enterprise continuous monitoring program training date
TRANSCRIPT
Enterprise Continuous Monitoring Program
TrainingDate
Page 2
ContentsContents
• Continuous Monitoring Refresher• Continuous Monitoring Process Approach for FY08• Task Overview and Activity Breakout• Implementation Process and Next Steps• Q&A
Page 3
Continuous Monitoring Refresher Continuous Monitoring Refresher
• What is Continuous Monitoring (CM)?
The Federal Information Security Management Act of 2002 (FISMA) requires periodic testing (at least annually) of selected security controls for all federal certified and accredited (C&A) systems to evaluate their effectivenessSystem documentation is updated to reflect changes and modifications to the system While general guidance on continuous monitoring is provided by National Institute of Standards and Technology (NIST) SP 800-37 and SP 800-53A, the Agency follows guidance to help create their process framework
• The establishment of a robust Continuous Monitoring Framework is an integral piece of the information security program
• A solid continuous monitoring approach will keep system stakeholders apprised of their security status and help integrate security into everyday roles and responsibilities
• FY08 framework is based on the need for an enterprise continuous approach and on guidance for the selection of controls and discussion with auditors
Page 4
Continuous Monitoring Refresher (continued)Continuous Monitoring Refresher (continued)
• Security controls are to be tested on an annual basisContinuous Monitoring would occur between C&A/Security Test & Evaluation (ST&E) cycles for systems
A minimum number of security controls will be tested to monitor the state of security for all systems on a yearly basis as well as satisfying FISMA requirements
Testing throughout the year fosters a more active Plans of Action & Milestones (POA&M) update and reconciliation process strengthening the accuracy and accountability of each system’s POA&M and high volatility controls
• Eventually, continuous monitoring will be integrated into the quarterly POA&M update process allowing the system stakeholders to use these plans to guide future security certification and accreditation activities
Page 5
Continuous Monitoring Approach for FY08Continuous Monitoring Approach for FY08
• Starting the process earlier in FY08• May use a three-phrase approach for system testing (similar to C&As)• Takes lessons learned from both an audit report and stakeholders
Security controls are to be tested on an annual basisConduct internal meetings, surveys, or questionnaires with System Points of Contact (POCs) and stakeholders to help identify system changes to POCs or security controls (Security Control Assessment Guide provides a list of questions to assist with determining significant changes to the system)Conduct training with all SPMOs on the enterprise continuous monitoring approachProvide Security Program Management Office (SPMO) with a training deck to assist the System POC and testers with security control testingConduct pre-testing kick-off meeting to outline how testing will be conductedCoordinate C&A documentation updates with CM activities Review each system to determine application-specific control set for testing
Page 6
Task 1: Initiation and PlanningTask 1: Initiation and Planning
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 7
Task 1: Initiation and Planning OverviewTask 1: Initiation and Planning Overview
• The Initiation and Planning task includes activities that will assist in the overall continuous monitoring process.
• Systems undergoing CM during the FISMA year are identified and scheduled for testing.
• C&A documentation from the previous cycle stored in Trusted Agent FISMA (TAF) is downloaded and reviewed to ensure that the appropriate controls are identified, selected, and fed into Task 2.
• Distribute Security Control Selection Guide to assist business owners in identifying any changes necessary to select controls.
• A preliminary update is made to the System Security Plans (SSPs) (via Appendix YY) based on the results from the questions answered from the Security Control Selection Guide.
• Testing of controls will not be the responsibility of any one individual or organization. Depending on the controls selected, the test team may involve Information Technology Business Unit representatives to conduct tests with a technical or operational flavor.
• Stakeholder training will be provided to help set expectations and educate the stakeholders on roles/responsibilities, tasks, activities and schedules
Page 8
Task 1: Initiation and Planning - Activity BreakoutTask 1: Initiation and Planning - Activity Breakout
SPMO System POC Duration/LOE
Identify systems for Continuous Monitoring 1 day/1 hr
Prepare Schedule (i.e. determine participant availability, determine blackout dates, gather all documentation, etc.) for Continuous Monitoring activities
Provide SPMO with Participant List for CM Testing and Training
1 day/1 hr
Send Schedule to: •Application Development (AD) PMO•Enterprise Operations (EoPS)•System POCs•Business Unit Security PMO•Servicing C&A Office
Review the test schedule, provide feedback to SPMO and prepare for CM
1 day/1 hr
Provide Control Selection Assessment Guide to System POC
Implement guidance to select controls 7 days/1 hr per system
Page 9
Task 1: Initiation and Planning - Activity Breakout (continued)Task 1: Initiation and Planning - Activity Breakout (continued)
SPMO System POC Duration/LOE
Gather Closed Plan of Action and Milestones (POA&Ms) and previous C&A documentation including previous SAR and ST&E results
Current updates to SSP (Appendix YY)
Select Test Team (include IT Business Unit as required)
Provide input into Test Team Selection 1 day/1 hr per system
Conduct training for all stakeholders involved in CM activities
Participate in training and ensure that the required participants are invited to the training
2 days/2 hrs
Page 10
Task 2: Control SelectionTask 2: Control Selection
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 11
Task 2: Control Selection OverviewTask 2: Control Selection Overview
• Test Control Selection is conducted by the business owner based on the Assessment Control Selection Guide
• The list of the mandatory and high volatility NIST SP 800-53 controls to test for each system during the annual cycle is pre-determined and should be used as a starting point for control selection
• Other controls to be selected include closed POA&M controls• Collaboration between the stakeholders will help determine any
additional security controls should be tested throughout the year• Selected controls should reflect the agencies priorities and the
importance of the information system to the agency. For example, certain security controls may be considered more critical than other controls because of the potential impact on the information system if those controls were subverted or found to be ineffective.
