1 / 39

Environmental Protection Agency Shared Service Center

Environmental Protection Agency Shared Service Center. INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING. Our Vision. Help federal managers & and IT professionals understand & successfully implement the federal risk management framework so they can manage information

oshin
Télécharger la présentation

Environmental Protection Agency Shared Service Center

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Environmental Protection AgencyShared Service Center INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING

  2. Our Vision • Help federal managers & and IT • professionals understand • & successfully implement the • federal risk management framework • so they can manage information • and IT assets in accordance with • federal standards

  3. Agenda/Presentation Overview • SSC Goals • Role in the Risk Management Framework • ASSERT Capabilities • EPA’s SSC Process • Consortium Benefits • Implementation Timeframe • Pricing • Summary

  4. Integrated Security Solution – Our Goals • Assistyour information security program using proven, effective practices • Savetime and resources spent on FISMA quarterly and annual reporting to OMB • Aidperformance on the Annual Congressional Scorecard

  5. EPA’s Integrated Security Solution FIPS 199 FIPS 200 FIPS 200 800-42 800-60 800-53 800-53a ASSERT Information System C&A 800-37 800-30 800-37 800-18 FIPS 200 800-53a 800-64 800-70

  6. Time to Talk AboutASSERT

  7. Secure Web Access Portal for Ease of Use System Categorization System Inventory Management Risk Identification Control Tailoring Continuous Monitoring: Implementation, Testing, and Remediation (POAM Tasks) Management Oversight FISMA Reporting Compliance ASSERTCapabilities • “Since 2004 SSA has used • the ASSERT tool.  It has • met all our expectations • and more as the IG and • their contractor have also • given it a ‘thumbs up.’  • … We at SSA highly • recommend the tool.”  • Bob Burch, • FISMA Manager • Social Security Administration

  8. ASSERTSecure Web Access Customized with your logo and colors Conforms with Moderate Baseline & FIPS 140-2 encryption Post news and announcements for users

  9. ASSERTPortal: Ease of Use See summary information What you see is based on your job assignments Focus on critical items Perform key functions at the click of a button Access details via links

  10. ASSERTSystem CategorizationBusiness Orientation Helps users identify Business Areas, Lines of Business Walks users through a structured interview or supports expert mode Extensive links to help Button navigation

  11. ASSERTSystem CategorizationGuidance for Users Coaching for decisions on confidentiality, integrity, and availability Low Low Moderate Helps identify Other Factors and Special Factors affecting categorization

  12. ASSERTInventory Management Maintain FISMA or full Agency Inventory Identify GSS/MA Relationships across Agency 12

  13. ASSERTRisk Identification and Control Tailoring Scoping Risk values Review status 13

  14. ASSERTContinuous Monitoring: Implementation Base Control Implementation documented & available for export to Security Plan Enhancements

  15. ASSERTContinuous Monitoring: Testing Show expected test step results and require documentation of variances Roll up to Control status Document the test step result Certify the test step result

  16. ASSERTContinuous Monitoring: Remediation Tasks for remediating the control

  17. ASSERTManagement Oversight Real-time report data Export to PDF or Excel or on-screen view

  18. ASSERTManagement Oversight Color coding and words

  19. ASSERTFISMA Reporting Compliance Expands to show totals by categorization level

  20. ASSERTFISMA Reporting Compliance

  21. ASSERTTechnical Specifications • ColdFusion MX7 front-end • Oracle 10g database • Accessed via the Web using FIPS 140-2 compliant encrypted connection (https://) • No mobile code or special ports • Scalable for number of organizational units, systems and users

  22. A Solid Foundation inASSERT • A stable, effective, full-featured tool • Secure web-based access to a centralized database • Complies with Moderate baseline controls • Full cycle of FISMA-mandated activities supported • Reporting capabilities “The elements and phases of the ASSERT SPM appear not only to comply with DITSCAP requirements, but they are much more comprehensive and specify many more steps in the software accreditation and implementation process for EPA. In addition, each element of the ASSERT System has very specific QA requirements for documentation and approval.” Kevin Hull, December 2006 Independent QA Auditor 22

  23. EPA’s Shared Service Center:Customized Services 23

  24. EPA’s Shared Service Center Offerings • Implementation support • Software deployment • Ongoing management & operational support • Technical hosting options • Consortium membership

  25. SSC Implementation Support • Evaluate current processes and security environment • Recommend implementation plan based on effective practices • If requested, provide CISO and staff with business and technical consulting • Help migrate existing data, tailor controls • Offer user training and help desk support

  26. SSC Software Deployment • Flexibility through customization of… • Agency logo and preferred colors • Organizational structure • Standardized terms • Support for loading information • System-user information • Assessment and POAM history • Agency specific NIST-compliant policies to reference • Agency specific common controls, risk management decisions

  27. SSC Management & Operational Support • Sharing of best practices • FISMA management and reporting services: • Management and business process consultation • Analysis, such as policy alignment • Customized reports • Staff augmentation • Comprehensive user training • Relates software to business processes • Can qualify as specialized IT training • Help desk support

  28. SSC Technical Hosting Options • EPA hosting service • Centralized database instance for each agency, with segregation of data • System platforms, management and monitoring • Fully certified and accredited environments • Participant agency hosting • Provide own system platforms, management and monitoring

  29. ASSERTConsortium • Consortium Board sets vision and directs software evolution • Configuration Control Board oversees the ASSERTfeature set • Members share best practices and leverage costs • Reasonablypriced to accommodate agencies of all sizes • 2006 membership: • EPA, GSA, SSA, USDA

  30. Consortium Members’ Security Grades: 2001-2005 NOTE: USDA joined in 2006.

  31. Consortium Process Gather Requirements Analyze & Define Review by Consortium Board Formalize Request Approval by CCB Develop & Deploy Process repeats as necessary

  32. EPA’s Integrated Security Solution: Getting There

  33. Cost: Sliding Scale * To Be Negotiated 33

  34. SummaryEPA’s Integrated Security Solution • A proven business model • Conformance to the federal risk management framework • Proven, stable software solution since 2002 • Services to support implementation and beyond • Consortium in operation since 2004 • Consortium members got “A’s” on 2005 Congressional Scorecard

  35. Benefits • Conforms to the federal risk management framework and federal standards • Standardizes and integrates security practices with business processes • Affordable for agencies of all sizes • Comprehensive solution: • Services for implementation plus ongoing management and operations support • ASSERTsoftware

  36. Benefits (continued) • Well-integrated with OMB regulations and NIST methodology for continuous monitoring of controls • Active consortium of government agencies • Direct the system vision and development • Reduce costs through shared resources • Sets software feature direction

  37. Summary: This Approach Standardizes and integrates security practices with business processes… …with the help of an agency that has been there before.

  38. EPA Open House • Consortium Open House, April 5 from 9 am to 3 pm • At EPA East, 12th & Constitution, Rooms 1117A & B • Come for panel discussions, Q&A, and demos 38

  39. Environmental Protection AgencyShared Service Center FISMA Reporting Solution For more information, please contact: Don Huddleston U.S. EPA 202-566-1462 huddleston.don@epa.gov Bernice Bealle U.S. EPA 202-566-0716 bealle.bernice@epa.gov Marian Cody, CISO U.S. EPA 202-566-0302 cody.marian@epa.gov 39

More Related