Enterprise Continuous Monitoring Program Training Date.

Enterprise Continuous Monitoring Program

TrainingDate

ContentsContents

• Continuous Monitoring Refresher• Continuous Monitoring Process Approach for FY08• Task Overview and Activity Breakout• Implementation Process and Next Steps• Q&A

Continuous Monitoring Refresher Continuous Monitoring Refresher

• What is Continuous Monitoring (CM)?

The Federal Information Security Management Act of 2002 (FISMA) requires periodic testing (at least annually) of selected security controls for all federal certified and accredited (C&A) systems to evaluate their effectivenessSystem documentation is updated to reflect changes and modifications to the system While general guidance on continuous monitoring is provided by National Institute of Standards and Technology (NIST) SP 800-37 and SP 800-53A, the Agency follows guidance to help create their process framework

• The establishment of a robust Continuous Monitoring Framework is an integral piece of the information security program

• A solid continuous monitoring approach will keep system stakeholders apprised of their security status and help integrate security into everyday roles and responsibilities

• FY08 framework is based on the need for an enterprise continuous approach and on guidance for the selection of controls and discussion with auditors

Continuous Monitoring Refresher (continued)Continuous Monitoring Refresher (continued)

• Security controls are to be tested on an annual basisContinuous Monitoring would occur between C&A/Security Test & Evaluation (ST&E) cycles for systems

A minimum number of security controls will be tested to monitor the state of security for all systems on a yearly basis as well as satisfying FISMA requirements

Testing throughout the year fosters a more active Plans of Action & Milestones (POA&M) update and reconciliation process strengthening the accuracy and accountability of each system’s POA&M and high volatility controls

• Eventually, continuous monitoring will be integrated into the quarterly POA&M update process allowing the system stakeholders to use these plans to guide future security certification and accreditation activities

Continuous Monitoring Approach for FY08Continuous Monitoring Approach for FY08

• Starting the process earlier in FY08• May use a three-phrase approach for system testing (similar to C&As)• Takes lessons learned from both an audit report and stakeholders

Security controls are to be tested on an annual basisConduct internal meetings, surveys, or questionnaires with System Points of Contact (POCs) and stakeholders to help identify system changes to POCs or security controls (Security Control Assessment Guide provides a list of questions to assist with determining significant changes to the system)Conduct training with all SPMOs on the enterprise continuous monitoring approachProvide Security Program Management Office (SPMO) with a training deck to assist the System POC and testers with security control testingConduct pre-testing kick-off meeting to outline how testing will be conductedCoordinate C&A documentation updates with CM activities Review each system to determine application-specific control set for testing

Task 1: Initiation and PlanningTask 1: Initiation and Planning

TASK 1Initiation and

Planning

TASK 5Analyze Results

TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test

TASK 6Confirm Results

Continuous Monitoring

Cycle

Task 1: Initiation and Planning OverviewTask 1: Initiation and Planning Overview

• The Initiation and Planning task includes activities that will assist in the overall continuous monitoring process.

• Systems undergoing CM during the FISMA year are identified and scheduled for testing.

• C&A documentation from the previous cycle stored in Trusted Agent FISMA (TAF) is downloaded and reviewed to ensure that the appropriate controls are identified, selected, and fed into Task 2.

• Distribute Security Control Selection Guide to assist business owners in identifying any changes necessary to select controls.

• A preliminary update is made to the System Security Plans (SSPs) (via Appendix YY) based on the results from the questions answered from the Security Control Selection Guide.

• Testing of controls will not be the responsibility of any one individual or organization. Depending on the controls selected, the test team may involve Information Technology Business Unit representatives to conduct tests with a technical or operational flavor.

• Stakeholder training will be provided to help set expectations and educate the stakeholders on roles/responsibilities, tasks, activities and schedules

Task 1: Initiation and Planning - Activity BreakoutTask 1: Initiation and Planning - Activity Breakout

SPMO System POC Duration/LOE

Identify systems for Continuous Monitoring 1 day/1 hr

Prepare Schedule (i.e. determine participant availability, determine blackout dates, gather all documentation, etc.) for Continuous Monitoring activities

Provide SPMO with Participant List for CM Testing and Training

1 day/1 hr

Send Schedule to: •Application Development (AD) PMO•Enterprise Operations (EoPS)•System POCs•Business Unit Security PMO•Servicing C&A Office

Review the test schedule, provide feedback to SPMO and prepare for CM

1 day/1 hr

Provide Control Selection Assessment Guide to System POC

Implement guidance to select controls 7 days/1 hr per system

Task 1: Initiation and Planning - Activity Breakout (continued)Task 1: Initiation and Planning - Activity Breakout (continued)


Gather Closed Plan of Action and Milestones (POA&Ms) and previous C&A documentation including previous SAR and ST&E results

Current updates to SSP (Appendix YY)

