10g database
Accessed via the Web using a FIPS 140-2 compliant encrypted connection (https://)
No mobile code or special ports
Scalable for number of organizational units, systems and users

A Solid Foundation in ASSERT
A stable, effective, full-featured tool
Secure web-based access to a centralized database
Complies with Moderate baseline controls
Full cycle of FISMA-mandated activities supported
Reporting capabilities

“The elements and phases of the ASSERT SPM appear not only to comply with DITSCAP requirements, but they are much more comprehensive and specify many more steps in the software accreditation and implementation process for EPA. In addition, each element of the ASSERT System has very specific QA requirements for documentation and approval.”
Kevin Hull, Independent QA Auditor, December 2006

EPA’s Shared Service Center: Customized Services
Participation Level: Items
Government Off-the-Shelf (GOTS): Downloadable software
Consortium Membership: Technology updates and refreshes; membership on the Configuration Control Board
Readiness Review: Implementation requirements
Additional Services: Data conversion; training & reports; other security-related services

EPA’s Shared Service Center Offerings
Implementation support
Software deployment
Ongoing management & operational support
Technical hosting options
Consortium membership

SSC Implementation Support
Evaluate current processes and security environment
Recommend implementation plan based on effective practices
If requested, provide CISO and staff with business and technical consulting
Help migrate existing data, tailor controls
Offer user training and help desk support

SSC Software Deployment
Flexibility through customization of…
• Agency logo and preferred colors
• Organizational structure
• Standardized terms
Support for loading information
• System-user information
• Assessment and POAM history
Agency-specific NIST-compliant policies to reference
Agency-specific common controls and risk management decisions

SSC Management & Operational Support
Sharing of best practices; FISMA management and reporting services:
• Management and business process consultation
• Analysis, such as policy alignment
• Customized reports
• Staff augmentation
Comprehensive user training
• Relates software to business processes
• Can qualify as specialized IT training
Help desk support

SSC Technical Hosting Options
EPA hosting service
• Centralized database instance for each agency, with segregation of data
• System platforms, management and monitoring
• Fully certified and accredited environments
Participant agency hosting
• Provide own system platforms, management and monitoring

ASSERT Consortium
Consortium Board sets vision and directs software evolution
Configuration Control Board oversees the ASSERT feature set
Members share best practices and leverage costs
Reasonably priced to accommodate agencies of all sizes
2006 membership: EPA, GSA, SSA, USDA

Consortium Members’ Security Grades: 2001-2005
Agency                            2001  2002          2003  2004         2005
Environmental Protection Agency   D+    D- (Founded)  C     B            A+
General Services Administration   D     D             D     C+ (Joined)  A-
Social Security Administration    C+    B-            B+    B (Joined)   A+
NOTE: USDA joined in 2006.

Consortium Process
Gather Requirements → Analyze & Define → Review by Consortium Board → Formalize Request → Approval by CCB → Develop & Deploy
Process repeats as necessary

EPA’s Integrated Security Solution: Getting There
Timeframe: Activities
FY 2007: Evaluation of current processes and security environment
FY 2008: Migrate data, implement system, and train users
FY 2009: Improved security program

Cost: Sliding Scale
Participation Level: Year 1 / Annual
GOTS: None / None
Consortium Membership:
  Year 1: Mega Agency TBN*; Large Agency $250,000; Mid-size Agency $150,000; Small Agency $50,000; Micro Agency shared instance
  Annual: Mega Agency TBN; Large Agency $250,000; Mid-size Agency $150,000; Small Agency $50,000; Micro Agency TBN
Readiness Review:
  Year 1: Mega Agency TBN; Large Agency $25,000; Mid-size Agency $25,000; Small Agency included; Micro Agency TBN
  Annual: None
Additional Services: Priced per request
* To Be Negotiated

Summary: EPA’s Integrated Security Solution
A proven business model
Conformance to the federal risk management framework
Proven, stable software solution since 2002
Services to support implementation and beyond
Consortium in operation since 2004
Consortium members got “A’s” on 2005 Congressional Scorecard

Benefits
Conforms to the federal risk management framework and federal standards
Standardizes and integrates security practices with business processes
Affordable for agencies of all sizes
Comprehensive solution:
• Services for implementation plus ongoing management and operations support
• ASSERT software

Benefits (continued)
Well-integrated with OMB regulations and NIST methodology for continuous monitoring of controls
Active consortium of government agencies
• Directs the system vision and development
• Reduces costs through shared resources
• Sets software feature direction

Summary: This Approach
Standardizes and integrates security practices with business processes…
…with the help of an agency that has been there before.

EPA Open House
Consortium Open House, April 5 from 9 am to 3 pm
At EPA East, 12th & Constitution, Rooms 1117A & B
Come for panel discussions, Q&A, and demos

For more information, please contact:
Marian Cody, CISO, U.S. [email protected]
Bernice Bealle, U.S. [email protected]
Don Huddleston, U.S. [email protected]
FISMA Reporting Solution