Office of the Chief Information Security Officer IT Security Procedural Guide: Information Security Continuous Monitoring Strategy CIO-IT Security-12-66
Page 1: IT Governance: Operations and Administration · Web view2017/10/10  · Information Security Continuous Monitoring Strategy CIO-IT Security-12-66, Revision 2 Information Security

Office of the Chief Information Security Officer

IT Security Procedural Guide: Information Security Continuous Monitoring Strategy

CIO-IT Security-12-66


Revision 2

May 26, 2023


CIO-IT Security-12-66, Revision 2 Information Security Continuous Monitoring Strategy

VERSION HISTORY/CHANGE RECORD

Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change

Initial Version - June 24, 2015

1 | Desai | Updates necessary to support requirements within OMB M-14-03. | OMB M-14-03 | Throughout the document

2 | Desai, Davis | Updates necessary to support NIST SP 800-53 R4 and addition of Continuous Monitoring Performance Metrics. | NIST SP 800-53 R4 | Throughout the document

Revision 1 - May 11, 2017

1 | Dean/Klemens | Reformatted to current style and structure. Removed database scanning requirements. | Update to reflect updates to GSA CIO Order 2100.1 and CIO-IT Security-06-30. | Throughout the document

Revision 2 - May 26, 2023

1 | Dean/Feliksa/Klemens/Desai/Valenzuela | Restructured document to reflect current GSA ISCM strategy and program. | Updated to align with GSA’s use of Federal CDM tools and Federal guidance on ISCM and ongoing authorization. Incorporated Executive Order 13800 and NIST Cybersecurity Framework. | Throughout the document

U.S. General Services Administration


APPROVAL

IT Security Procedural Guide: Information Security Continuous Monitoring Strategy, CIO-IT Security-12-66, Revision 2, is hereby approved for distribution.

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division, at [email protected].


11/29/2017

Kurt D. Garbars, Chief Information Security Officer (Signed by: KURT GARBARS)


Table of Contents

1 Introduction.....................................................................................................................1

1.1 Purpose........................................................................................................................2

1.2 Scope............................................................................................................................2

1.3 Policy............................................................................................................................2

1.4 References................................................................................................................... 4

2 Roles and Responsibilities.................................................................................................5

2.1 The Chief Information Security Officer (CISO)..............................................................5

2.2 Authorizing Official (AO)..............................................................................................5

2.3 Information Systems Security Manager (ISSM)............................................................5

2.4 Information Systems Security Owner (ISSO)................................................................6

2.5 System Owner..............................................................................................................6

3 ISCM Implementation Approach.......................................................................................6

3.1 Prerequisites for Requesting Ongoing Authorization...................................................7

3.2 Achieving Ongoing Authorization.................................................................................7

3.3 Automation Capabilities Supporting ISCM...................................................................8

3.4 GSA Security Capabilities...........................................................................................10

3.4.1 Manage Assets...............................................................................................10

3.4.2 Manage Events...............................................................................................13

3.4.3 Manage Additional ISCM Controls.................................................................15

3.4.4 Monitor ISCM Program and System Risk........................................................17

4 GSA ISCM Program.........................................................................................................17

4.1 Maintenance of Ongoing Authorizations...................................................................18

4.2 Handling Incidents or Significant Change within the ISCM Program..........................18

4.3 Security Assessment Requirements...........................................................................19


5 ISCM Program Reporting................................................................................................20

5.1 OCISO Reviews...........................................................................................................20

5.2 Determination of Adequate or Effective Continuous Monitoring..............................20

Appendix A - Continuous Monitoring Controls.......................................................................22

Appendix B – ISCM Cybersecurity Framework Categories and Subcategories.........................36

Table of Figures and Tables

Figure 1-1. Relationship of Risk Management, ISCM, and CDM...............................................1

Figure 3-1. ISCM/CDM Capability Wheel.................................................................................9

Figure 4-1. Comparison of 3-Year ATO and Ongoing Authorization........................................18

Table A-1. Automated Continuous Monitoring Controls with Verification Methods and Frequencies...........................................................................................................................24

Table A-2. Manual Continuous Monitoring Controls with Verification Methods and Frequencies...........................................................................................................................32

Table B-1. ISCM CSF Subcategory Descriptions.......................................................................36


1 Introduction

Information security continuous monitoring (ISCM) as defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”, is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The Department of Homeland Security’s (DHS) Continuous Diagnostic and Mitigation (CDM) program has the objective of automating ISCM functions, providing agencies insight into the current state of their networks and systems at any time.

The CDM program, and its tools implemented by agencies, was established to produce the following benefits:

● Services to implement sensors and dashboards;
● Delivers near-real time results;
● Prioritizes the worst problems within minutes, versus quarterly or annually;
● Enables defenders to identify and mitigate flaws at network speed; and
● Lowers operational risk and exploitation of government IT systems and networks.

Figure 1-1, from DHS’ “Guidance Regarding Improving Continuous Diagnostics and Mitigation Effectiveness Through Cybersecurity Governance and Management”, shows the relationship between risk management, ISCM, and CDM.

Figure 1-1. Relationship of Risk Management, ISCM, and CDM

As stated in NIST 800-137, implementing an effective ISCM strategy and program provides a means to help establish several security-related outcomes, including but not limited to:

● Security metrics monitored frequently across all organizational tiers to provide evidence for decision-making.
● Security controls monitored for effectiveness and changed to respond to the evolving threat environment and new operational needs.
● Enhanced understanding of IT vulnerabilities to adapt security controls over time.
● Continued alignment with the mission and the agency’s risk tolerance.

NIST Interagency Report (NISTIR) 8011, “Automation Support for Security Control Assessments, Volume 1: Overview” and “Volume 2: Hardware Asset Management”, (the NISTIR will ultimately consist of 13 volumes) represent a joint effort between NIST and DHS to provide an operational approach for automating security control assessments. Automating assessments will facilitate ISCM and ongoing security authorizations in a way that is consistent with NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach”, the RMF, and related NIST publications.

Executive Order (EO), EO 13800, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” requires all agencies to use “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) or any successor document to manage the agency’s cybersecurity risk.” This NIST document is commonly referred to as the Cybersecurity Framework (CSF). The CSF complements, and does not replace, an organization’s risk management process and cybersecurity program. General Services Administration (GSA) uses NIST’s RMF as its foundation for managing risk. The tables in Appendix A show the mapping between NIST RMF security control families and CSF Category IDs.

Every General Services Administration (GSA) IT system will benefit from GSA’s CDM, ISCM, and/or risk management processes based on the continuous monitoring of vulnerabilities and threats and actions taken to reduce, mitigate, or eliminate them. GSA has implemented its ISCM program using CDM and other enterprise security tools, regular vulnerability scanning of systems, and the requirement to maintain Security Assessment and Authorization (A&A) documents in an “as-is” state of the system.

1.1 Purpose

The purpose of this guide is to define GSA’s ISCM strategy and its approach for implementing and maintaining an ISCM program and establishing an ongoing authorization (OA) process for systems based on its ISCM program. The guide provides GSA Federal employees and contractors with significant security responsibilities, and other IT personnel involved in implementing the ISCM strategy and program, the specific procedures they are to follow for implementing ISCM features and functions for systems under their purview.

1.2 Scope

The requirements outlined within this guide apply to and must be followed by all GSA Federal employees and contractors who are involved in implementing and maintaining ISCM of GSA information systems and data.

1.3 Policy

GSA CIO Order 2100.1, “GSA Information Technology (IT) Security Policy”, states in:

Chapter 3, paragraph 2.b:

(2) AOs must ensure risk assessments are performed and documented as part of assessment and authorization activities before a system is:

● Placed into production;
● When significant changes are made to the system;
● At least every three (3) years, or
● Via continuous monitoring based on continuous monitoring plans reviewed and accepted by the GSA CISO.

Continuous monitoring plans must be prepared IAW GSA CIO-IT Security 12-66: Information Security Continuous Monitoring Strategy and NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

Chapter 3, paragraph 2.e:

(5) Information systems with expiring ATOs may request a one-time extension of the current ATO for a period not to exceed one year from the date of expiration if during this time the system will be disposed of or to allow development of near real-time continuous monitoring capabilities to support ongoing authorization. ATO extensions must be supported by current vulnerability assessment results (operating system (including database) and web application (as applicable)) and POA&M identifying weaknesses from all sources. AOs must obtain approval from the CISO for the continuous monitoring plans of systems ATOs that have been extended. Plans must be approved within 6 months of the extension. New systems and systems that have undergone or are undergoing a significant change must adhere to the current processes as documented in GSA CIO-IT Security-06-30 Managing Enterprise Risk.

Upon request by a Service or Staff Office (SSO), the Office of the Chief Information Security Officer (OCISO) may accept a GSA information system for ongoing authorization based on its use of CDM and other enterprise ISCM security tools and compliance with the requirements of this guide. Upon acceptance for ongoing authorization, the Information System Security Officer (ISSO) will not need to request re-authorization every three years; however, an event-driven re-authorization will be required if the system:

● Has a significant change as defined in NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems”, Appendix F, Section F.6.
● Has a security breach that impacts the security posture of the system.

GSA information systems that do not meet the qualifying requirements for transitioning to ongoing authorization via GSA’s Continuous Monitoring Program must follow one of GSA’s other A&A processes as defined in GSA IT Security Procedural Guide 06-30, “Managing Enterprise Risk”.

1.4 References

The following Federal Laws, Regulations, Guidance, and Standards, and GSA Directives and Guides provide additional information on security, ISCM, and OA.

Federal Laws and Regulations:

FISMA 2014, Public Law 113-283, “Federal Information Security Modernization Act of 2014”

Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”

OMB Circular A-130, “Managing Information as a Strategic Resource”

OMB Memorandum M-14-03, “Enhancing the Security of Federal Information and Information Systems”

Federal Guidance and Standards:

Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems”

NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach”

NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”

NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”

NISTIR 8011, Volume 1, “Automation Support for Security Control Assessments: Overview”

NISTIR 8011, Volume 2, “Automation Support for Security Control Assessments: Hardware Asset Management”

Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity”

GSA Directives and Guides:

GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy”

GSA Order CIO 2101.1, “GSA Enterprise Information Technology Management (ITM) Policy”

GSA Order CIO P 2181.1, “GSA HSPD-12 Personal Identity Verification and Credentialing Handbook”

GSA Order ADM P 9732.1D, “Suitability and Personnel Security”

CIO-IT Security-01-02, “Incident Response”

CIO-IT Security-01-05, “Configuration Management”

CIO-IT Security-01-08, “Audit and Accountability”

CIO-IT Security-06-29, “Contingency Planning”

CIO-IT Security-06-30, “Managing Enterprise Risk”

CIO-IT Security-09-44, “Plan of Action and Milestones (POA&M)”

CIO-IT Security-17-80, “Vulnerability Management Process”

GSA ISPP, “Information Security Program Plan”


2 Roles and Responsibilities

There are many roles associated with implementing an effective ISCM strategy and program. The roles and responsibilities provided in this section have been extracted or paraphrased from GSA CIO 2100.1 or summarized from GSA and Federal guidance. Throughout this guide specific processes and procedures for implementing GSA’s ISCM strategy and program are described.

2.1 The Chief Information Security Officer (CISO)

Responsibilities include the following:

● Developing, implementing, and maintaining an agency-wide GSA ISCM Strategy and Program.
● Reporting to the GSA CIO on the implementation and maintenance of the GSA’s ISCM Program.
● Acquiring or developing and maintaining automated tools to support ISCM and ongoing authorizations.
● Providing training on the organization’s ISCM program and process.
● Providing support to information system owners on how to implement ISCM for their systems.

2.2 Authorizing Official (AO)

Responsibilities include the following:

● Accepting the risk of operating GSA information systems under their purview, including having implemented required continuous monitoring controls and settings in accordance with GSA and Federal policies and requirements.
● Ensuring a plan of action and milestones (POA&M) item is established and managed to address any controls required as a part of continuous monitoring that have not been fully implemented.
● Reviewing continuous monitoring reports/dashboard and making a risk-based determination on a system’s ongoing authorization status.
● Determining whether a breach or information system change requires an event-driven reauthorization.
● Ensuring the organization’s ISCM program is applied with respect to a given information system.

2.3 Information Systems Security Manager (ISSM)

Responsibilities include the following:

● Monitoring and supporting the resolution of POA&Ms to mitigate system vulnerabilities regarding continuous monitoring controls for all systems under their purview.
● Coordinating with ISSOs to establish and manage ISCM processes and procedures (e.g., reviewing and coordinating ISCM reports/dashboards, reviewing events to determine if an event-driven reauthorization is required, etc.).

2.4 Information Systems Security Owner (ISSO)

Responsibilities include the following:

● Ensuring required continuous monitoring controls and settings are in place and operating in accordance with GSA and Federal policies and requirements.
● Developing and maintaining POA&Ms, as necessary, regarding continuous monitoring controls for assigned systems.
● Verifying the maintenance of (or maintaining) required continuous monitoring documentation.
● Maintaining compliance with continuous monitoring processes and procedures (e.g., inventories are up to date, reports are submitted).
● Assisting in remediation activities as necessary to maintain ongoing authorization.

2.5 System Owner

Responsibilities include the following:

● Ensuring required continuous monitoring controls and settings are in place and operating in accordance with GSA and Federal policies and requirements.
● Maintaining required continuous monitoring documentation.
● Reviewing continuous monitoring reports/dashboard and responding, as necessary, to maintain a system’s ongoing authorization.
● Assisting in determining whether a breach or information system change requires an event-driven reauthorization.

3 ISCM Implementation Approach

GSA has implemented its ISCM program as described in the following sections and summarized below.

● Systems must meet a set of prerequisites in order to request ongoing authorization.
● Systems must have GSA’s CDM and other enterprise ISCM tools deployed on the assets within the system boundary and verify they are operating. Tools are identified in the GSA Enterprise Continuous Monitoring Tools Google Sheet.
● Systems must maintain ISCM documentation at the frequencies defined in Appendix A.
● Systems must maintain all NIST controls in their control sets as specified in their System Security Plans (SSP), including ensuring inherited controls are accurately documented and the controls in Appendix A, Continuous Monitoring Controls, are updated as specified.
● Systems requiring an event-driven reauthorization must update their ongoing authorization letter to reflect re-establishment of their ongoing authorization.

3.1 Prerequisites for Requesting Ongoing Authorization

A GSA information system must meet the following requirements to request ongoing authorization granted by its AO and concurred to by the CISO.

● The information system must have had all of its NIST SP 800-53 security controls for its FIPS 199 level, and any additional controls required by the GSA CISO, assessed and been granted an initial Authority to Operate (ATO) based on a complete A&A package.

● The information system must adhere to GSA’s continuous monitoring processes and procedures as described within this guide, including:

- Deploying GSA’s CDM and other enterprise ISCM tools and verifying they are operating on the platforms listed in the GSA Continuous Monitoring Enterprise Management Tools Google Sheet.

- Maintaining the ISCM manual processes described in Appendix A, and providing updated documents/deliverables as evidence of compliance with the ISCM controls listed there.

- Updating the system’s documentation as described in Appendix A. System documentation must be updated to describe how continuous monitoring controls are using CDM and other enterprise ISCM tools and processes (unless already described in initial A&A documentation).

Note: Information systems with expiring ATOs may request an extension as mentioned in Section 1.3 of this guide in order to implement/develop ISCM capabilities in furtherance of achieving OA.


3.2 Achieving Ongoing Authorization

Information systems must develop an ISCM ATO Package, consisting of:

● ISCM Plan, including (as attachments):
- System Security Plan
- Plan of Action and Milestones (POA&M)
- FISMA Self-Assessment Results
- OS Vulnerability scan results
- Unauthenticated Web Vulnerability scan results (as applicable)
- Authenticated Web Vulnerability scan results (as applicable)
- Penetration Test Results (as applicable)
- Hardware Asset Inventory Report generated by automated tool
- Software Asset Inventory Report generated by automated tool
- Configuration Compliance scan results
- Configuration Management Plan
- IT Contingency Plan
- IT Contingency Plan Test Results
- Incident Response Plan
- Incident Response Plan Test Results
- Privacy Threshold Analysis and Privacy Impact Assessment (PIA) (as applicable)

● Ongoing Authorization Letter

Note: Deviations to both configuration settings and policy requirements must be documented using the Security Deviation Request Form. Deviations to configuration settings must also be identified in the applicable Hardening Guide Security Benchmark.

The ISCM ATO Package documents must include implementation detail of manual processes and automated continuous monitoring controls and the deliverables as identified in Appendix A. Information systems meeting the qualifying requirements must submit their ISCM ATO Package to the OCISO. The CISO will review the system’s security status and documentation and, if the information system meets the ISCM prerequisites and its documentation is acceptable, the CISO will coordinate with the AO in considering the risk to Federal and agency information and operations. If the risk is acceptable, the AO will authorize the system and the CISO will concur by signing the Ongoing Authorization Letter.


3.3 Automation Capabilities Supporting ISCM

NIST SP 800-53 defines a security capability as: “A construct that recognizes that the protection of information being processed, stored, or transmitted by information systems, seldom derives from a single safeguard or countermeasure (i.e., security control). In most cases, such protection results from the selection and implementation of a set of mutually reinforcing security controls.”

NIST SP 800-53, Revision 4 further notes that:

● Failure of a single control or in some cases, the failure of multiple controls, may not affect the overall security capability needed by an organization.
● Employing the broader construct of security capability allows an organization to assess the severity of vulnerabilities discovered in its information systems and determine if the failure of a particular security control (associated with a vulnerability) or the decision not to deploy a certain control, affects the overall capability needed for mission/business protection.

Using this concept of security capability, the DHS CDM program defines and groups ISCM capabilities into 4 families and 15 security capabilities as follows:

1. Manage Assets - What assets do we have and do we have the assets we need?
2. Manage Accounts for People and Services - Do the right people have the right access to do the right things?
3. Manage Events - Are we prepared for and can we respond to incidents?
4. Security Lifecycle Management - Are we considering security throughout the lifecycle of our assets?

Figure 3-1 portrays the DHS CDM Program’s four families and fifteen security capabilities; the figure is also available at the US Computer Emergency Readiness Team (CERT) CDM website.


Figure 3-1. ISCM/CDM Capability Wheel

Four of the five capabilities are provided within Phase 1 of DHS’ CDM program:

- HWAM - Hardware Asset Management
- SWAM - Software Asset Management
- CSM - Configuration Settings Management
- VUL - Vulnerability Management

3.4 GSA Security Capabilities

This section identifies the security capabilities supporting ISCM/CDM that have been implemented by GSA. In addition to the current ISCM processes for monitoring controls, the GSA Enterprise CDM tools will provide inherited controls for HWAM with ForeScout CounterACT/SecureConnector and IBM BigFix, SWAM and Security Configuration Compliance (as a part of Configuration Settings Management) with IBM BigFix, White/Blacklisting with Bit9, and Vulnerability Scanning with Tenable. Machine data from these tools will be aggregated and normalized by Splunk and fed to the RSA Archer Dashboard in order to facilitate near real-time diagnostics and ongoing authorization. As GSA’s Continuous Monitoring program matures over time, additional capabilities will be added.

System Owners, ISSMs, and ISSOs are responsible for ensuring that all ISCM controls are implemented. For inherited controls, including the common portion of hybrid controls, their responsibility is to ensure the providing system agrees the system is inheriting the control. For technical controls satisfied by the implementation of enterprise tools, they must ensure the tools are deployed and operating as intended by the enterprise.

3.4.1 Manage Assets

The Manage Assets family and its capabilities act as a foundation for the other security automation domains. The primary objective of the Manage Assets family is to manage hardware and software inventories and the security (configuration and vulnerabilities) of the inventoried assets in the organization.

3.4.1.1 Hardware Asset Management (HWAM)

Purpose - Maintain an asset inventory of authorized hardware assets/devices allowed to connect to a network. Identify unauthorized and unmanaged devices that are likely to be used by attackers as a platform from which to extend compromise of a network. The Hardware Asset Management capability ensures that a hardware inventory and supporting processes are in place to confirm that only authorized hardware can be added to a network.

NIST SP 800-53 Controls - Controls related to hardware asset management include but are not limited to CM-8, CM-8(1), CM-8(2), CM-8(3), CM-8(4), CM-8(5), and CM-8(7).

Target Attack Vectors - Attackable Hardware Devices including all IP-addressable devices (or equivalent) on a network. Attackers continually scan for hardware systems that they can exploit to gain control of and use to access other devices and data. Typically, the most exposed devices are unauthorized or unmanaged.

Implementation Approach - Maintain a list of authorized hardware and who manages it. Treat other hardware on the network as a defect. Remove, authorize/assign, or accept risk of unauthorized hardware assets. This can be accomplished via a combination of system configuration, network management, and license management tools, or with a special-purpose tool. Employ both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic.

GSA Enterprise Tool(s) - GSA uses a combination of agent-based, agentless (discovery scans), network management, IT Service Management, and IP Management solutions to implement hardware asset management. Please refer to the GSA Enterprise Continuous Monitoring Tools for a detailed list of tools used to implement hardware asset management for different asset categories in the GSA environment.

3.4.1.2 Software Asset Management (SWAM)

Purpose - Maintain an asset inventory of approved software. Identify unauthorized software on devices that are likely to be used by attackers as a platform from which to extend compromise of a network.

NIST SP 800-53 Controls - Controls related to software asset management are CM-2, CM-2(1), CM-2(2), CM-7(4), and CM-7(5).

Target Attack Vectors - Software products (e.g., MS-Word) and executables (individual program files). Identify executables by their digital fingerprint.

Implementation Approach - Maintain a list of authorized software at both the product and executable level. Treat other software actually on the network as a defect. In other words, deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. Remove, authorize/assign, or accept risk of unauthorized software.

GSA Enterprise Tool(s) - GSA uses a combination of agent-based solutions (e.g. BigFix, MaaS360, and Tenable Security Center) to implement software asset management. GSA also uses application whitelisting tools (e.g., Bit9) to prevent software execution in accordance with (IAW) the list of authorized software programs. The GSA Enterprise Continuous Monitoring Tools provides a detailed list of tools used to implement software asset management for different asset categories in the GSA environment.

3.4.1.3 Configuration Settings Management (CSM)

Configuration settings management is primarily focused on the configuration status of computing devices and software across an enterprise. It involves determining compliance by collecting detailed information about specific configuration settings and comparing that data against an organization’s standard configuration. GSA has established a series of hardening guides for commonly used technologies (e.g., operating systems, database management systems) with defined standard configuration settings against which existing and newly added assets will be measured. Hardening guides are available on the IT Security Technical Guides and Standards webpage. CDM tools (e.g., BigFix, Tenable) will be used for measuring configuration compliance and can support determining root causes for misconfiguration and implementing corrections.


Purpose - Manage configuration settings, monitor changes to settings, collect setting status, and restore settings as needed. Identify configuration settings (CCEs) on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network. Configuration settings are often used as a means to support other capabilities, such as blocking certain software and/or granting/denying privilege(s).

NIST SP 800-53 Controls - Controls related to configuration settings management are CM-6, CM-6(1), CM-7, CM-7(1), CM-7(2), CM-7(4), and CM-7(5).

Target Attack Vectors - Individual Configuration settings, or groups of such settings.

Implementation Approach - Maintain a list of authorized settings/configuration benchmarks for software product categories such as Operating System, Servers (Web, Email, Application, DNS, Directory, etc.), networking devices (Routers, Switches), multifunction peripheral devices, desktop applications, web browser, etc. Remove, authorize/assign, or accept risk for unauthorized settings.

GSA Enterprise Tool(s) - GSA will leverage existing ISCM enterprise security and CDM tools including BigFix and Tenable to provide asset management for software products installed on applicable endpoints for centrally managing, applying and verifying configuration settings. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to implement configuration compliance.
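The HWAM, SWAM and CSM implementation approaches above share one pattern: keep an authorized baseline, treat anything observed outside it as a defect, and give each defect a disposition (remove, authorize/assign, or accept risk). The following added example, which is not GSA's code or any of the named products, shows that pattern end to end; the device identifiers, executable bytes, hardening-guide settings and hostnames are all constructed sample data.

```python
"""CDM-style defect reconciliation for the Manage Assets family (HWAM, SWAM, CSM).

Added example, not GSA code. Every baseline and observation below is constructed
sample data; a real deployment would feed these from the enterprise tools.
"""
import hashlib
from dataclasses import dataclass

# Authorized hardware: device identifier -> who manages it ("" = nobody assigned).
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "infra-team",
    "00:11:22:33:44:02": "infra-team",
    "00:11:22:33:44:03": "",            # authorized but unmanaged
}


def fingerprint(content: bytes) -> str:
    """Digital fingerprint of an executable: SHA-256 over its bytes."""
    return hashlib.sha256(content).hexdigest()


# Authorized software at the executable level: fingerprint -> product name.
AUTHORIZED_SOFTWARE = {
    fingerprint(b"constructed bytes of approved editor v1"): "Approved Editor 1.0",
    fingerprint(b"constructed bytes of approved browser v9"): "Approved Browser 9",
}

# Standard configuration settings (hardening guide): setting -> required value.
STANDARD_SETTINGS = {
    "password_min_length": "16",
    "ssh_root_login": "no",
    "audit_log_enabled": "yes",
}


@dataclass
class Defect:
    capability: str            # "HWAM", "SWAM" or "CSM"
    asset: str                 # device, host:path or host:setting the defect is on
    detail: str
    disposition: str = "open"  # later: "remove", "authorize" or "accept_risk"


def reconcile_hardware(active_scan, passive_hosts):
    """Union active-scan and passive-traffic sightings, then flag devices that are
    not on the authorized list (unauthorized) or listed without a manager (unmanaged)."""
    observed = set(active_scan) | set(passive_hosts)
    defects = []
    for device in sorted(observed):
        if device not in AUTHORIZED_HARDWARE:
            defects.append(Defect("HWAM", device, "unauthorized device seen on network"))
        elif not AUTHORIZED_HARDWARE[device]:
            defects.append(Defect("HWAM", device, "authorized device with no manager assigned"))
    return defects


def reconcile_software(host, executables):
    """executables: {path: file bytes}. Any executable whose fingerprint is not
    on the whitelist is a defect, regardless of its file name."""
    defects = []
    for path, content in sorted(executables.items()):
        fp = fingerprint(content)
        if fp not in AUTHORIZED_SOFTWARE:
            defects.append(Defect("SWAM", f"{host}:{path}",
                                  f"executable not on whitelist (sha256 {fp[:16]})"))
    return defects


def reconcile_settings(host, collected):
    """collected: {setting: value} gathered from the endpoint. A missing setting
    is treated the same as a wrong value."""
    defects = []
    for setting, required in STANDARD_SETTINGS.items():
        actual = collected.get(setting)
        if actual != required:
            defects.append(Defect("CSM", f"{host}:{setting}",
                                  f"required {required!r}, found {actual!r}"))
    return defects


def apply_dispositions(defects, decisions):
    """decisions: {asset: 'remove' | 'authorize' | 'accept_risk'}. Undecided defects stay open."""
    allowed = {"remove", "authorize", "accept_risk"}
    for d in defects:
        choice = decisions.get(d.asset)
        if choice is not None:
            if choice not in allowed:
                raise ValueError(f"invalid disposition {choice!r} for {d.asset}")
            d.disposition = choice
    return defects


def summarize(defects):
    """Counts by capability and disposition, the shape a dashboard would plot."""
    summary = {}
    for d in defects:
        bucket = summary.setdefault(
            d.capability, {"open": 0, "remove": 0, "authorize": 0, "accept_risk": 0})
        bucket[d.disposition] += 1
    return summary


def run_sample():
    """One constructed collection cycle: two discovery sources, one host's executables and settings."""
    active_scan = ["00:11:22:33:44:01", "00:11:22:33:44:03", "00:11:22:33:44:99"]
    passive_hosts = ["00:11:22:33:44:02", "00:11:22:33:44:77"]
    executables = {
        "/opt/editor": b"constructed bytes of approved editor v1",
        "/tmp/unknown-tool": b"constructed bytes of something nobody approved",
    }
    collected = {"password_min_length": "8", "ssh_root_login": "no"}  # audit_log_enabled missing
    defects = reconcile_hardware(active_scan, passive_hosts)
    defects += reconcile_software("host-a", executables)
    defects += reconcile_settings("host-a", collected)
    decisions = {"00:11:22:33:44:99": "remove", "00:11:22:33:44:03": "authorize",
                 "host-a:/tmp/unknown-tool": "remove"}
    return apply_dispositions(defects, decisions)


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.capability:5} {d.disposition:12} {d.asset}: {d.detail}")
    print(summarize(run_sample()))
```

The unauthorized device 00:11:22:33:44:77 is left open on purpose: a defect with no disposition is exactly what the dashboard should surface for System Owners and ISSOs to act on.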

3.4.1.4 Vulnerability Management (VUL)

Vulnerability management is concerned with understanding the security posture with respect to known vulnerabilities. It involves collecting information regarding vulnerabilities and patch levels of assets across the enterprise.

3.4.1.4.1 Vulnerability Detection

Purpose - Identify vulnerabilities (CVEs) on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.

NIST SP 800-53 Controls - Controls related to vulnerability management of known vulnerabilities and patches, and remediating flaws or mitigating vulnerabilities are RA-5, RA-5(1), SI-2, SI-2(2), and SI-2(3).

Target Attack Vectors - Individual CVEs, or groups of such CVEs.


Implementation Approach - The National Vulnerability Database (NVD) provides a library of vulnerabilities mapped to vulnerable software. Poor coding practices can manifest as vulnerabilities that are discovered and assigned a CVE. Upgrade the software to newer, non-vulnerable versions, apply appropriate patches, modify the code to eliminate or mitigate vulnerabilities, or accept the risk.

GSA Enterprise Tool(s) - GSA uses the Tenable enterprise vulnerability scanning tool to identify known vulnerabilities and will leverage the CDM BigFix tool as an enterprise patch management solution to deploy latest patches for operating systems and applications. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to implement vulnerability and patch management.

3.4.1.4.2 Malware Detection

Purpose - Provide the ability to identify and report on the presence of viruses, Trojans, spyware, or other malicious code on or destined for a target system.

NIST SP 800-53 Controls - Controls related to identifying unauthorized or malicious code and employing protection mechanisms against malicious code execution, and controls related to detecting unauthorized changes to software to ensure software and information integrity: SI-3, SI-3(1), SI-7, and SI-7(3).

Target Attack Vectors - End-users and organizations via web browsing, email attachments, endpoint devices such as workstations, mobile devices, executables, etc.

Implementation Approach - Employ malware detection tools and mechanisms at information system entry and exit points (e.g., firewalls, email servers, Web servers, proxy servers, remote access servers) and at endpoint devices (e.g., workstations, servers, mobile computing devices) on the network to detect and remove malicious code. Malware detection mechanisms can be configured to perform periodic scans of information systems, as well as real-time scans of files from external sources as the files are downloaded, opened, or executed IAW organizational security policy.

GSA Enterprise Tool(s) - GSA uses centrally managed integrity verification tools and application whitelisting tools that detect and prevent/block malicious code execution. GSA also employs Antivirus tools on workstations, servers and mobile devices. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to implement malware detection.


3.4.2 Manage Events

The Manage Events family and its capabilities use automated tools to identify incidents and events and assist in responding to them. In addition to automated tools, the identification and response to incidents and events requires planning which is typically documented in incident response and contingency plans, and testing/reporting. The primary objective of the Manage Events family is to identify and respond to incidents and events while continuing to perform the business functions of the organization.

3.4.2.1 Prepare for and Detect Incidents and Contingencies

Purpose - Provide the ability to automate the process of monitoring the events occurring in an information system or network, analyzing them for signs of possible incidents, attempting to stop detected events from becoming incidents, and responding to incidents and contingencies when necessary. Review events selected for monitoring and update, as appropriate.

NIST SP 800-53 Controls - Controls related to the process of generating, transmitting, storing, analyzing, and preparing for the response to events and incidents are AU-2, AU-6, AU-6(4), IR-5, IR-8, and SI-4. Controls related to the process of preparing for contingencies are CP-2 and CP-4.

Target Attack Vectors - Lack of effective security logging and analysis may allow attackers to hide their location and activities on compromised machines. Without audit logs, an attack may go unnoticed indefinitely. Ineffective contingency plans may allow unforeseen events to cause a system/network to be unavailable or degraded to such an extent that the organization cannot perform its business functions.

Implementation Approach - Deploy a logging platform as a management tool for log aggregation and consolidation from multiple sources to enable analysis of correlated events and logs. Develop effective contingency plans allowing systems/networks to effectively operate under emergencies and disasters. Review events selected for monitoring annually and revise, as appropriate.

GSA Enterprise Tool(s) - GSA uses an Enterprise Logging Platform (ELP) tool to centralize review and analysis of audit records from multiple systems to identify correlated events. The ELP tool detects and alerts designated personnel on anomalous events. Incident Response and Handling Tools used by GSA are detailed in Appendix C of GSA Procedural Guide CIO-IT Security-01-02, “Incident Response”.


3.4.2.2 Respond to Incidents and Contingencies

Purpose - Provide the ability to use automation to assist in the process of responding to events occurring in an information system or network or events impacting them, analyzing the events/incidents and taking appropriate action to eliminate or mitigate the threats while allowing the business functions of the organization to continue. Report events/incidents, as necessary, to the appropriate parties/organizations. Execute contingency plans when emergencies or disasters require them to be implemented.

NIST SP 800-53 Controls - Controls related to the process of responding to events and incidents are IR-5, IR-6, IR-8, and SI-4. Controls related to responding to contingencies are CP-2 and CP-4.

Target Attack Vectors - Lack of effective response to events or incidents identified by security logging and analysis may allow attackers to continue to perform malicious activities against the system/network and organization. Without effective response, an attack may last longer and subject the organization to extended malicious actions. Ineffective contingency plans may allow systems/networks to be adversely affected to a degree that the organization cannot fulfill its business functions.

Implementation Approach - Deploy Intrusion Detection Systems/Intrusion Prevention Systems (IDSs/IPSs) along with an ELP tool to identify events and incidents that require action. Develop an Incident Response Plan, and train and test it to ensure response is timely and effective. Incident Response and Handling Tools used by GSA are detailed in Appendix C of GSA Procedural Guide CIO-IT Security-01-02, “Incident Response”. Develop a Contingency Plan, and train and test it to ensure reaction and recovery are timely and effective.

GSA Enterprise Tool(s) - GSA uses IDSs/IPSs and an ELP tool to centralize review and analysis of event and incident data from multiple systems to correlate events and incidents. These tools detect and alert designated personnel when anomalous events/incidents occur so they can take action as required by the Incident Response Plan. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to respond to events and incidents.

3.4.3 Manage Additional ISCM Controls

GSA has selected additional NIST controls as part of its ISCM program. These controls are time driven and require monitoring, update, and verification on the frequency identified in Appendix A. The primary objective of monitoring these additional controls as a part of the ISCM program is to ensure systems maintain effective operational security by monitoring controls across a broad spectrum of NIST families.


3.4.3.1 Review System and Suitability Access and Audited Events

Purpose - Provide assurance that personnel with access to the system and its data have the appropriate suitability determination, have been authorized access (logical and physical), and continue to need that level of authorization (i.e., privileges) their accounts provide to them. Validate the events selected for auditing are sufficient with regard to the system’s current environment and threats.

NIST SP 800-53 Controls - Controls related to verifying access to the system is appropriate are AC-2, AC-3, and AC-6(2). The control related to verifying audit events are sufficient for the system is AU-2(3).

Target Attack Vectors - Lack of effective management of who has access may allow personnel to retain access they no longer need. It may allow attackers to exploit unnecessary/unused accounts to access the system and perform malicious activities against the system/network and organization. Retaining ineffective auditing can lead to malicious actions being missed, due either to insufficient auditing or to ineffective reviews/alerts because too many events are audited for effective analysis.

Implementation Approach - Accounts should be continuously updated as personnel come on board a program/project/organization and require access, or leave and no longer require access. All information systems must perform an annual review and re-certification of privileged and unprivileged user accounts to verify whether the account holders require continued access to the system. Record the date of annual user re-certification in the SSP. The ISSM/ISSO should meet with the System Owner/Program Manager to verify that accounts and their access privileges are up to date. Upon completion of account re-certification and privilege verification, prepare an account recertification and privilege verification deliverable documenting the activity. Similarly, the ISSM/ISSO should discuss with the System Owner/Program Manager and system/network administrators (as appropriate) whether any changes to the events being audited should be made.

3.4.3.2 Perform Assessments/Tests

Purpose - Assess the effectiveness of a system/network’s security features and mechanisms in protecting the system from threats, mitigating and eliminating vulnerabilities, and reducing risks. Performing penetration testing (if required) and annual FISMA assessments along with monitoring the other ISCM capabilities provides assurance that the system/network is maintaining an acceptable risk posture.

NIST SP 800-53 Controls - Controls related to assessing/testing systems are CA-2 and CA-8.


Target Attack Vectors - Lack of effective assessment of systems may lead to ineffective security features and mechanisms being in place and unknown vulnerabilities being present that attackers can exploit to perform malicious actions impacting the system/network and the organization.

Implementation Approach - All systems in the ISCM program will perform annual FISMA assessments (i.e., specific security control assessments) as designated by the OCISO. All Internet facing and FIPS 199 High systems will perform annual penetration testing to determine their resistance to attacks. Results of the FISMA assessments will be provided to OCISO ISP using instructions and forms provided. Results of penetration tests will be provided to OCISO ISP in the GSA Pen Test Report template.

3.4.3.3 Maintain POA&Ms and System Documentation

Purpose – Maintain an accurate state of the system, its data, and its environment. Manage the resolution of vulnerabilities by planning actions and establishing milestones to address them. Manage changes to the system to ensure security impacts are assessed when the system’s security posture may be affected.

NIST SP 800-53 Controls - Controls related to maintaining POA&Ms and other system documentation are CA-5, CA-7, CM-9, CP-2, IR-8, PL-2, and AR-2.

Target Attack Vectors - Lack of effective POA&M management can result in vulnerabilities being resident on the system/network longer than necessary, exposing the system/network and organization to threats and attackers. Inaccurate system documentation can lead to a false sense of security due to the System Owner/Program Manager or AO believing the system is not vulnerable to certain threats or does not contain PII when the opposite may be true. The opposite could also be true, and both conditions can lead to resources not being used effectively.

Implementation Approach – POA&Ms should be updated continuously as actions are taken and milestones are achieved or delayed; they are required to be provided to OCISO ISP at least quarterly. ISCM packages, Configuration Management Plans, System Security Plans, Privacy Threshold Analyses (PTAs)/Privacy Impact Assessments (PIAs) (and related documents), Contingency Plans, and Incident Response Plans require annual review and update to ensure they reflect a system/network’s current state. ISSMs/ISSOs should schedule a meeting with the System Owner/Program Manager to ensure these documents are updated and provided to OCISO ISP annually.


3.4.4 Monitor ISCM Program and System Risk

Purpose – Monitor risk at the system and enterprise level to ensure systems are operating within the organization’s risk tolerance level. Monitor system’s adherence to the ISCM strategy and program.

NIST SP 800-53 Controls – The control related to monitoring the ISCM Program and System Risk is CA-7.

Target Attack Vectors - Lack of effective monitoring of the ISCM Program and System Risk levels can result in risk levels being higher than organizational tolerance, exposing systems/networks and the organization to unexpected threats and attacks.

Implementation Approach – GSA’s CDM tools include an enterprise dashboard providing the ability to review metrics on system and enterprise risks and vulnerabilities. The dashboard is available to System Owners/Program Managers, security personnel, and GSA management, allowing them to monitor and respond, as necessary.

GSA Enterprise Tool(s) - GSA will use existing ISCM and CDM tools to capture data that will output to the CDM dashboard for near real time monitoring. OCISO ISP will review ISCM manual process-based controls and deliverables to ensure systems maintain their Ongoing Authorization. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to monitor automation supported controls.

4 GSA ISCM Program

The overall focus of the GSA ISCM program is to provide sufficient information about a system’s security control effectiveness and its security status to allow GSA management to make informed, timely security risk management decisions aimed at supporting ongoing system authorizations.

The GSA ISCM Program leverages both manual and automated processes that involve monitoring of a system’s NIST security controls. The strategy will ensure all key information security controls are periodically assessed for effectiveness. Monitoring activities are biased towards controls with the greatest impact. GSA’s ISCM program will expand and mature over time to ensure constant improvement. Security control analysis, monitoring and assessment frequencies of continuous monitoring and verification requirements will change IAW agency needs, and OMB and DHS direction. The OCISO will regularly review the ISCM program to ensure it sufficiently supports agency requirements to operate systems within acceptable risk tolerance levels, identify ways to improve organizational insight into security posture, effectively support informed risk management decisions, and improve GSA’s ability to respond to known and emerging threats.

After a system has received an ongoing authorization by completing all of the prerequisites, the ongoing authorization must be maintained using the ISCM program.

4.1 Maintenance of Ongoing Authorizations

Maintenance of a system’s ongoing authorization is achieved by maintaining the security documents and processes identified in the ISCM package and maintaining compliance with the security controls in Appendix A, both automated and manual. Figure 4-1, Comparison of 3-Year ATO and Ongoing Authorization, shows how ongoing authorization leads to a continuous assessment of risk based on automation, manual updates, and the monitoring of metrics.

Figure 4-1. Comparison of 3-Year ATO and Ongoing Authorization

Specifically, once an information system has been granted ongoing authorization, it must provide the deliverables and maintain automation content as listed in Appendix A. A system doing so and showing satisfactory performance based on the ISCM program’s performance metrics should be able to maintain its ongoing authorization.


4.2 Handling Incidents or Significant Change within the ISCM Program

Information systems undergo frequent changes to hardware, software, firmware, or supporting networks during the system’s life cycle. Such changes are typically addressed via configuration management and control processes ensuring all proposed changes are tested to observe the effects and impact of the change, and are approved prior to implementation, thereby minimizing the risk of adverse results. All system changes, regardless of size, should follow the formal, documented change management process for the system, and that change management process should contain the steps for completing a Security Impact Analysis on any proposed change. Additionally, the continuous monitoring strategy for the system should also address the requirement to determine the extent to which any proposed change to the system will affect the security state of the system. Not all system changes will have an impact on security, and the ISSO should be involved in the analysis prior to the change to determine the risks the change presents and recommend an appropriate course of action.

Significant changes must be coordinated with the OCISO prior to a final determination being made and a course of action agreed upon for handling the change.

Examples of significant changes to an information system include:

● Installation of a new or upgraded operating system, middleware component, or application;

● Modifications to system ports, protocols, or services;

● Installation of a new or upgraded hardware platform;

● Modifications to cryptographic modules or services; or

● Modifications to security controls.

Examples of significant changes to the environment of operation include:

● Moving to a new facility;

● Adding new core missions or business functions;

● Acquiring specific and credible threat information that the organization is being targeted by a threat source;

● Establishing new/modified laws, directives, policies, or regulations;

● Virtualization of the system;

● Addition of telecommunication capability; or

● Moving the system to the “Cloud”.

Incidents or significant changes regarding a system may require its reauthorization. The reauthorization process differs from the initial authorization inasmuch as the AO can initiate: a complete zero-base review of the information system or common controls; or a targeted review based on the type of event that triggered the re-authorization, the assessment of risk related to the event, and the organizational risk tolerance. Re-authorization is a separate activity from the ongoing authorization process, though security- and privacy-related information from the organization’s ISCM program may still be leveraged to support re-authorization.

4.3 Security Assessment Requirements

Changes that are designated as significant (and agreed to by the OCISO) require security controls assessment of the impacted controls or new controls using the GSA Assessment Test Cases and will require either reauthorization following the system’s A&A process in CIO-IT Security-06-30 or a refresh of its ISCM ATO Package.

When assessing the controls for any impact as a result of the planned change, steps should be taken to not only ensure that existing controls were not compromised, but also to look for any new vulnerabilities that the change may have introduced and, if necessary, implement new controls that were not previously required. To that effect, assessment activities must include vulnerability scans. All identified weaknesses from the security controls assessment and vulnerability scanning activities must be documented in the POA&M.

The updated authorization package will be either an ISCM ATO Package or an A&A ATO Package based on the system’s A&A process as determined by the OCISO and AO.

5 ISCM Program Reporting

A feedback mechanism is necessary to ensure each agency information system continues to perform in accordance with its ISCM Plan as approved by the AO and the CISO. The OCISO will provide semiannual status reports to the AO on system performance within the ISCM program. The status reports provide information agency management can use to measure performance related to the commitments made in the system’s ISCM Plan. The report will track submission of required ISCM deliverables to the OCISO and continued effectiveness of ISCM/CDM automated capabilities for each information system (as applicable).


5.1 OCISO Reviews

The OCISO will use performance metrics as listed in the ISCM Performance Metrics Google Sheet to evaluate a system’s performance within the ISCM program and measure the effectiveness of the implemented continuous monitoring controls and security automation domains. Semiannual status reports using the defined performance metrics will be sent to the AOs and the CISO with a copy to the ISSM, ISSO, and system owner for performance tracking. Performance metrics summarize the system’s overall security posture and will serve as a means for the AO and CISO to make a risk based decision on maintaining the system in ongoing authorization. As the CDM Dashboard is implemented, a majority of the metrics will be provided within it and it will become the primary source for monitoring ISCM performance.

5.2 Determination of Adequate or Effective Continuous Monitoring

After a system is granted ongoing authorization and is integrated into the ISCM program, the system must meet the agency-defined performance metrics, as listed in the ISCM Performance Metrics Google Sheet, and be compliant with the controls listed in Appendix A. The performance metrics are used to provide the CISO and AO a holistic view of the security posture of the systems in the ISCM program. The performance measures include areas covered by the security automation domains and by manual deliverables. Metrics have been defined to align with the information security goals for each of the automation domains (hardware/software asset management, configuration settings management, vulnerability management, and event management). The performance metrics have been evaluated by risk impact, and based on the responses to each metric a status (red, yellow, green) will be associated with it that identifies performance in that specific area. In addition, an executive-level dashboard will summarize all performance metric information captured and provide trending information. These trends will give upper management the ability to see the progress or regression of a system within the ISCM program.

The CISO and AO will determine if a system’s previously approved ISCM Plan is being effectively implemented by reviewing the system’s semiannual performance metrics.

If the AO and the CISO determine that the system’s ISCM Plan is not effectively implemented, the System Owner/Program Manager and ISSM/ISSO will be notified of the observed deficiencies. They will be given a period of thirty days to address the deficiencies that were identified.

If the observed deficiencies are not adequately addressed during the thirty-day period, the system will be required to undergo a complete security assessment based on its A&A process from CIO-IT Security-06-30 and receive a new ATO prior to requesting to rejoin the ISCM program.


Appendix A - Continuous Monitoring Controls

The GSA ISCM control baseline, with continuous monitoring processes and deliverables as applicable, is identified in Tables A-1 and A-2. In cases where security controls are determined to be inadequate, the ISCM program is predicated on prioritizing responses based on the risk and impact to the system and GSA. Effectively, risks that have the highest impact to GSA and system operations should be addressed first. The CSF Subcategory IDs in the tables are provided to show the mapping between the CSF and NIST controls. NIST only mapped the CSF Subcategory IDs to individual controls, not to control enhancements. The CSF Subcategory IDs mapped to control enhancements were selected by analyzing the enhancement and the CSF Subcategory IDs mapped to the parent control and choosing the most relevant ID. If a NIST control did not have any CSF Subcategory IDs mapped to it, then that control and any of its enhancements are listed as Not Applicable (N/A). The CSF Categories containing the Subcategory IDs used in Table A-1 are listed below; specific information on the subcategories is contained in Appendix B. Additional information is available in the NIST CSF document.

CSF Function; CSF Category Unique Identifier - Category; Description

DETECT (DE)
DE.AE - Anomalies and Events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
DE.CM - Security Continuous Monitoring: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.DP - Detection Processes: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

IDENTIFY (ID)
ID.AM - Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
ID.RA - Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

PROTECT (PR)
PR.DS - Data Security: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.IP - Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.PT - Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

RESPOND (RS)
RS.AN - Analysis: Analysis is conducted to ensure adequate response and support recovery activities.
RS.CO - Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.MI - Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

The selected ISCM controls include manual processes and automated tools and are to be implemented on a continuous basis. Controls in Table A-1 have been identified as automated; however, they will still require verification by system personnel and oversight by OCISO personnel. As the CDM dashboard is implemented, it will support the verification process by displaying the status and results of many automated activities. Manual or process-based controls will be vetted by OCISO personnel reviewing either the process results or the document deliverable identified in Table A-2.

Note: The verification frequency identified for each control is the frequency at which the effectiveness of the control implementation will be vetted by OCISO. The frequency at which the activity or process is executed will vary based on the activity or process. For example, automated activities will be executed based on how the automated tools are configured and can vary from a few minutes to weekly or monthly. Processes such as managing POA&Ms are expected to be updated as soon as new POA&Ms are required or as actions to resolve POA&Ms occur. Documentation updates should also occur as events dictate. For example, if a system change now requires the system to contain personally identifiable information, the system’s Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), and SSP as it relates to Privacy controls need to be updated and the additional controls assessed. Another triggering event could be a change made via the system’s configuration/change management process (e.g., changing the password length parameter), which would require re-assessing the Identification and Authentication and Configuration Management controls to reflect the change to the parameter and to the system’s baseline configuration.

Table A-1 contains the controls with automated monitoring. Table A-2 contains controls where manual processes are used to monitor them. Controls in Table A-1 may have their implementation inherited if GSA CDM or other enterprise ISCM tools are used. Controls in Table A-2 are typically system-specific, requiring systems to independently implement them. However, systems residing on a Major Information System (this term has replaced General Support System and Major Application) may inherit all or part of the manual controls as well. For example, many systems may inherit all or a portion of their contingency planning controls from such a system. The GSA Information Security Program Plan (ISPP) contains enterprise-wide common and hybrid controls provided within GSA that may be inherited by information systems.

Table A-1. Automated Continuous Monitoring Controls with Verification Methods and Frequencies

Columns: Control [CSF Category] Control Name; Description; Verification Method; Verification Frequency

AU-2 [CSF: N/A] Audit Events
Description: The specific events audited within the information system based on their significance and relevancy to the security of the system. GSA hardening guides include security benchmarks establishing the events required to be audited.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

AU-6 [CSF: DE.AE-2, DE.AE-3, DE.DP-4, RS.CO-2, RS.AN-1] Audit Review, Analysis, and Reporting
Description: Audit records must be reviewed frequently for signs of unauthorized activity and other security events. Monitoring and reviewing system and security activity logs, including administrator activity, is integral to maintaining sound system controls.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Annually

AU-6 (4) [CSF: DE.AE-2, DE.AE-3, DE.DP-4, RS.CO-2, RS.AN-1] Audit Review, Analysis, and Reporting | Central Review and Analysis
Description: Systems not integrated with GSA’s Enterprise Logging Platform for their logging solution must have a similar capability or otherwise meet the requirements stated in CIO-IT Security-01-08, “Audit and Accountability”, to perform review and analysis of audit records from different systems and multiple components within a system centrally. GSA’s Enterprise Logging Platform is configured to analyze and correlate audit records from different systems and alert appropriate personnel when records and the platform’s rules identify a need to do so.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Annually

CM-2 [CSF: PR.DS-7, PR.IP-1, DE.AE-1] Baseline Configuration
Description: All information systems must describe what the system prescribes for standard baseline configuration, system image, and/or standard build configuration. In other words, all information systems must maintain a list of hardware, software, and patches/service packs for all assets in the information system boundary.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-2(1) [CSF: PR.IP-1] Baseline Configuration | Reviews and Updates
Description: System baseline configurations are reviewed annually and updated when necessary due to changes to the system (e.g., upgrades and/or new components).
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Annually

CM-2(2) [CSF: PR.IP-1] Baseline Configuration | Automation Support for Accuracy / Currency
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain the baseline configuration of information systems hosted at GSA facilities.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-6 [CSF: PR.IP-1] Configuration Settings
Description: All systems must adhere to GSA hardening guides, United States Government Configuration Baseline, NIST guidelines, Center for Internet Security (CIS) Benchmarks (Level 1), or industry best practice guidelines, as deemed appropriate by the AO. All information systems must document and get approval for any deviations from GSA agency-wide hardening guides. This control is often inherited from the underlying major information system.
Verification Method: OCISO Oversight using Automated Tools; Security Deviation Request Form and GSA Security Benchmarks, as applicable
Verification Frequency: Semiannually

CM-6 (1) [CSF: PR.IP-1] Configuration Settings | Automated Central Management / Application / Verification
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to implement and monitor security configuration settings of information systems IAW GSA hardening guides, United States Government Configuration Baseline, NIST guidelines, Center for Internet Security (CIS) Benchmarks (Level 1), or industry best practice guidelines, as deemed appropriate by the AO.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-7 [CSF: PR.PT-3] Least Functionality
Description: GSA has established a series of hardening guides and security benchmarks for commonly used technologies (e.g., operating systems, database management systems) with defined standard configuration settings which are designed to prohibit non-secure, risky functions, ports, protocols, and services. A system’s specific functions, ports, protocols, and services are defined during development and then operation, as deemed appropriate by the AO. GSA uses CDM tools (e.g., BigFix, Tenable) to verify systems comply with the hardening guides and only have essential functions, ports, protocols, and services enabled.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-7 (1) [CSF: PR.PT-3, DE.CM-7] Least Functionality | Periodic Review
Description: GSA has established a series of hardening guides and security benchmarks for commonly used technologies (e.g., operating systems, database management systems) with defined standard configuration settings which are designed to limit unnecessary functionality (e.g., functions, ports, protocols, and services). GSA uses CDM tools (e.g., BigFix, Tenable) to verify systems comply with the hardening guides and do not have unnecessary functions, ports, or services enabled.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-7 (2) [CSF: PR.PT-3] Least Functionality | Prevent Program Execution
Description: GSA’s Hardening Guides and Security Benchmarks were developed to configure systems to only install, configure, and permit required programs. GSA uses Bit9 and Tripwire to prevent unauthorized programs from executing. If these tools or other ISCM/CDM tools do not identify the program as allowed to execute, its execution will be prevented.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-7 (4) [CSF: PR.PT-3] Least Functionality | Authorized Software / Blacklisting
Description: Software blacklisting tools identify software by a digital fingerprint and deny software on the blacklist from executing. GSA uses Bit9 and Tripwire to implement application blacklisting to defend against zero-day and APT threats.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-7 (5) [CSF: PR.PT-3] Least Functionality | Authorized Software / Whitelisting
Description: Software whitelisting tools identify software by a digital fingerprint and allow authorized software to run, blocking everything else. GSA uses Bit9 and Tripwire to implement application whitelisting to defend against zero-day and APT threats.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8 [CSF: ID.AM-1, ID.AM-2, PR.DS-3, DE.CM-7] Information System Component Inventory
Description: All information systems must maintain an up-to-date and readily available hardware asset inventory using the GSA Inventory Template provided on the ISCM ATO Package Google Drive. Automated tools (e.g., ForeScout/Secure/Connector, BigFix) will supplant the inventory sheet as the CDM process matures. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain an up-to-date and readily available hardware asset inventory.
Note: The Hardware Asset inventory must provide coverage for all assets in the system inventory including physical servers and virtual servers or virtual machines, workstations, mobile devices, and network devices (as applicable).
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8 (1) [CSF: PR.DS-3] Information System Component Inventory | Updates During Installations/ Removals
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain an up-to-date and readily available hardware asset inventory.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8 (2) [CSF: DE.CM-7] Information System Component Inventory | Automated Maintenance
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain an up-to-date and readily available hardware asset inventory.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8 (3) [CSF: DE.CM-7] Information System Component Inventory | Automated Unauthorized Component Detection
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain an up-to-date and readily available hardware asset inventory, including unauthorized component detection.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8 (4) [CSF: DE.CM-7] Information System Component Inventory | Accountability Information
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to maintain an up-to-date and readily available hardware asset inventory with accountability information.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8(5) [CSF: ID.AM-1] Information System Component Inventory | No Duplicate Accounting of Components
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to ensure components are not duplicated in system hardware asset inventories.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

CM-8(7) [CSF: PR.DS-3] Information System Component Inventory | Centralized Repository
Description: Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used to provide a centralized repository for hardware asset inventory.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

RA-5 [CSF: ID.RA-1, PR.IP-12, DE.CM-8, DE.DP-4, DE.DP-5, RS.CO-3, RS.MI-3] Vulnerability Scanning
Description: For all systems hosted in GSA Facilities, OCISO will conduct vulnerability scans IAW GSA IT Security Procedural Guide CIO-IT Security-17-80, “Vulnerability Management Process.” No deliverable needs to be provided by internally hosted systems. However, the ISSO for the information system needs to ensure that all of their assets have the agent installed (for agent-based tools) and/or that all assets are being scanned for vulnerabilities using the enterprise scan tool.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

RA-5 (1) [CSF: DE.CM-8, DE.DP-5] Vulnerability Scanning | Update Tool Capability
Description: For systems scanned by GSA OCISO, the Security Operations Division (ISO) will update scanning tools. For systems not scanned by ISO, scanning tool updates must be performed prior to scans.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-2 [CSF: ID.RA-1, PR.IP-12] Flaw Remediation
Description: SSOs must use an automated tool for flaw remediation and patch management. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for flaw remediation and patch management.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-2(2) [CSF: ID.RA-1] Flaw Remediation | Automated Flaw Remediation Status
Description: SSOs must use an automated tool to determine the status of systems regarding flaw remediation and patches. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for flaw remediation and patch management.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-2(3) [CSF: PR.IP-12] Flaw Remediation | Time to Remediate Flaws/ Benchmarks for Corrective Actions
Description: SSOs must use an automated tool to determine the time between flaw identification and remediation. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for flaw remediation and patch management.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-3 [CSF: DE.CM-4, DE.DP-3] Malicious Code Protection
Description: GSA uses automated tools such as Bit9 and Tripwire to protect systems from malware. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for centrally managing malicious code protection.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-3(1) [CSF: DE.CM-4, DE.DP-3] Malicious Code Protection | Central Management
Description: GSA centrally manages the implementation and monitoring of the automated tools used to protect systems. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for centrally managing malicious code protection.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-4 [CSF: ID.RA-1, PR.DS-5, PR.IP-8, DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.CO-3, RS.AN-1] Information System Monitoring
Description: SSOs must employ automated capabilities such as ELP, IDS, IPS, and others to perform information system monitoring, log management, and event analysis. Tools used by SSOs must be capable of integrating feeds with the enterprise ELP tool OCISO uses, which correlates data from IDS, IPS, and other components to support near real-time analysis of events.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-7 [CSF: PR.DS-6] Software, Firmware, and Information Integrity
Description: GSA centrally manages the implementation and monitoring of the automated tools used to perform integrity verification of systems. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for detecting unauthorized changes to the information system.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually

SI-7(3) [CSF: PR.DS-6] Software, Firmware, and Information Integrity | Centrally-Managed Integrity Tools
Description: GSA centrally manages the implementation and monitoring of the automated tools used to perform integrity verification of systems. Please refer to the GSA Continuous Monitoring Enterprise Management Tools for enterprise tool(s) used for detecting unauthorized changes to the information system.
Verification Method: OCISO Oversight using Automated Tools
Verification Frequency: Semiannually
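The CM-8 rows above require an inventory that covers every asset, detects unauthorized components (CM-8 (3)) and counts no component twice (CM-8(5)), but they do not show what such a check looks like when two discovery sources report the same hardware differently. The following Python is an added example, not part of this guide or of GSA's enterprise tooling: it reconciles constructed discovery-tool exports against a constructed authorized inventory, resolving each record to a serial number where one is known (directly or via a MAC/hostname seen with a serial elsewhere) and falling back to MAC. All hostnames, MAC addresses and serials are sample values.

```python
"""Reconcile hardware asset records from discovery sources against an authorized
inventory, in the spirit of CM-8 (3) (unauthorized component detection) and
CM-8(5) (no duplicate accounting). Example code; all data below is constructed."""
import re
from collections import defaultdict

# Constructed: the system's authorized inventory (what the inventory sheet holds).
AUTHORIZED_INVENTORY = [
    {"hostname": "web01.example.test", "mac": "00:11:22:33:44:55",
     "serial": "SN-A100", "type": "virtual server"},
    {"hostname": "db01.example.test", "mac": "00:11:22:33:44:66",
     "serial": "SN-A101", "type": "physical server"},
    {"hostname": "ws-0042.example.test", "mac": "AA:BB:CC:DD:EE:01",
     "serial": "SN-W042", "type": "workstation"},
]

# Constructed: exports from two discovery sources. The agent-based source knows
# serials; the network source sees only MAC and hostname, in varying formats.
DISCOVERED_RECORDS = [
    {"source": "agent", "hostname": "WEB01", "mac": "00-11-22-33-44-55", "serial": "sn-a100"},
    {"source": "agent", "hostname": "db01", "mac": "00:11:22:33:44:66", "serial": "SN-A101"},
    {"source": "network", "hostname": "db01.example.test", "mac": "00:11:22:33:44:66", "serial": ""},
    {"source": "network", "hostname": "DB01", "mac": "00:11:22:33:44:66", "serial": ""},
    {"source": "network", "hostname": "unknown-host", "mac": "de:ad:be:ef:00:01", "serial": ""},
]

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Strip separators and lowercase; return '' for anything not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    return digits if _MAC12.match(digits) else ""


def normalize_serial(serial):
    return (serial or "").strip().upper()


def normalize_host(hostname):
    """Short hostname, lowercased, so 'DB01' and 'db01.example.test' compare equal."""
    return (hostname or "").strip().lower().split(".")[0]


def build_identity_index(records):
    """Map normalized MAC and short hostname to a serial, from records that carry one."""
    mac_to_serial, host_to_serial = {}, {}
    for rec in records:
        serial = normalize_serial(rec.get("serial"))
        if not serial:
            continue
        mac = normalize_mac(rec.get("mac"))
        if mac:
            mac_to_serial[mac] = serial
        host = normalize_host(rec.get("hostname"))
        if host:
            host_to_serial[host] = serial
    return mac_to_serial, host_to_serial


def asset_key(rec, mac_to_serial, host_to_serial):
    """Resolve a record to one stable identity: serial if known directly or via
    MAC/hostname, else MAC, else short hostname."""
    serial = normalize_serial(rec.get("serial"))
    if serial:
        return ("serial", serial)
    mac = normalize_mac(rec.get("mac"))
    if mac in mac_to_serial:
        return ("serial", mac_to_serial[mac])
    host = normalize_host(rec.get("hostname"))
    if host in host_to_serial:
        return ("serial", host_to_serial[host])
    return ("mac", mac) if mac else ("hostname", host)


def reconcile(authorized, discovered):
    """Return assets seen but not authorized, authorized assets no source saw
    (a coverage gap), and assets a single source counted more than once."""
    mac_to_serial, host_to_serial = build_identity_index(list(authorized) + list(discovered))
    authorized_keys = {asset_key(a, mac_to_serial, host_to_serial) for a in authorized}
    seen = defaultdict(list)  # identity -> [(source, hostname as reported)]
    for rec in discovered:
        seen[asset_key(rec, mac_to_serial, host_to_serial)].append((rec["source"], rec["hostname"]))
    duplicates = {}
    for key, observations in seen.items():
        per_source = defaultdict(list)
        for source, host in observations:
            per_source[source].append(host)
        dup = {s: hosts for s, hosts in per_source.items() if len(hosts) > 1}
        if dup:
            duplicates[key] = dup
    return {
        "seen": dict(seen),
        "unauthorized": sorted(k for k in seen if k not in authorized_keys),
        "missing": sorted(k for k in authorized_keys if k not in seen),
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_INVENTORY, DISCOVERED_RECORDS)
    for section in ("unauthorized", "missing", "duplicates"):
        print(section, report[section])
```

On the sample data the network-only device surfaces as unauthorized, the workstation no source reported surfaces as a coverage gap, and the two network records for db01 collapse to one asset flagged as double-counted rather than inflating the inventory.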


Table A-2. Manual Continuous Monitoring Controls with Verification Methods and Frequencies

Columns: Control [CSF Category] Control Name; Description; Verification Method; Verification Frequency

AC-2 [CSF: PR.AC-1, PR.AC-4, DE.CM-1, DE.CM-3] Account Management
Description: All information systems must perform an annual review and recertification of user accounts to verify if the account holder requires continued access to the system. Record the date of annual user re-certification in the SSP. Document the annual user re-certification process and results. This document should include addressing AC-6 and AC-6(2).
Verification Method: Deliverable
Verification Frequency: Annual

AC-3 [CSF: PR.AC-4, PR.PT-3] Access Enforcement
Description: Ensure that system and application level authorizations are completed on all users before allowing system access. Access authorization documentation should be maintained for all users.
Verification Method: Access Authorization Records
Verification Frequency: Annual

AC-6 [CSF: PR.AC-4, PR.DS-5] Least Privilege
Description: Ensure users (administrators, other privileged users, and standard users) and equivalent groups are limited to only those privileges required to perform their functions and tasks. As necessary, additional roles, groups, or account types may be added to implement/enforce the least privilege principle.
Note: The security activity of verifying appropriate user privileges must be performed on a continual basis. The annual verification should be included in the deliverable for AC-2.
Verification Method: Deliverable (included in AC-2 deliverable)
Verification Frequency: Annual

AC-6 (2) [CSF: PR.AC-4, PR.DS-5] Least Privilege | Non-Privileged Access For Nonsecurity Functions
Description: Ensure segregation of user and administrator accounts. Ensure that Administrators have two accounts: a normal user account and an Administrator account. The normal user account should not be included in the Administrators group. Administrator privileged accounts should only be used by Administrators when they need Administrator privilege to perform a job function; otherwise this account level should not be in use.
Note: The security activity of verifying segregation of user and privileged accounts must be performed on a continual basis. The annual verification should be included in the deliverable for AC-2.
Verification Method: Deliverable (included in AC-2 deliverable)
Verification Frequency: Annual

AU-2 (3) [CSF: N/A] Audit Events | Reviews and Updates
Description: The list of auditable events for the information system must be reviewed at least annually and updated if necessary. Record the date of the audit event review in the SSP.
Verification Method: Deliverable (SSP)
Verification Frequency: Annually

CA-2 [CSF: ID.RA-1, PR.IP-7, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.CO-3] Security Assessments
Description: The GSA ISCM controls must be assessed at least annually using automated or manual methods. An annual FISMA self-assessment will be performed based on controls selected by the OCISO. The specific controls, assessment test cases, and deadlines will be coordinated through Information System Security Managers (ISSMs) and Information System Security Officers (ISSOs).
Verification Method: Deliverable (Annual FISMA Assessment Results)
Verification Frequency: Annually

CA-5 [CSF: N/A] Plan of Action and Milestones
Description: System POA&Ms must be updated at least quarterly and made available for OCISO review IAW CIO-IT Security-09-44, “Plan of Action and Milestones (POA&M)”. OCISO will review POA&Ms quarterly and provide reports based on the review to ISSOs/ISSMs, AOs, and the CISO.
Verification Method: Deliverable (POA&M Updates)
Verification Frequency: Quarterly

CA-7 | ID.RA-1, PR.IP-7, PR.IP-8, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.CO-3, RS.AN-1, RS.MI-3 | Continuous Monitoring | ISCM Plans, including all attached documents, must be updated annually. OCISO will review ISCM Plans, including all attached documents, upon receipt. | Deliverable (ISCM Plans, including attached documents) | Annually


CA-8 | ID.RA-1 | Penetration Testing | All Internet-facing and FIPS 199 High systems must have penetration tests performed annually and provided to OCISO IAW CIO-IT Security-11-51, “Conducting Penetration Test Exercises”. OCISO will review penetration test reports, as necessary. | Deliverable (Penetration Testing Report) | Annually

CM-9 | PR.IP-1 | Configuration Management Plan | System Configuration Management Plans must be reviewed annually and updated as necessary IAW CIO-IT Security-01-05, “Configuration Management”. | Deliverable (Configuration Management Plan) | Annually


CP-2 | ID.AM-5, ID.AM-6, ID.BE-1, ID.BE-5, PR.DS-4, PR.IP-7, PR.IP-9, DE.AE-4, RS.RP-1, RS.CO-1, RS.CO-3, RS.CO-4, RS.AN-2, RS.AN-4, RS.IM-1, RS.IM-2, RC.IM-1, RC.IM-2, RC.CO-3 | Contingency Plan | System Contingency Plans must be reviewed annually and updated when necessary IAW CIO-IT Security-06-29, “Contingency Planning”. | Deliverable (IT Contingency Plan) | Annually


CP-4 | PR.IP-4, PR.IP-10 | Contingency Plan Testing | System Contingency Plans must be tested annually IAW CIO-IT Security-06-29, “Contingency Planning”. | Deliverable (IT Contingency Plan Test Report) | Annually

IR-5 | DE.AE-3, DE.AE-5, RS.AN-1, RS.AN-4 | Incident Monitoring | Incidents must be tracked and monitored to support incident reporting IAW CIO-IT Security-01-02, “Incident Response” and GSA’s “Information Security Program Plan”. | Deliverable (Incident Response Plan) | Annually

IR-6 | RS.CO-2 | Incident Reporting | Incidents must be reported IAW the system’s incident response plan, CIO-IT Security-01-02, “Incident Response”, and GSA’s “Information Security Program Plan”. | Deliverable (Incident Reports) | Annually


IR-8 | PR.IP-7, PR.IP-9, DE.AE-3, DE.AE-5, RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.AN-4, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2 | Incident Response Plan | Incident Response Plans must be reviewed annually and updated when necessary IAW CIO-IT Security-01-02, “Incident Response” and GSA’s “Information Security Program Plan”. | Deliverable (Incident Response Plan) | Annually

PL-2 | PR.IP-7, DE.DP-5 | System Security Plan | System Security Plans must be reviewed annually and updated when necessary IAW CIO-IT Security-06-30, “Managing Enterprise Risk”. | Deliverable (SSP) | Annually


AR-2 | N/A | Privacy Impact and Risk Assessment | PTAs/PIAs must be reviewed annually and updated when necessary IAW the ISPP and GSA Privacy Program requirements. | Deliverable (PTA/PIA as required) | Annually


Appendix B – ISCM Cybersecurity Framework Categories and Subcategories

Table B-1 contains descriptions of the CSF categories and subcategories associated with the ISCM controls in Table A-1. Additional information is available in the NIST CSF document.

Table B-1. ISCM CSF Subcategory Descriptions

CSF Subcategory ID | Description

DE.AE - Anomalies and Events
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2 | Detected events are analyzed to understand attack targets and methods
DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4 | Impact of events is determined

DE.CM - Security Continuous Monitoring
DE.CM-4 | Malicious code is detected
DE.CM-5 | Unauthorized mobile code is detected
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8 | Vulnerability scans are performed

DE.DP - Detection Processes
DE.DP-2 | Detection activities comply with all applicable requirements
DE.DP-3 | Detection processes are tested
DE.DP-4 | Event detection information is communicated to appropriate parties
DE.DP-5 | Detection processes are continuously improved

ID.AM - Asset Management
ID.AM-1 | Physical devices and systems within the organization are inventoried
ID.AM-2 | Software platforms and applications within the organization are inventoried

ID.RA - Risk Assessment


ID.RA-1 | Asset vulnerabilities are identified and documented

PR.DS - Data Security
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition
PR.DS-5 | Protections against data leaks are implemented
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7 | The development and testing environment(s) are separate from the production environment

PR.IP - Information Protection Processes and Procedures
PR.IP-8 | Effectiveness of protection technologies is shared with appropriate parties
PR.IP-12 | A vulnerability management plan is developed and implemented

PR.PT - Protective Technology
PR.PT-3 | Access to systems and assets is controlled, incorporating the principle of least functionality

RS.AN - Analysis
RS.AN-1 | Notifications from detection systems are investigated

RS.CO - Communications
RS.CO-2 | Events are reported consistent with established criteria
RS.CO-3 | Information is shared consistent with response plans

RS.MI - Mitigation
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks
