USDA Cyber Security Program

1

• USDA Cyber Security Program
• July 2005

2
Cyber Security Program

• Establishes a standard oversight structure to
  ensure that adequate security is provided for all
  USDA information collected, processed,
  transmitted, stored, or disseminated by USDA
  information technology.

3
Program Goals

• Comply with applicable laws and guidance
• Reduce and manage security risks to acceptable
  levels
• Assure operational continuity

4
Applicable laws and regulatory references

• Federal Information Security Management Act
• OMB Circular No A-130 Security of Federal
  Automated Information Resources (Appendix III)
  (11/00)
• Clinger-Cohen Act
• DM 3500 Cyber Security Manual
• DR 3140-001 Information Systems Security Policy
• Computer Security Act of 1987 (Public Law
  100-235)
• Privacy Act of 1974

5
Roles and Responsibilities

• Chief Information Officer (CIO)
• Associate Chief Information Officer (ACIO for
  Cyber Security)
• Agency CIO/Designated Approving Authority (DAA)
• Agency Information System Security Program
  Manager (ISSPM)
• Agency Information System Security Officer (ISSO)
• USDA users, contractors, other employees

6
Programs

• Federal Information Security Management Act
  (FISMA)
• Contingency Planning
• Security Awareness and Training
• Configuration Management
• Certification and Accreditation
• Privacy
• Incident Response

7
Compliance

• Oversight Security Reviews
• Risk Assessments
• Security Plan Review
• Capital Planning and Investment Control (CPIC)
• Independent Validation and Verification (IVV)
• FISMA reporting (Security Metrics)
• Self-assessments
• OIG and GAO audits
• Certification and Accreditation
• Plans of Action and Milestones (POAMs)
• Operating System Configurations
• Scanning
• Incident Response

8
Compliance Framework

• Control objective documented in a security policy
• Controls documented as procedures
• Procedures have been implemented
• Procedures and security controls have been tested
  and reviewed
• Procedures and security controls are fully
  integrated procedures and controls

9
Policy (baseline)

• Management Controls focus on the management of
  the IT security system and the management of risk
  for a system
• Operational Controls address security methods
  focusing on mechanisms primarily implemented and
  executed by people. These controls improve the
  security of a particular system
• Technical Controls focuses on security controls
  that the system executes. The controls can
  provide automated protection for unauthorized
  access or misuse, facilitate detection of
  security violations, and support security
  requirements for applications and data.

10
Management Controls

• Risk Management
• Review of Security Controls
• Life Cycle
• Authorize Processing (CA)
• System Security Plan

11
Operational Controls

• Personnel Security
• Physical Security
• Production Input/Output controls
• Contingency Planning
• Hardware and Systems Software Maintenance
• Data Integrity
• Documentation
• Security Awareness Training and Education
• Incident Response Capability

12
Technical Controls

• Identification and Authentication
• Logical Access Controls
• Audit Trails

13
Technical support

• Technical Security Architecture
• Mainframe security Tier I
• Desktops/Laptops security/database security
  Tier II
• Network Security Tier III
• Telecommunications
• Software and Tools products for patch
  management, anti-virus, authentication,
  firewalls, wireless

14
Process Support

• Waivers
• CPIC (OMB 300s)
• Liaisons
• Statements of Work (SOWs)/Blanket Purchase
  Agreements (BPAs)
• Technical Working Groups
• Enterprise Architecture

15
OMB 300

• Security and Privacy
• Cost and Funding
• FISMA
• Met Security Requirements?
• CA
• Security Plan
• Security Controls Tested?
• Security Awareness Training
• Incident Handling
• Privacy

16
2005 Strategic Plan

• POAMs improve the database to identify and
  track agencies and department milestones.
• Certification and Accreditation Complete
  accreditation of remaining systems inventory
• Incident management develop database to
  automate incident management process
• Cyber Security Metrics develop performance
  metrics to achieve cyber security requirements
• Security Architecture standardize products and
  product selection
• Wireless evaluate wireless controls in USDA

17
Questions and Answers
Kelvin Fairfax 202-720-2362
Kelvin.Fairfax_at_usda.gov