Select Test Team (include IT Business Unit as required)

Provide input into Test Team Selection 1 day/1 hr per system

Conduct training for all stakeholders involved in CM activities

Participate in training and ensure that the required participants are invited to the training

2 days/2 hrs

Task 2: Control SelectionTask 2: Control Selection


Planning


TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test



Cycle

Task 2: Control Selection OverviewTask 2: Control Selection Overview

• Test Control Selection is conducted by the business owner based on the Assessment Control Selection Guide

• The list of the mandatory and high volatility NIST SP 800-53 controls to test for each system during the annual cycle is pre-determined and should be used as a starting point for control selection

• Other controls to be selected include closed POA&M controls• Collaboration between the stakeholders will help determine any

additional security controls should be tested throughout the year• Selected controls should reflect the agencies priorities and the

importance of the information system to the agency. For example, certain security controls may be considered more critical than other controls because of the potential impact on the information system if those controls were subverted or found to be ineffective.

• Once selected, a control selection agreement is formalized via the Control Selection Memo process

Task 2: Control Selection Overview (continued)Task 2: Control Selection Overview (continued)

• The Assessment Control Selection Guide was created to assist the SPMO/business owner to select the security controls to be tested for the purpose of performing continuous monitoring/annual security control testing.

• The flow of the guide is as follows:The Security Control Selection Guide Overview - will provide the document’s background and purposeThe Security Control Selection Process

• Types of Controls – discusses the types of controls from which a system owner will select the controls to be evaluated during continuous monitoring.

• Types of Security Control Testing – covers the two types of security control testing based on whether a system has performed a Certification and Accreditations (C&A) in the current FISMA cycle.

• Selection of Additional Volatile Controls – details three approaches for further selection an additional subset of controls

A quick reference guide summary

Task 2: Control Selection - Activity BreakoutTask 2: Control Selection - Activity Breakout


Identify and Select System Specific Controls for each system.

Work in conjunction (as needed) with the Business Owner and SPMO to assist with any Control Selection

5 days/2 hrs

Once the controls are selected, prepare the Security Control Selection Memo for DAA and SPMO signature.

The signed Control Selection Memo will be sent to the System POC

Review the Control Selection Memo and obtain the DAA signature

2 days/1 hr

Task 3: Pre-Test PreparationTask 3: Pre-Test Preparation


Planning


TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test



Cycle

Task 3: Pre-Test Preparation OverviewTask 3: Pre-Test Preparation Overview

• Update testing workbooks with selected controls • Update any security controls with additional technical test cases from

previous C&A effort referring to the ST&E plan for these test cases• Testing workbooks are MS Excel spreadsheets containing controls

selection matrix, security assessment report form and test cases for each control

• A testing schedule is created and finalized during the “pre-test” meeting

• The “pre-test” meeting will be held for each systemInvites will be sent outOutlines specific testing guidelinesAnswers questions about the evidence requiredObtain participation commitments

Task 3: Pre-Test Preparation Overview (continued)Task 3: Pre-Test Preparation Overview (continued)

• Workbook Tab – Control Selection Matrix

• Workbook Tab – Control test cases and Sample


• Workbook Tab – Security Assessment Reporting Form


Task 3: Pre-Test Preparation - Activity BreakoutTask 3: Pre-Test Preparation - Activity Breakout


Distribute customize Test Workbooks to the System POCs

Distribute to test team 3 days/TBD

Develop a Testing Schedule Review the Testing Schedule and Prepare for Testing

1 day/1 hr

Conduct the Pre-Test Meeting Participate in Pre-Test Meeting (required)

Agree upon Testing Schedule

5 days/1 hr per system

Task 4: Perform TestTask 4: Perform Test


Planning


TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test



Cycle

Task 4: Perform Test OverviewTask 4: Perform Test Overview

• Controls will be tested using NIST 800-53A test procedures and documented in the testing workbooks for each system

Assessment methods are used to assess objects (in parentheses):

- Examine (documents - to include gathered evidence as necessary)- Interview (personnel)- Test (activities or HW/SW)

Note how the NIST guidance aligns with our process

• Input = Phase 2 (Control Selection)• Processing = Phase 3 (Pre-Test Prep)• Output = Phase 4 (Perform Test)

Task 4: Perform Test Overview (continued)Task 4: Perform Test Overview (continued)

• CM tests can be conducted via teleconferenceInvitations should be sent out

• Documentation will be updated with test resultsWorkbooks/Reports

SSPs (via Appendix YY)• Appendix YY will be used to document changes from the test results

Contains control status updates

• SSP Appendix YY will be validated with the system stakeholders and any last documentation updates will be made

Task 4: Perform Test - Activity BreakoutTask 4: Perform Test - Activity Breakout


Oversee CM Test Conduct CM Testing. Compile Test Results and Update Workbook/Develop Test Report