• Once selected, a control selection agreement is formalized via the Control Selection Memo process
Page 12
Task 2: Control Selection Overview (continued)Task 2: Control Selection Overview (continued)
• The Assessment Control Selection Guide was created to assist the SPMO/business owner to select the security controls to be tested for the purpose of performing continuous monitoring/annual security control testing.
• The flow of the guide is as follows:The Security Control Selection Guide Overview - will provide the document’s background and purposeThe Security Control Selection Process
• Types of Controls – discusses the types of controls from which a system owner will select the controls to be evaluated during continuous monitoring.
• Types of Security Control Testing – covers the two types of security control testing based on whether a system has performed a Certification and Accreditations (C&A) in the current FISMA cycle.
• Selection of Additional Volatile Controls – details three approaches for further selection an additional subset of controls
A quick reference guide summary
Page 13
Task 2: Control Selection - Activity BreakoutTask 2: Control Selection - Activity Breakout
SPMO System POC Duration/LOE
Identify and Select System Specific Controls for each system.
Work in conjunction (as needed) with the Business Owner and SPMO to assist with any Control Selection
5 days/2 hrs
Once the controls are selected, prepare the Security Control Selection Memo for DAA and SPMO signature.
The signed Control Selection Memo will be sent to the System POC
Review the Control Selection Memo and obtain the DAA signature
2 days/1 hr
Page 14
Task 3: Pre-Test PreparationTask 3: Pre-Test Preparation
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 15
Task 3: Pre-Test Preparation OverviewTask 3: Pre-Test Preparation Overview
• Update testing workbooks with selected controls • Update any security controls with additional technical test cases from
previous C&A effort referring to the ST&E plan for these test cases• Testing workbooks are MS Excel spreadsheets containing controls
selection matrix, security assessment report form and test cases for each control
• A testing schedule is created and finalized during the “pre-test” meeting
• The “pre-test” meeting will be held for each systemInvites will be sent outOutlines specific testing guidelinesAnswers questions about the evidence requiredObtain participation commitments
Page 16
Task 3: Pre-Test Preparation Overview (continued)Task 3: Pre-Test Preparation Overview (continued)
• Workbook Tab – Control Selection Matrix
Page 17
• Workbook Tab – Control test cases and Sample
Task 3: Pre-Test Preparation Overview (continued)Task 3: Pre-Test Preparation Overview (continued)
Page 18
• Workbook Tab – Security Assessment Reporting Form
Task 3: Pre-Test Preparation Overview (continued)Task 3: Pre-Test Preparation Overview (continued)
Page 19
Task 3: Pre-Test Preparation - Activity BreakoutTask 3: Pre-Test Preparation - Activity Breakout
SPMO System POC Duration/LOE
Distribute customize Test Workbooks to the System POCs
Distribute to test team 3 days/TBD
Develop a Testing Schedule Review the Testing Schedule and Prepare for Testing
1 day/1 hr
Conduct the Pre-Test Meeting Participate in Pre-Test Meeting (required)
Agree upon Testing Schedule
5 days/1 hr per system
Page 20
Task 4: Perform TestTask 4: Perform Test
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 21
Task 4: Perform Test OverviewTask 4: Perform Test Overview
• Controls will be tested using NIST 800-53A test procedures and documented in the testing workbooks for each system
Assessment methods are used to assess objects (in parentheses):
- Examine (documents - to include gathered evidence as necessary)- Interview (personnel)- Test (activities or HW/SW)
Note how the NIST guidance aligns with our process
• Input = Phase 2 (Control Selection)• Processing = Phase 3 (Pre-Test Prep)• Output = Phase 4 (Perform Test)
Page 22
Task 4: Perform Test Overview (continued)Task 4: Perform Test Overview (continued)
• CM tests can be conducted via teleconferenceInvitations should be sent out
• Documentation will be updated with test resultsWorkbooks/Reports
SSPs (via Appendix YY)• Appendix YY will be used to document changes from the test results
Contains control status updates
• SSP Appendix YY will be validated with the system stakeholders and any last documentation updates will be made
Page 23
Task 4: Perform Test - Activity BreakoutTask 4: Perform Test - Activity Breakout
SPMO System POC Duration/LOE
Oversee CM Test Conduct CM Testing. Compile Test Results and Update Workbook/Develop Test Report
10 days/2-3 hrs per system
Send email requesting Final Documentation/Artifacts
2 days
Send any testing verification documentation/artifacts to SPMO
2 days/as needed
Validate SSP 3 days/1 hr per system
Finalize Workbook/Test Report
Page 24
Task 5: Analyze ResultsTask 5: Analyze Results
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 25
Task 5: Analyze Results OverviewTask 5: Analyze Results Overview
• Upon completion of the testing workbooks, the System POC delivers the test results to the SPMO
• SPMO will perform analysis of the documented results providing scoring recommendations for the evaluated security controls
• The scoring methodology ensures the test procedures are assessed appropriately and the required evidence is provided for audit purposes
Page 26
Task 5: Analyze Results Overview (continued) Task 5: Analyze Results Overview (continued) • Scoring criteria is based on a “Satisfied” or an “Other than satisfied” for
each determination statement under each control test procedure:
If the results are determined to be sufficient and the test procedure is determined to be satisfied, the determination statement and procedure will be marked as “S/Satisfied”
If the test procedure is not fully addressed or the results determine the system does not comply, the determination statement and procedure will be marked as “O/Other than satisfied”
If the determination statement and procedure is not applicable to the information system, the determination statement and procedure will be marked as “N/A.”
