INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING (PowerPoint presentation transcript)
Slides: 40
Provided by: StuartKo

1
Environmental Protection Agency Shared Service Center
  • INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING

2
Our Vision
Help federal managers and IT professionals
understand and successfully implement the federal
risk management framework so they can manage
information and IT assets in accordance with
federal standards
3
Agenda/Presentation Overview
  • SSC Goals
  • Role in the Risk Management Framework
  • ASSERT Capabilities
  • EPA's SSC Process
  • Consortium Benefits
  • Implementation Timeframe
  • Pricing
  • Summary

4
Integrated Security Solution: Our Goals
  • Assist your information security program using
    proven, effective practices
  • Save time and resources spent on FISMA quarterly
    and annual reporting to OMB
  • Aid performance on the Annual Congressional
    Scorecard

5
EPA's Integrated Security Solution
(Diagram: ASSERT and the Information System sit at the center of the certification and accreditation (C&A) cycle, surrounded by the applicable standards: FIPS 199, FIPS 200, SP 800-18, 800-30, 800-37, 800-42, 800-53, 800-53A, 800-60, 800-64 and 800-70)
6
Time to Talk About ASSERT
7

ASSERT Capabilities
  • Secure Web Access
  • Portal for Ease of Use
  • System Categorization
  • System Inventory Management
  • Risk Identification
  • Control Tailoring
  • Continuous Monitoring Implementation, Testing,
    and Remediation (POA&M Tasks)
  • Management Oversight
  • FISMA Reporting Compliance

"Since 2004 SSA has used the ASSERT tool. It
has met all our expectations and more, as the IG
and their contractor have also given it a
thumbs up. We at SSA highly recommend the
tool."
Bob Burch, FISMA Manager, Social Security Administration
8
ASSERT Secure Web Access
Customized with your logo and colors
Conforms with Moderate Baseline FIPS 140-2
encryption
Post news and announcements for users
9
ASSERT Portal: Ease of Use
See summary information
What you see is based on your job assignments
Focus on critical items
Perform key functions at the click of a button
Access details via links
10
ASSERT System Categorization: Business Orientation
Helps users identify Business Areas, Lines of
Business
Walks users through a structured interview or
supports expert mode
Extensive links to help
Button navigation
11
ASSERT System Categorization: Guidance for Users
Coaching for decisions on confidentiality,
integrity, and availability
(Screenshot shows example impact ratings: Low, Low, Moderate)
Helps identify Other Factors and Special Factors
affecting categorization
12
ASSERT Inventory Management
Maintain FISMA or full Agency Inventory
Identify GSS/MA Relationships across Agency
13
ASSERT Risk Identification and Control Tailoring
Scoping
Risk values
Review status
14
ASSERT Continuous Monitoring Implementation
Base Control
Implementation documented, available for export
to Security Plan
Enhancements
15
ASSERT Continuous Monitoring Testing
Show expected test step results and require
documentation of variances
Roll up to Control status
Document the test step result
Certify the test step result
16
ASSERT Continuous Monitoring Remediation
Tasks for remediating the control
17
ASSERT Management Oversight
Real-time report data
Export to PDF or Excel or on-screen view
18
ASSERT Management Oversight
Color coding and words
19
ASSERT FISMA Reporting Compliance
Expands to show totals by categorization level
20
ASSERT FISMA Reporting Compliance
21
ASSERT Technical Specifications
  • ColdFusion MX7 front-end
  • Oracle 10g database
  • Accessed via the Web using a FIPS 140-2 compliant
    encrypted connection (https://)
  • No mobile code or special ports
  • Scalable for number of organizational units,
    systems and users

22
A Solid Foundation in ASSERT
  • A stable, effective, full-featured tool
  • Secure web-based access to a centralized database
  • Complies with Moderate baseline controls
  • Full cycle of FISMA-mandated activities supported
  • Reporting capabilities

"The elements and phases of the ASSERT SPM appear
not only to comply with DITSCAP requirements, but
they are much more comprehensive and specify many
more steps in the software accreditation and
implementation process for EPA. In addition, each
element of the ASSERT System has very specific QA
requirements for documentation and
approval."
Kevin Hull, Independent QA Auditor, December 2006
23
EPA's Shared Service Center: Customized Services
Participation Level | Items
Government Off-the-Shelf (GOTS) | Downloadable software
Consortium Membership | Technology updates and refreshes; Membership on the Configuration Control Board
Readiness Review | Implementation requirements
Additional Services | Data conversion; Training; Reports; Other security-related services
24
EPA's Shared Service Center Offerings
  • Implementation support
  • Software deployment
  • Ongoing management and operational support
  • Technical hosting options
  • Consortium membership

