Cyber Security Assessment & Management (CSAM): Highlight of Capabilities (slide transcript)

Date posted: 15-Jan-2016
Page 1: CSAM Highlight of Capabilities

Cyber Security Assessment & Management (CSAM)

Comprehensive FISMA Compliance, Management & Reporting: Five Services, One Complete FISMA Solution

1. Risk-Based Policy & Implementation Guidance
2. Program Management Plan
3. Subordinate System SSP
4. Management Reporting
5. Training & Quarterly Workshops

Demonstration Days: Friday (3/16), 9am - noon; Monday (3/19), 9am - noon

Page 2: Risk-Based Policy & Implementation Guidance

Cyber Security Assessment & Management (CSAM), service 1 of 5

1. Risk-Based Policy & Implementation Guidance: Threats and Vulnerabilities | Roles – Responsibilities – Privileges | Standards
2. Program Management Plan
3. Subordinate System SSP
4. Management Reporting
5. Training & Quarterly Workshops

Page 3: Risk-Based Policy & Implementation Guidance (overview)

Tabs: Threats and Vulnerabilities | Roles – Responsibilities – Privileges | Standards

Page 4: Risk-Based Policy & Implementation Guidance - Roles – Responsibilities – Privileges

Tabs: Threats and Vulnerabilities | Roles – Responsibilities – Privileges (selected) | Standards

Page 5: Risk-Based Policy & Implementation Guidance - Standards

Tabs: Threats and Vulnerabilities | Roles – Responsibilities – Privileges | Standards (selected)

Standards tab contents: Security Control Set, Test Cases, Expected Results, Compliance Guidance & Descriptions, Subject Matter Expertise

Page 6: Program Management Plan (overview)

Cyber Security Assessment & Management - Program Management Plan

Tabs: Enterprise System Inventory | Performance Dashboard | Cost Guidance | Document Appendices & Templates | PMP Table of Contents

Page 7: Program Management Plan - Performance Dashboard

Tabs: Enterprise System Inventory | Performance Dashboard (selected) | Cost Guidance | Document Appendices & Templates | PMP Table of Contents

Page 8: Program Management Plan - Cost Guidance

Tabs: Enterprise System Inventory | Performance Dashboard | Cost Guidance (selected) | Document Appendices & Templates | PMP Table of Contents

Cost figure visible on the slide: $14,903

Page 9: Program Management Plan - Document Appendices & Templates

Tabs: Enterprise System Inventory | Performance Dashboard | Cost Guidance | Document Appendices & Templates (selected) | PMP Table of Contents

Page 10: Program Management Plan - Table of Contents

Tabs: Enterprise System Inventory | Performance Dashboard | Cost Guidance | Document Appendices & Templates | PMP Table of Contents (selected)

Enterprise Program Management Plan Table of Contents
• Missions, Strategic Goals, Objectives, Systems
• IT Security Management Strategy
• Core Program Management Approach
• Organization of the IT Security Program
• IT Security Program External Guidance
• IT Security Program External Interfaces
• Roles & Responsibilities
• FISMA Reporting
• Program Implementation
• IT Security Goals and Action Plans

Page 11: Subordinate System SSP (overview)

Cyber Security Assessment & Management - Subordinate System SSP

Tabs: System Security Plan (SSP) | Scope | Category | Inheritance (common controls) | Artifacts | POA&Ms

SSP
• Risk Assessment
• Threats - Impact
• Risk Control Requirements (linked to policy through the SRTM)

SSP body
1. System Identification
2. System Operational Status
3. General Description / Purpose
4. System Environment
5. System Interconnections / Information Sharing
6. Sensitivity of Information Handled
7. Planning for Security in the Life Cycle
8. Security Control Measures

SSP Appendices
Appendix D: Requirements (RTM)
Appendix E: ST&E Plan and Procedures
Appendix F: Certification Results
Appendix G: Risk Assessment (RA) Results
Appendix H: Certifier's Recommendation
Appendix I: System Security Policy
Appendix J: System Rules of Behavior (ROB)
Appendix K: Security Operating Procedures
Appendix L: Contingency Plan(s)
Appendix M: Security Awareness Training Plan
Appendix O: Incident Response Plan
Appendix P: MOA / Service Level Agreements (SLA)
Appendix Q: Configuration Management Plan
Appendix R: Accreditation Statement & Documentation
Appendix S & T: Hardware & Software Listings
Appendix U: C&A Schedule

Page 12: Subordinate System SSP - Scope

Tabs: SSP | Scope (selected) | Category | Inheritance (common controls) | Artifacts | POA&Ms

RTM factor scoping

Page 13: Subordinate System SSP - Category

Tabs: SSP | Scope | Category (selected) | Inheritance (common controls) | Artifacts | POA&Ms

NIST SP 800-60 reference material (security categorization)

Page 14: Subordinate System SSP - Inheritance (common controls)

Tabs: SSP | Scope | Category | Inheritance (common controls) (selected) | Artifacts | POA&Ms

Page 15: Subordinate System SSP - Artifacts

Tabs: SSP | Scope | Category | Inheritance (common controls) | Artifacts (selected) | POA&Ms

Page 16: Subordinate System SSP - POA&Ms

Tabs: SSP | Scope | Category | Inheritance (common controls) | Artifacts | POA&Ms (selected)

Auto-generated POA&Ms
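The slides state that POA&Ms are auto-generated from the SSP assessment but do not say how. The Python below is an added illustration of the mechanism the deck describes, not CSAM code: it takes a control set in the shape of the Standards tab (control, test case, expected result), factors out controls inherited from a common-control provider (the deck's "Inheritance (common controls)" and "RTM factor scoping"), compares observed against expected results, and opens one POA&M per failed system-level control. The control identifiers (NIST SP 800-53 style), the severity scale, the remediation deadlines and the sample results are all assumed or constructed for the example.

```python
"""Added illustration (not CSAM code): from control test results to POA&Ms.

Everything here is assumed: the control IDs (NIST SP 800-53 style), the
severity scale, the remediation deadlines and the sample results are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class TestCase:
    """One row of the control set: control, test procedure, expected result."""
    control_id: str
    procedure: str
    expected: str
    severity: str          # "High" | "Moderate" | "Low" (assumed scale)


@dataclass(frozen=True)
class Finding:
    control_id: str
    observed: str
    passed: bool


@dataclass(frozen=True)
class POAM:
    poam_id: str
    system: str
    control_id: str
    weakness: str
    severity: str
    scheduled_completion: date
    status: str = "Open"


# Assumed remediation deadline per severity; not DOJ policy.
SLA_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


def scope_controls(control_set: List[TestCase], inherited: Dict[str, str]) -> List[TestCase]:
    """RTM factor scoping: controls inherited from a common-control provider are
    not tested at the subordinate-system level, only cited as inherited."""
    return [tc for tc in control_set if tc.control_id not in inherited]


def assess(scoped: List[TestCase], observed: Dict[str, str]) -> List[Finding]:
    """Compare observed against expected results. A control with no observed
    result is recorded as failed: untested is not compliant."""
    findings = []
    for tc in scoped:
        actual = observed.get(tc.control_id, "<not tested>")
        findings.append(Finding(tc.control_id, actual, actual == tc.expected))
    return findings


def generate_poams(system: str, scoped: List[TestCase],
                   findings: List[Finding], today: date) -> List[POAM]:
    """Open one POA&M per failed finding, with a deadline driven by severity."""
    by_id = {tc.control_id: tc for tc in scoped}
    poams = []
    for n, f in enumerate((f for f in findings if not f.passed), start=1):
        tc = by_id[f.control_id]
        poams.append(POAM(
            poam_id=f"{system}-{today:%Y}-{n:03d}",
            system=system,
            control_id=tc.control_id,
            weakness=f"{tc.procedure}: expected '{tc.expected}', observed '{f.observed}'",
            severity=tc.severity,
            scheduled_completion=today + timedelta(days=SLA_DAYS[tc.severity]),
        ))
    return poams


# --- Constructed sample data (not from the deck) -----------------------------
CONTROL_SET = [
    TestCase("AC-2", "Review account list for separated users",
             "0 active accounts for separated users", "High"),
    TestCase("AU-2", "Verify logon success/failure auditing is enabled",
             "enabled", "Moderate"),
    TestCase("CP-9", "Confirm a restore from backup was tested in the last 12 months",
             "restore tested", "Moderate"),
    TestCase("PE-3", "Verify badge-controlled access to the server room",
             "badge readers active", "Low"),
    TestCase("AT-2", "Confirm staff completed annual awareness training",
             "100% complete", "Low"),
]
# Common controls this system inherits, with their provider.
INHERITED = {"PE-3": "Facilities common-control provider",
             "AT-2": "Enterprise security awareness program"}
# Observed results for the system-level test; CP-9 was never tested.
OBSERVED = {"AC-2": "2 active accounts for separated users",
            "AU-2": "enabled"}


def run_example(today: date = date(2007, 3, 16)) -> List[POAM]:
    scoped = scope_controls(CONTROL_SET, INHERITED)
    return generate_poams("SYS-A", scoped, assess(scoped, OBSERVED), today)


if __name__ == "__main__":
    for p in run_example():
        print(p.poam_id, p.control_id, p.severity, p.scheduled_completion, "-", p.weakness)
    for cid, provider in INHERITED.items():
        print(cid, "inherited from", provider, "(no system-level POA&M)")
```

Two points a practitioner would want from any such generator: an untested control produces a POA&M rather than silently passing, and an inherited control produces none at the system level, because the weakness, if any, belongs to the provider's POA&M, not the subordinate system's.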

Pages 17-18: Subordinate System SSP - POA&Ms (continued)

Tabs: SSP | Scope | Category | Inheritance (common controls) | Artifacts | POA&Ms (selected)

Page 19: Management Reporting - Enterprise

Cyber Security Assessment & Management - Management Reporting

Tabs: Enterprise | System | Regulatory | Ad hoc

Figure: organizations A through J roll up into FISMA Reports and an Agency Dashboard (performance metrics & compliance status).

Page 20: Management Reporting - Enterprise (continued)

Tabs: Enterprise | System | Regulatory | Ad hoc

FISMA Reports; Audit Logs

Page 21: Management Reporting - System

Tabs: Enterprise | System (selected) | Regulatory | Ad hoc

System Security Plan (with hyperlinks)

Page 22: Management Reporting - System (continued)

Tabs: Enterprise | System (selected) | Regulatory | Ad hoc

Page 23: Management Reporting - Regulatory

Tabs: Enterprise | System | Regulatory (selected) | Ad hoc

PTA; PIA

Page 24: Management Reporting - Ad hoc

Tabs: Enterprise | System | Regulatory | Ad hoc (selected)

Page 25: Training

Cyber Security Assessment & Management - Training

Annual training requirement, by track (dates as shown on the slide):

Leadership Track
  Executive Overview: 4/5, 4/20, 5/18

Response Track
  Incident Response: 1/31, 2/06, 3/07
  IT Contingency Planning: 1/31, 2/06, 3/07

Planning Track
  IT Sec Planning & Mgmt: 4/19, 5/17, 6/21
  Separation of Duties: available online 4/1

IT Security Operations and Technology Track
  Protecting the Computing Environ.: 3/22, 4/19, 5/17, 6/21
  Security Expressions @DOJ: tbd
  Foundstone @DOJ: 3/29
  Vulnerability & Config Sec Mgmt: 3/21, 4/18, 5/16, 6/20
  AppDetective @DOJ: tbd

Target audiences listed on the slide: CIO, AO, CISO, CA; ALL; ISSM, ISSO; SA; and those responsible for FS (Foundstone), SE (Security Expressions), AD (AppDetective), CP (contingency planning) and IR (incident response).

Quarterly: CSAM Toolkit (Cyber Sec. Assessment & Mgmt)
  Training for new users: 3rd Friday each month
  Training Workshop: 3rd Friday each month
  Audience: CA, ISSM, ISSO, SA, Aud., User Reps

Page 26: CSAM C&A Web Architecture

Components: SQL Server 2005 database, database application, web server.

CSAM C&A Client Website
• ASP.NET 2.x website
• Runs on IIS 5.1 or later
• Uses Crystal Reports Runtime
• Browsers: Internet Explorer, Netscape

SSP Generator Application
• VB.NET application
• Processes SSP requests
• Returns the completed SSP to the database
• Uses Microsoft Word to generate documents

C&A Web Daily Process
• VB.NET application
• Removes temporary files when no longer needed
• Nightly processing to run account management and POA&M approval routines

Page 27: TrustedAgent Architecture

Figure: Bureau Staff, OCIO FISMA Management and System Staff on the Agency Intranet reach the Web and Application Server through web browsers over SSL; the application server talks to the Oracle Database Server over JDBC; outputs are OMB POA&Ms and Metrics, and Reports.

OS: Windows Server platform
Database: Oracle 8i, 9i, 10g
Web/App Server: Tomcat 4.x, 5.x; JRun 4.x; IIS 5+; Apache 1.3+
Browser: Internet Explorer 5.5+, Netscape 7.1+
Memory: 4 GB+
Disk space: 100 GB+
Processing: 2 CPUs, 2+ GHz each

Industry Standard! Scalable Technology!

(The platform versions above are those listed on the slide; every one of them has since reached end of vendor support.)

Page 28: Familiarization Demonstrations

Cyber Security Assessment & Management (CSAM)

Familiarization Demonstrations:
  Friday, March 16th: 9am – noon
  Monday, March 19th: 9am – noon

Target audience: SSC Solutions Decision Makers, C&A Functional Users, IT Configuration Technicians

Reservations required.

For further information*: a @usdoj.gov mailbox (address redacted in the source); Ken Gandola, 202-353-0081; Jim Leahy, 202-353-8741 (their @usdoj.gov addresses are also redacted in the source).

* Please have agency project leads coordinate inputs for your agency or identify your position and project role with your inquiry.