• Based on the determination statement results, the test teams should mark the control as “In Place, Partial, Planned, risk based decision, or Not Applicable”
Scoring criteria consistent with NIST guidance has been applied to ensure that test procedure is assessed to determine if the result sufficiently addresses the focus of the test procedure and that the required evidence is provided
• Should all of the determination statements and test procedures for a control be marked as “S/Satisfied”, then the control will be scored as “In Place”.
• Should one or more of the determination statements and test procedures for a control be marked as “O/Other than satisfied”, then the control will be scored as “Partially in Place”.
• Should most or all of the determination statements and test procedures for a control be marked as “O/Other than satisfied” or “N/A.”, then the control will be scored as “Planned, RBD, or N/A”.
Page 27
Task 5: Analyze Results - Activity BreakoutTask 5: Analyze Results - Activity Breakout
SPMO System POC Duration/LOE
Perform analysis of test results 20 days
Complete Results/Scoring in Workbooks 1 day
Page 28
Task 6: Confirm ResultsTask 6: Confirm Results
TASK 1Initiation and
Planning
TASK 5Analyze Results
TASK 2Control
Selection
TASK 3Pre-Test
Preparation
TASK 4Perform Test
TASK 6Confirm Results
Continuous Monitoring
Cycle
Page 29
Task 6: Confirm Results OverviewTask 6: Confirm Results Overview
• Following the completion of results analysis by SPMO, SPMO representatives will deliver the “CM Package” to the system POCs
• The CM package contains the analysis of each system’s respective test results, including an executive-style report describing the scoring recommendations and identifying all weaknesses to each system
CM Package also contains the Signed Control Selection MemoThe system owner will review and concur with the resultsThis will allow the system stakeholders and the SPMO the opportunity to discuss scoring recommendations made by the SPMO, and give the SPMO representatives the opportunity to explain scoring rationale and justifications
• Upon agreement between the system stakeholders and SPMO representatives, the confirmed results will be used to update each system’s respective POA&M
If not in agreement, SPMO representatives will work with system stakeholders to ensure results are agreed upon before the system POC updates their system POA&M (if applicable)
• Finally, the DAA is briefed of the results by the system POC and the SPMO uploads the final CM Package to TAF
Page 30
Task 6: Confirm Results - Activity BreakoutTask 6: Confirm Results - Activity Breakout
SPMO System POC Duration/LOE
Complete Results/Scoring in Workbooks
Deliver CM Package to System POC.
The CM package will include the Test Reports, Scored Workbooks, and Signed Control Selection Memo.
The SSPs will be sent to Servicing C&A Office’s mailbox for version control and upload to TAF
Review and Concur with Results 5 days/2-3 hrs per system
Update POA&M with Identified Weaknesses 5 days/2-3 hrs per system
Assist System POC in Briefing DAA (upon request) Brief System DAA 1 day/1 hr
Upload Test Results to TAF
Page 31
Implementation Process and Next StepsImplementation Process and Next Steps
• SPMOs Train Test Teams and start control selection process: Feb 2008• Hold Pretest Status Meetings: Feb 2008
Deliver Control Selection memos and test workbooks to begin FY08 testingObjective – ensure test teams to prepared to start testing
• Complete Control Selection Matrix• Review Control Selection Memo and request DAA signature • Provide Workbooks with expected test completion dates• Start testing
• Provide test support during all test phases: Feb 2008 – Apr 2008• Hold Close-out Status Meeting: May 2008
Objective is to close-out previous test phase and begin next test phase
• Close-out to Discuss/resolve issues associated with test results, process, etc.• Review executive summary and request signature• Update SSP (if necessary)
• Start new cycle with FISMA 09 Status Meeting: June 2008
Page 32
Q&AQ&A