10 days/2-3 hrs per system

Send email requesting Final Documentation/Artifacts

2 days

Send any testing verification documentation/artifacts to SPMO

2 days/as needed

Validate SSP 3 days/1 hr per system

Finalize Workbook/Test Report

Task 5: Analyze ResultsTask 5: Analyze Results


Planning


TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test



Cycle

Task 5: Analyze Results OverviewTask 5: Analyze Results Overview

• Upon completion of the testing workbooks, the System POC delivers the test results to the SPMO

• SPMO will perform analysis of the documented results providing scoring recommendations for the evaluated security controls

• The scoring methodology ensures the test procedures are assessed appropriately and the required evidence is provided for audit purposes

Task 5: Analyze Results Overview (continued) Task 5: Analyze Results Overview (continued) • Scoring criteria is based on a “Satisfied” or an “Other than satisfied” for

each determination statement under each control test procedure:

If the results are determined to be sufficient and the test procedure is determined to be satisfied, the determination statement and procedure will be marked as “S/Satisfied”

If the test procedure is not fully addressed or the results determine the system does not comply, the determination statement and procedure will be marked as “O/Other than satisfied”

If the determination statement and procedure is not applicable to the information system, the determination statement and procedure will be marked as “N/A.”

• Based on the determination statement results, the test teams should mark the control as “In Place, Partial, Planned, risk based decision, or Not Applicable”

Scoring criteria consistent with NIST guidance has been applied to ensure that test procedure is assessed to determine if the result sufficiently addresses the focus of the test procedure and that the required evidence is provided

• Should all of the determination statements and test procedures for a control be marked as “S/Satisfied”, then the control will be scored as “In Place”.

• Should one or more of the determination statements and test procedures for a control be marked as “O/Other than satisfied”, then the control will be scored as “Partially in Place”.

• Should most or all of the determination statements and test procedures for a control be marked as “O/Other than satisfied” or “N/A.”, then the control will be scored as “Planned, RBD, or N/A”.

Task 5: Analyze Results - Activity BreakoutTask 5: Analyze Results - Activity Breakout


Perform analysis of test results 20 days

Complete Results/Scoring in Workbooks 1 day

Task 6: Confirm ResultsTask 6: Confirm Results


Planning


TASK 2Control

Selection

TASK 3Pre-Test

Preparation

TASK 4Perform Test



Cycle

Task 6: Confirm Results OverviewTask 6: Confirm Results Overview

• Following the completion of results analysis by SPMO, SPMO representatives will deliver the “CM Package” to the system POCs

• The CM package contains the analysis of each system’s respective test results, including an executive-style report describing the scoring recommendations and identifying all weaknesses to each system

CM Package also contains the Signed Control Selection MemoThe system owner will review and concur with the resultsThis will allow the system stakeholders and the SPMO the opportunity to discuss scoring recommendations made by the SPMO, and give the SPMO representatives the opportunity to explain scoring rationale and justifications

• Upon agreement between the system stakeholders and SPMO representatives, the confirmed results will be used to update each system’s respective POA&M

If not in agreement, SPMO representatives will work with system stakeholders to ensure results are agreed upon before the system POC updates their system POA&M (if applicable)

• Finally, the DAA is briefed of the results by the system POC and the SPMO uploads the final CM Package to TAF

Task 6: Confirm Results - Activity BreakoutTask 6: Confirm Results - Activity Breakout


Complete Results/Scoring in Workbooks

Deliver CM Package to System POC.

The CM package will include the Test Reports, Scored Workbooks, and Signed Control Selection Memo.

The SSPs will be sent to Servicing C&A Office’s mailbox for version control and upload to TAF

Review and Concur with Results 5 days/2-3 hrs per system

Update POA&M with Identified Weaknesses 5 days/2-3 hrs per system

Assist System POC in Briefing DAA (upon request) Brief System DAA 1 day/1 hr

Upload Test Results to TAF

Implementation Process and Next StepsImplementation Process and Next Steps

• SPMOs Train Test Teams and start control selection process: Feb 2008• Hold Pretest Status Meetings: Feb 2008

Deliver Control Selection memos and test workbooks to begin FY08 testingObjective – ensure test teams to prepared to start testing

• Complete Control Selection Matrix• Review Control Selection Memo and request DAA signature • Provide Workbooks with expected test completion dates• Start testing

• Provide test support during all test phases: Feb 2008 – Apr 2008• Hold Close-out Status Meeting: May 2008

Objective is to close-out previous test phase and begin next test phase

• Close-out to Discuss/resolve issues associated with test results, process, etc.• Review executive summary and request signature• Update SSP (if necessary)

• Start new cycle with FISMA 09 Status Meeting: June 2008

Q&AQ&A

Enterprise Continuous Monitoring Program Training Date.

Documents

Transcript of Enterprise Continuous Monitoring Program Training Date.