ISA220 Risk Management Framework for Practitioners


Posted on 16-Jul-2020


TRANSCRIPT

Page 1: ISA220 Risk Management Framework for Practitioners, Lesson 3.5 - Initiating a DoD Security Plan

Initiating the Security Plan

In RMF Step 1, we initiate the DoD Security Plan; however, it is a living document and is updated regularly throughout the acquisition life cycle.

It is a conceptual body of information which may be accounted for within one or more repositories and includes documents that come from a variety of sources.

For example, Information System Owners inheriting common controls can either document the implementation of the controls in their respective Security Plans or reference the controls contained in the Security Plans of common control providers.

Page 2: The DoD Security Plan

The DoD Security Plan is initiated by the Information or PIT System Owner or Common Control Provider (with collaboration of the security staff).

The Security Plan:

• Provides an overview of the security of the Information or PIT System and describes the controls and critical elements in place or planned for, based upon DoD Standards

• Provides sufficient information to enable an understanding of the intended expression of each security control in the context of the Information or PIT System


Page 3: The DoD Security Plan Template

The Security Plan is the anchoring document to your system's Security Authorization Package you will submit to the AO. It has contributions from many sources and provides detailed information about the system.

The RMF Knowledge Service (KS) provides a DoD Security Plan template that contains 38 distinct fields with content descriptions and instructions.

Although many fields are self-explanatory, I will provide more narrative examples, applying relevant information from our AFS to the numbered fields within the template to better understand the types of information you may include in a Security Plan.

Please select the magnifying glass icon to view a portion of the Security Plan template.


Page 4: The DoD Security Plan Template (popup image of the template form)

DoD Security Plan (SP) form fields visible in the template image: 1 System Name; 2 System Identification; 3 Acronym; 4 System Type; 5 System Life Cycle/Acquisition Phase; 6 Version/Release #; 7 DoD Component; 8 Ports, Protocols, & Services Management (PPSM) Registry Number; 9 Authorization Status; 10 Authorization Date and Signature (Type Authorization: Yes/No); 11 Authorization Termination Date; 12 Governing Mission Area; 13 Security Review Date; 14 System Location (Single Location / Multiple Location); 15 DoD Security Control Set (NIST SP 800-53 Revision); 16 RMF POCs, Member Names, and Contact Information.

Page 5: The DoD Security Plan Template (long description of the template popup)

Long Description: The Security Plan Template. Fields include: System Name, System Identification, Acronym, System Type, System Life Cycle/Acquisition Phase, Version/Release #, DoD Component, PPSM Registry Number, Authorization Date and Signature, Authorization Termination Date, Governing Mission Area, Security Review Date, System Location, DoD Security Control Set, Physical Location, and RMF Point of Contact Member Name Titles.

Page 6: The DoD Security Plan Template, Cont.

I've attached the RMF Core Security Authorization Package. This is a Microsoft Office Excel workbook that allows you to view the entire group of templates required for the RMF.

When using these templates, DoD has added drop-down menus that align to required designations and identifiers to maintain consistency with common DoD terms and definitions.

For more information regarding the workbook, please visit https://rmfks.osd.mil/login.htm.

Please select the information icon to view this workbook.

Page 7: Completing the Security Plan

The most critical information provided to an Authorizing Official when seeking system authorization is found in the Security Plan.

We will now address completing portions of the Security Plan for the Automated Fuels System. We will begin with the System Name, Identification, Acronym, Type and Phase.

Please select each field to see the required information and the AFS information we will place in the corresponding fields.

• System Name

• System Identification

• Acronym

• System Type

• System Life Cycle/Acquisition Phase

Page 8: Completing the Security Plan (popup: System Name)

System Name

Definition: Full descriptive name of the system.

Example: Automated Fuels System

Page 9: Completing the Security Plan (popup: System Identification)

System Identification

Definition: Unique system identifier (typically a number or code) used by the DoD Component to uniquely identify the system. This is usually the DoD IT Portfolio Repository (DITPR) identification.

Example: 63221

Page 10: Completing the Security Plan (popup: Acronym)

Acronym

Definition: Provide a shortened or commonly used name or abbreviation (upper case) for the system.

Example: AFS

Page 11: Completing the Security Plan (popup: System Type)

System Type

Definition: Identify the DoD IT type [Drop-down list]:

• IS Major Application

• IS Enclave

• Platform IT System

Example: IS Enclave

Page 12: Completing the Security Plan (popup: System Life Cycle/Acquisition Phase)

System Life Cycle/Acquisition Phase

Definition: For Programs of Record, identify the current System Acquisition Phase [Drop-down list]:

1. Pre-Milestone A (Materiel Solution Analysis)
2. Post-Milestone A (Technology Development)
3. Post-Milestone B (Engineering and Manufacturing Development)
4. Post-Milestone C (Production and Deployment)
5. Post-Full Rate Production/Deployment Decision (Operations & Support)

Example: 1. Pre-Milestone A (Materiel Solution Analysis)

Page 13: Completing the Security Plan, Cont.

Please select the magnifying glass icon to view the portion of the template that is completed for the Automated Fuels System example.

We will continue to apply information about our Automated Fuels System to gain a better understanding of how to complete the Security Plan.

Page 14 and Page 15: Completing the Security Plan, Cont. (popup images of the DoD Security Plan (SP) template with the AFS fields completed)

Values visible in the completed template image: 1 System Name: Automated Fuels System; 2 System Identification: 63221; 3 Acronym: AFS; 4 System Type: IS Enclave; 5 System Life Cycle/Acquisition Phase: 1. Pre-Milestone A (Materiel Solution Analysis); 15 DoD Security Control Set: NIST SP 800-53 Revision (drop-down); 16 RMF POCs, Member Names, and Contact Information; 17 Title / Name / Phone, first row Authorizing Official (AO).

Page 16: Completing the Security Plan, Cont. (long description of the completed template popup)

Long Description

DoD Security Plan (SP)

The template that is used to complete the Security Plan. The fields that are completed are:

• System Name: Automated Fuels System

• System Identification: 63221

• Acronym: AFS

• System Type: IS Enclave

• System Life Cycle/Acquisition Phase: 1. Pre-Milestone A (Materiel Solution Analysis)

Page 17: The Security Plan - The System Description of the AFS

Within the Security Plan, you must provide a system description (template field 18) (e.g., data analysis, network support, administration) and describe the primary computing platforms (e.g., mainframe, desktop, Local Area Network, Wide Area Network, and/or Virtual Local Area Network).

For the AFS, we would describe the system with the following information:

"The AFS is an information system that supports the U.S. Army in performing the DoD's Fuels Program fuel management and distribution mission. It is a multi-functional network that provides point of sale data collection, inventory control, financial management, accounting, procurement, and facilities management. The Fuels Program information is Unclassified//For Official Use Only."

Page 18: The Security Plan - The System Description of the AFS, Cont.

The AFS will provide interfaces via the NIPRNet to existing DoD Fuels Program logistics and financial information systems. It includes both enterprise level and operational level business operations in order to standardize the business processes for all fuel management via enterprise applications.

The Fuels Program is managed within the Pentagon which will also host the AFS. This will allow the AFS to leverage physical and logical security controls from the Pentagon, NIPRNet, and the Fuels Management Network.

Initial Operational Capability ( IOC) for the AFS is currently anticipated to occur within three years from start and reach Full Operational Capability within six years from start.


Page 19: The Security Plan - The System Description of the AFS, Cont.

The AFS will be a critical system to access and manage fuel necessary in emergencies from the Strategic Petroleum Reserve (SPR), which is emergency fuel storage of oil maintained by the United States Department of Energy.

It is the largest emergency supply in the world with the capacity to hold up to 713.5 million barrels. Department of Homeland Security (DHS) recently became a partner in the DoD Fuels Program and has expressed interest in standing up an AFS in their St. Louis facility.

The AFS requires command and control level protection. The AFS must be protected from unauthorized access, intentional denial of service, and malicious corruption of data.

Page 20: The Security Plan - The System Description of the AFS, Cont.

The Fuels Program information, which includes sensitive information, is determined to be vital to the operational readiness and mission effectiveness of deployed and contingency forces. If information is released, intercepted, or compromised, the potential impact could have a serious adverse effect on organizational operations and organizational assets.

Unauthorized modification or destruction of Fuels Program information could result in significant financial loss, inability to track fuel availability, and disable fuel protected repositories. Loss of availability can only be tolerated for a short time and may seriously impact mission effectiveness or operational readiness.

Page 21: The Security Plan - The System Description of the AFS, Cont.

Specific threats to the Fuels Program information and associated information systems include: data compromise, data corruption, theft, disruption of service, and physical destruction.

Because we have several different types of information on the AFS, it will require the Fuels Program Manager to work with the Chief Financial Officer (to address the financial information) and with the Logistics Officer, since they are all considered the "Data Owners."

The AFS Program Manager has identified the overall categorization for the AFS as Moderate Confidentiality, Moderate Integrity and Moderate Availability.

It is expected over time that implementation of the AFS will streamline processes and gain resource efficiencies.

Page 22: The Security Plan - Authorization Boundary, Associated Hardware/Software/Firmware, and System Enterprise and Information Security Architecture

The Security Plan template allows you to complete the System Authorization Boundary and Hardware/Software/Firmware sections (template fields 21, 22) by inserting a link, uploading or attaching an authorization boundary diagram, and a spreadsheet of system hardware, software, and firmware.

Let's take another look at our AFS system boundary and system components. Everything within the AFS System Boundary box will be included in our request for AFS authorization.

This diagram, our AFS Scenario document, and coordination with our Cybersecurity Working Integrated Process Team will assist us in providing information to complete several sections about our AFS within the template.

Please select the magnifying glass icon to view the AFS system boundary diagram.

Page 23: The Security Plan - Authorization Boundary, Associated Hardware/Software/Firmware, and System Enterprise and Information Security Architecture (popup: AFS System Boundary diagram)

Diagram labels: DHS St. Louis; Internet; PENTAGON; DoD FUELS MANAGEMENT PROGRAM; DoD Automated Fuels System (AFS); AFS System Boundary.

Page 24: The Security Plan - Authorization Boundary, Associated Hardware/Software/Firmware, and System Enterprise and Information Security Architecture (long description of the boundary diagram)

Long Description: DoD Automated Fuels System (AFS). The AFS System Boundary. Process includes the router/switch to the AFS mail, print, file, and database servers to the workstations.

Page 25: The Security Plan - System Enterprise and Information Security Architecture

Drawings and Diagrams must be provided to reflect enterprise, system and functional architecture. These depictions should include any DoD and/or DoD Component Enterprise Architecture or Enterprise Information Assurance Architecture (template field 23) requirements that impact the security of the system and describe the system architecture.

As needed, show the architecture in diagram and data flow form and place it as an appendix to the Security Plan. The diagrams should include the descriptions of the functional architecture.

If detailed descriptions are provided in other system documentation (such as design documents), references to the documents may be placed in this section in lieu of descriptions. Also include:

• External Interfaces

• User Roles and Access Privileges

• Unique Security Requirements

• Protection Needs of Specific Types of Information

• Restoration Priorities

Page 26: The Security Plan - Hardware/Software/Firmware

Within the Security Plan, you must include the hardware used within the system as well as the security software and firmware protecting the system and information (template field 22).

Security services that may be provided external to the system, such as those provided by a DoD Cybersecurity Service Provider (CSSP) that can provide a spectrum of protect, detect, respond, and sustain services to DoD component systems, must also be included.

Description of the types of security protection provided by the hardware, software, and firmware must also include:

• Access control to the computing platform

• Stored files at the operating system level

• Access to data records within a system

Template fields shown in the slide image:

18 System Description

19 Software Category

20 Mission Criticality

21 System Authorization Boundary

22 Hardware/Software/Firmware

23 System Enterprise and Information Security Architecture

24 Information Flows/Paths

25 Network Connection Rules

Page 27: The Security Plan - The AFS Hardware/Software/Firmware

If we look back at our AFS background information, the AFS will consist of:

• Five Dell Optiplex GS 270 workstations (serials PC0001-0005) using Microsoft Windows 10 operating systems

• Three printers (HP Officejet X, serial numbers HPU01-06)

• One router (CISCO 7202 (100Mbps throughput, TCP/IP), serial number CMR001-002, running CISCO IOS v.15)

• One switch (CISCO Catalyst 3560, serial CCS001, running CISCO IOS v.15)

• Four servers (Dell PowerEdge T130, serial number DPES0001)

Microsoft Office 365 will be the standard on all workstations (Enterprise license), and MS Outlook is used for email communications in support of the Fuels Program.

Page 28: The Security Plan - The AFS Hardware/Software/Firmware, Cont.

There are significant benefits for our AFS connecting to and being a part of the larger Fuels Management Program Network within the NIPRNet. This allows us to take full advantage of some DoD Enterprise capabilities, such as Common Access Cards for all of our users to satisfy requirements for DoD PKI system authentication.

The AFS will also implement all DoD Enterprise cybersecurity network and endpoint capabilities. These capabilities include Host Based Security System (HBSS) for our servers and workstations, data at rest encryption, antivirus software, and the Automated Compliance Assessment System (ACAS) to address our requirements to scan our systems for software and configuration vulnerabilities.

More information about these capabilities can be found at http://www.disa.mil/Cybersecurity/Network-Defense.

Page 29: The Security Plan - Interconnected Information Systems and Identifiers

Within the Security Plan, you must describe external interconnections to the system. This includes a list of the interconnected systems and system identification number (template field 26). The items to include are:

• System Name

• Organization

• System Type

• Interconnection Security Agreement on file

• Date of interconnect agreement

• Interconnection type (protocols, network services, VLAN, remote)

• Security categories (for C-I-A)

• Classification level(s) and compartments

• Authorization status

• Name of authorizing official

Page 30: The Security Plan - Interconnected Information Systems and Identifiers, Cont.

Any external system that sends data to or receives data from the system should be listed here. In addition, describe how shared information is protected if the system is interconnected with systems external to the organization. Attach the Interconnection Security Agreement as an appendix in the Security Plan.

In addition, list any formal rules for interconnecting systems, security concerns, and Rules of Behavior of the other systems that need to be considered in the protection of this system.

Other system or organization documents may be referenced to provide the descriptions. Some of the connection facilities or services may be provided by the organization or by a common control infrastructure and may be protected by common security controls. In this case, other organizational authorization documents may be referenced or used in the authorization process for the system.


Page 31: The Security Plan - System User Categories

Within the Security Plan, you must list user organizations pertaining to the system, internal or external to the system owner's organization (template field 30). The plan template provides a drop-down menu of DoD User types which include:

• DoD Personnel

• Contractors

• Federal/State/Local

• Organization

• Foreign Nationals

• Coalition Partners

• General Public

You must select all that apply and include access rights and privileges for each box that is checked.


The Security Plan - Addressing Privacy Information within the Security Plan


As part of the Risk Management Framework, we no longer protect only classified and sensitive U.S. Government information; we now also consider other types of information, such as privacy, health, and financial information. Specifically regarding a DoD Security Plan, we must address how we will protect privacy information if it is contained on the Information or PIT system.

Privacy fields of the Security Plan template are numbered 31 and 32. They are labeled:

• Privacy Impact Assessment Required

• Privacy Act System of Records Notice Required


The Security Plan - Addressing Privacy Information within the Security Plan, Cont.

Our AFS will not contain privacy information; therefore, you may select the "does not contain privacy information" choice within the template. If you support a system that will process privacy information, you may have to apply the Privacy Overlay for security controls, and you must conduct a Privacy Impact Assessment (PIA) and a System of Records Notice (SORN) and provide that documentation with your SP. The Privacy Overlay will be addressed in a future lesson.


Privacy Impact Assessments (PIAs)

PIAs are mandated under the E-Government Act of 2002. They require government agencies to assess the impact on privacy for systems that collect Personally Identifiable Information (PII) in Privacy Impact Assessments (PIAs).

The PIA process also provides a means to assure compliance with applicable laws and regulations governing U.S. Government, public, and employee privacy.

When determining whether your system does or does not hold Privacy Act and/or PII information, seek guidance from your organization's privacy office. Privacy issues must be addressed while systems are being developed, and privacy protections must be integrated into the development life cycle of information systems.


System of Records Notices (SORN)

The Privacy Act of 1974 requires that agencies create and maintain, as necessary, System of Records Notices (SORN). A system of records consists of any item, collection, or grouping of information about an individual, where those records can be retrieved by the name of the individual or by some other type of identifier unique to the individual. As a best practice, you should get involved in the registration task within RMF Step 1 to start the process early, as the review process takes time to make determinations regarding Privacy Information.


Obtaining Approval for the System Security Categorization

To obtain approval for the System Security categorization, submit the draft Security Plan with the categorization information and supporting justifications to the Authorizing Official or Authorizing Official's Designated Representative.

Note: Each respective Authorizing Official (AO) of the various Component Services will have a written process for obtaining their concurrence.


How to Register the Information or PIT System

All DoD Information systems are registered in the DoD Information Technology (IT) Portfolio Repository (DITPR) or the Secure Internet Protocol Network (SIPRNet) IT Registry (SITR), in accordance with current DITPR and SITR guidance, at the beginning of the system development life cycle.

The Information System Owner must record the DoD information system registration number obtained from the DITPR or SITR, or the PIT system registration number obtained from the DoD Component registry, in the System Identification field within the Security Plan.

PIT systems are identified, designated as such, and centrally registered at the DoD Component level, but they are not recorded in the DITPR or SITR because they are not subject to Federal Information Security Modernization Act (FISMA) reporting.

Information System Owners are responsible for registering the IS or PIT system in their Component information system registry. Specific Component implementation policy and detailed procedures should be available on the relevant Component website/portal. Specific information for individual DoD Components may also be available under the DoD Component Workspaces section on the RMF KS (https://rmfks.osd.mil/ks/Collaboration/ComponentWorkspaces/Pages/default.aspx, CAC enabled).

Special Access Programs (SAP) information systems should also be registered with the DoD Component SAP Central Office (SAPCO).


Federal Information Security Modernization Act (FISMA)

FISMA 2014 is a United States federal law enacted in 2002 (and updated in 2014) as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The Act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy" for cost-effective security. FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the Act.


Knowledge Review 1

Based on the Automated Fuels System (AFS) scenario, the impact levels were initially determined as Moderate for Confidentiality, Moderate for Integrity, and Moderate for Availability. Recently, within the U.S., gas prices have exceeded $5.00 per gallon, and the company Advancing Resources has been added to the team to develop a proprietary application for the AFS that restricts access to specific information, using file encryption to protect how fuel reserves information is accessed and shared. This has added a new information type that the AFS must support: proprietary information (PROPIN).

Therefore, you must engage Dr. Jack Bright, Mission Owner of the Fuels Program, to discuss how the addition of PROPIN affects the impact levels that have been determined for the AFS. In addition to the Fuels Program Financial and Logistics Information Owners, who are the other members of the AFS team that you need to engage to address the final impact levels to categorize the AFS (select all that apply)?

• [ ] AFS Information System Owner

• [ ] U.S. Army Authorizing Official

• [x] Fuels Program Chief Financial Officer (CFO)

• [x] Fuels Program Logistics Officer

Check Answer

Dr. Bright should discuss impact levels with the Fuels Program Chief Financial Officer and the Fuels Program Logistics Officer.


Knowledge Review 2

Colonel Jack Sparrow, the new Program Manager and Information Owner for the Fuels Program facility security information that will be processed on the Automated Fuels System, has determined the facility security information impact levels to be Low for Confidentiality, Low for Integrity, and Low for Availability. This will result in a change to the overall Categorization of AFS to:

• [ ] Moderate for Confidentiality, Low for Integrity, and Low for Availability

• [ ] High for Confidentiality, Moderate for Integrity, and Low for Availability

• [ ] Moderate for Confidentiality, Low for Integrity, and Moderate for Availability

• [x] No change at all

Check Answer

There will be no change at all. The facility security information impact levels are Low for Confidentiality, Low for Integrity, and Low for Availability, which does not raise any of the AFS impact levels above Moderate.
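The high-water-mark rule behind both Knowledge Reviews, as an added example that is not part of the ISA220 course: it aggregates per-information-type impact levels into a system categorization and reports which information types drive each axis (and so which Information Owners to engage), showing why adding a Low/Low/Low type leaves the AFS at Moderate. The PROPIN impact levels used here are an assumption for illustration; the lesson does not state them.

```python
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]  # (Confidentiality, Integrity, Availability)
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
AXES = ("Confidentiality", "Integrity", "Availability")


def categorize(info_types: Dict[str, Triple]) -> Dict[str, str]:
    """High-water mark: for each axis, take the highest impact level over all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    result = {}
    for i, axis in enumerate(AXES):
        levels = [t[i] for t in info_types.values()]
        unknown = [lv for lv in levels if lv not in LEVELS]
        if unknown:
            raise ValueError(f"unknown impact level(s) {unknown} on {axis}")
        result[axis] = max(levels, key=LEVELS.__getitem__)
    return result


def drivers(info_types: Dict[str, Triple], axis: str) -> List[str]:
    """Information types whose level on `axis` sets the system level; their owners must be engaged."""
    i = AXES.index(axis)
    top = categorize(info_types)[axis]
    return sorted(name for name, t in info_types.items() if t[i] == top)


# Constructed AFS information types. Only the Moderate baseline and the Low/Low/Low
# facility security information come from the lesson; the PROPIN levels are assumed.
AFS_BASELINE: Dict[str, Triple] = {
    "Fuels Program Financial": ("Moderate", "Moderate", "Moderate"),
    "Fuels Program Logistics": ("Moderate", "Moderate", "Moderate"),
}
WITH_FACILITY = {**AFS_BASELINE, "Facility security": ("Low", "Low", "Low")}
WITH_PROPIN = {**WITH_FACILITY, "Proprietary (PROPIN)": ("High", "Moderate", "Low")}

if __name__ == "__main__":
    cases = [("baseline", AFS_BASELINE), ("+ facility security", WITH_FACILITY), ("+ PROPIN", WITH_PROPIN)]
    for label, types in cases:
        print(label, categorize(types), "Confidentiality driven by:", drivers(types, "Confidentiality"))
```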


Lesson Completion

You have completed the content for this lesson.

To continue, select another lesson from the Table of Contents on the left.

If you have closed or hidden the Table of Contents, click the Show TOC button at the top in the Atlas navigation bar.