25
SSC Implementation Support
  • Evaluate current processes and security
    environment
  • Recommend implementation plan based on effective
    practices
  • If requested, provide CISO and staff with
    business and technical consulting
  • Help migrate existing data, tailor controls
  • Offer user training and help desk support

26
SSC Software Deployment
  • Flexibility through customization of:
      • Agency logo and preferred colors
      • Organizational structure
      • Standardized terms
  • Support for loading information:
      • System-user information
      • Assessment and POA&M history
      • Agency-specific NIST-compliant policies to
        reference
      • Agency-specific common controls and risk management
        decisions

27
SSC Management and Operational Support
  • Sharing of best practices
  • FISMA management and reporting services
  • Management and business process consultation
  • Analysis, such as policy alignment
  • Customized reports
  • Staff augmentation
  • Comprehensive user training:
      • Relates software to business processes
      • Can qualify as specialized IT training
  • Help desk support

28
SSC Technical Hosting Options
  • EPA hosting service:
      • Centralized database instance for each agency,
        with segregation of data
      • System platforms, management and monitoring
      • Fully certified and accredited environments
  • Participant agency hosting:
      • Provide own system platforms, management and
        monitoring

29
ASSERT Consortium
  • Consortium Board sets vision and directs software
    evolution
  • Configuration Control Board oversees the ASSERT
    feature set
  • Members share best practices and leverage costs
  • Reasonably priced to accommodate agencies of all
    sizes
  • 2006 membership:
      • EPA, GSA, SSA, USDA

30
Consortium Members' Security Grades, 2001-2005
Agency | 2001 | 2002 | 2003 | 2004 | 2005
Environmental Protection Agency | D | D- (founded) | C | B | A
General Services Administration | D | D | D | C (joined) | A-
Social Security Administration | C | B- | B | B (joined) | A
NOTE: USDA joined in 2006.
31
Consortium Process
Gather Requirements → Analyze & Define → Review by Consortium Board → Formalize Request → Approval by CCB → Develop & Deploy
Process repeats as necessary
32
EPA's Integrated Security Solution: Getting There
Timeframe | Activities
FY 2007 | Evaluation of current processes and security environment
FY 2008 | Migrate data, implement system, and train users
FY 2009 | Improved security program
33
Cost: Sliding Scale
Participation Level | Year 1 | Annual
GOTS | None | None
Consortium Membership | Mega Agency: TBN; Large Agency: 250,000; Mid-size Agency: 150,000; Small Agency: 50,000; Micro Agency: Shared instance | Mega Agency: TBN; Large Agency: 250,000; Mid-size Agency: 150,000; Small Agency: 50,000; Micro Agency: TBN
Readiness Review | Mega Agency: TBN; Large Agency: 25,000; Mid-size Agency: 25,000; Small Agency: Included; Micro Agency: TBN | None
Additional Services | Priced per request
TBN = To Be Negotiated
34
Summary: EPA's Integrated Security Solution
  • A proven business model
  • Conformance to the federal risk management
    framework
  • Proven, stable software solution since 2002
  • Services to support implementation and beyond
  • Consortium in operation since 2004
  • Consortium members got A's on the 2005
    Congressional Scorecard

35
Benefits
  • Conforms to the federal risk management framework
    and federal standards
  • Standardizes and integrates security practices
    with business processes
  • Affordable for agencies of all sizes
  • Comprehensive solution
  • Services for implementation plus ongoing
    management and operations support
  • ASSERT software

36
Benefits (continued)
  • Well-integrated with OMB regulations and NIST
    methodology for continuous monitoring of controls
  • Active consortium of government agencies:
      • Directs the system vision and development
      • Reduces costs through shared resources
      • Sets software feature direction

37
Summary: This Approach
Standardizes and integrates security practices
with business processes with the help of an
agency that has been there before.
38
EPA Open House
  • Consortium Open House, April 5 from 9 am to 3 pm
  • At EPA East, 12th & Constitution, Rooms 1117A & B
  • Come for panel discussions, Q&A, and demos

39
Environmental Protection Agency Shared Service Center
FISMA Reporting Solution
For more information, please contact:
Bernice Bealle, U.S. EPA, 202-566-0716, bealle.bernice_at_epa.gov
Don Huddleston, U.S. EPA, 202-566-1462, huddleston.don_at_epa.gov
Marian Cody, CISO, U.S. EPA, 202-566-0302, cody.marian_at_epa.gov