Navigating the Maze of Shifting Cyber Security Policies
An e-Management Webinar

Presenter: Rick Randall, PMP, ITILF v3, CISSP
Feb. 25, 2009
Call-in #: 1.866.740.1260  Access code: 3214011

Corporate Headquarters:
1010 Wayne Avenue, Suite 1150
Silver Spring, Maryland 20910
301.565.2988 Telephone
301.565.2995 Facsimile
www.e-mcinc.com

Satellite Offices:
80 M Street, S.E., Suite 715
Washington, DC 20003
13800 Coppermine Road, Suite 221
Herndon, Virginia 20171

SBA certified 8(a), woman-owned, minority-owned small business

e-Management - Proprietary Information
Agenda

- Understanding the Maze: Cyber Security Policy Background
- Changes Underway and Changes Predicted
- Navigating the Maze in Your Organization
- Recap
The Maze – Cyber security policy background
The FISMA Law

FISMA, the Federal Information Security Management Act of 2002*, makes the head of each federal agency responsible for:

§ 3544 (a)(2)(C): "implementing policies and procedures to cost-effectively reduce risks to an acceptable level"

* FISMA is published as Title III of the E-Government Act of 2002, Public Law 107-347
The Maze – Cyber security policy background
Other Applicable Federal Laws

- Other public laws (P.L.) affecting cyber security policy implementation in federal agencies include:
  - P.L. 97-255: Federal Managers' Financial Integrity Act of 1982 (FMFIA)
  - P.L. 104-106: Clinger-Cohen Act of 1996
  - P.L. 104-191: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - P.L. 104-208: Federal Financial Management Improvement Act of 1996 (FFMIA)
  - Agency-specific legislation requiring protection of data
The Maze – Cyber security policy background
Office of Management and Budget (OMB) Circulars and Memoranda

- OMB is empowered by the Clinger-Cohen Act and FISMA to define government-wide directives for cyber security. These include, for example:
  - OMB Circular A-130, Appendix III: long-standing policy defining agency security responsibilities
  - OMB Memoranda M-07-11 and M-08-22: Federal Desktop Core Configuration (FDCC)
  - OMB Memoranda M-06-16, M-07-16, and M-08-21: requirements related to Personally Identifiable Information (PII) protection
  - OMB Memoranda M-08-05 and M-08-27: Trusted Internet Connections (TIC)
The Maze – Cyber security policy background
Policy Hierarchy (figure)

The Maze – Cyber security policy background
Policies are a Subset of Requirements (figure)
The Maze – Cyber security policy background
Policies Versus Suggestions

Good policies use compulsory language, such as: | Weak or ineffective policies use discretionary language, such as:
----------------------------------------------- | -----------------------------------------------------------------
Shall                                           | Should
Required                                        | When possible
Directed to                                     | Advised to
Mandatory                                       | Recommended
Compliant with                                  | Observing best practices
Conform to                                      | As needed
Annually / Quarterly                            | Regularly

Suggestions do not belong in POLICY documents.
Cyber security changes underway and changes predicted
Changes Currently Underway – Overview

- First, which change trends are likely not to change soon?
- NIST's Risk Management Framework (RMF)
- Changes to NIST's security controls Special Publication, SP 800-53
- Changes in NIST's Certification and Accreditation (C&A) guidance
- The future of FISMA?
Cyber security changes underway and changes predicted
Change trends which are likely to continue

- Increasing emphasis by OMB and NIST on secure configurations
  - Federal Desktop Core Configuration (FDCC): likely not going away
  - Expect to see server platforms addressed in the future
- Increasing emphasis on the automation of testing
  - We currently see this for FDCC compliance (OMB M-08-22 requires SCAP-validated tools for the compliance checks)
  - Policy mandates may expand into other types of security testing
  - Expect future mandates on agencies to utilize NIST SP 800-53A for Security Test and Evaluation (ST&E)
Cyber security changes underway and changes predicted
NIST's Risk Management Framework (1)

- Defined in draft NIST Special Publication (SP) 800-39
- Integrates several NIST publications into a coherent risk-based structure
- Describes a risk executive function having an organization-wide risk perspective
Cyber security changes underway and changes predicted
NIST's Risk Management Framework (2)

Plusses / Benefits:
- Provides clarity for the FISMA mandate to "reduce risks to an acceptable level"
- Explains security management in the context of a life cycle
- Integrates the concepts of several existing publications

Pitfalls / Yellow Flags:
- The Risk Management Framework (RMF) is not a policy; policies will have to be modified to require use of the RMF
- The RMF by itself does not ease the paperwork burden of the underlying component publications (NIST SPs 800-60, 800-53, etc.)
Cyber security changes underway and changes predicted
Easing the Paperwork Burden through Risk Management Automation

- Consider NIST SP 800-60:
  - 357 pages of material spanning two volumes
  - Improper security categorization is a frequently cited finding in Inspector General (IG) reports
  - Automation of the 800-60 analysis reduces errors and saves hours of time

(Figure: automation of NIST SP 800-60 analysis)
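The core of an SP 800-60 categorization is mechanical and therefore automatable: each information type a system handles carries a provisional impact level for confidentiality, integrity and availability; FIPS 199 takes the high-water mark of each objective across all the types (floored at "low", since "n/a" is permitted only for the confidentiality of an individual information type, never for a system); and the highest of the three objectives is the overall impact level that selects the SP 800-53 baseline. The script below is an added example of that aggregation, written for this page and not code from the webinar or from e-Management's e-Gov RPM product. The information types, their names and their impact levels are constructed, not taken from SP 800-60 Volume II. It also reports which information types drive each objective's level, which is exactly what an analyst needs when deciding whether a downgrade (e.g. High to Moderate, as the "work smarter" slide later recommends) is defensible.

```python
"""FIPS 199 security categorization over SP 800-60 information types.

Added illustration, not code from the webinar or from e-Management.
The information types and impact levels in SAMPLE_TYPES are constructed;
real provisional levels come from NIST SP 800-60 Volume II.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Rank order for the FIPS 199 high-water mark. "n/a" is allowed only for the
# confidentiality objective of an information type (e.g. public information);
# a system never carries "n/a", so the system-level floor is "low".
RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
NAME = {rank: level for level, rank in RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# (information type name, objective) -> documented, justified level
Adjustments = Dict[Tuple[str, str], str]


@dataclass(frozen=True)
class InfoType:
    """One SP 800-60 information type with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _level(info_type: InfoType, objective: str, adjustments: Adjustments) -> str:
    """Provisional level, overridden by a documented adjustment if one exists."""
    level = adjustments.get((info_type.name, objective),
                            getattr(info_type, objective)).lower()
    if level not in RANK:
        raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
    if level == "n/a" and objective != "confidentiality":
        raise ValueError(f"{info_type.name}: 'n/a' is only valid for confidentiality")
    return level


def categorize_system(info_types: Iterable[InfoType],
                      adjustments: Optional[Adjustments] = None) -> Dict[str, object]:
    """Aggregate information types into a FIPS 199 system security category.

    For each objective the system level is the highest level of any
    information type (high-water mark), floored at "low"; the overall impact
    level is the highest of the three objectives and selects the SP 800-53
    baseline. `adjustments` records justified changes to provisional levels
    before aggregation. "drivers" lists the information types that set each
    objective's level, i.e. the ones to re-examine before any downgrade.
    """
    types = list(info_types)
    adjustments = adjustments or {}
    hwm = {obj: RANK["low"] for obj in OBJECTIVES}
    for it in types:
        for obj in OBJECTIVES:
            hwm[obj] = max(hwm[obj], RANK[_level(it, obj, adjustments)])
    result: Dict[str, object] = {obj: NAME[hwm[obj]] for obj in OBJECTIVES}
    result["overall"] = NAME[max(hwm.values())]
    result["drivers"] = {
        obj: [it.name for it in types
              if RANK[_level(it, obj, adjustments)] == hwm[obj]]
        for obj in OBJECTIVES
    }
    return result


# Constructed sample: a benefits system that also publishes public notices.
SAMPLE_TYPES: List[InfoType] = [
    InfoType("Public notices", "n/a", "low", "low"),
    InfoType("Beneficiary records", "moderate", "moderate", "low"),
    InfoType("Emergency notification", "low", "moderate", "high"),
]


if __name__ == "__main__":
    before = categorize_system(SAMPLE_TYPES)
    print("provisional:", before)  # overall "high", driven by Emergency notification availability
    # A documented, defensible adjustment of one information type changes the baseline.
    after = categorize_system(
        SAMPLE_TYPES, {("Emergency notification", "availability"): "moderate"})
    print("adjusted:  ", after)  # overall "moderate"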
Cyber security changes underway and changes predicted
NIST SP 800-53 Changes
 Initial Public Draft of NIST SP 800-53 Revision 3 was
posted on February 5, 2009. Proposed changes in this
draft include:
– Eight (8) new System and
Communications Protection
(SC) controls
– Fifteen (15) new security
controls overall
– Sixteen (16) security controls
withdrawn
– Total controls: 101 for low
impact, 151 for moderate, and
162 for high impact systems
Too much to
track manually
in MS-Word
documents!
14
e-Management - Proprietary Information
Cyber security changes underway and changes predicted
Changes to NIST C&A Guidance
 NIST has also posted draft Revision 1 to SP 800-37 on
its web site. The proposed changes include:
– Renaming “C&A” to the “Security Authorization Process”
– Linking directly to the Risk Management Framework of
SP 800-39, and addressing the entire life cycle of
systems
– Modifying roles, such as renaming the Certification Agent
role to Security Control Assessor, renaming the DAA role
to Authorizing Official , and introducing the risk executive
function
– Providing more specificity on required activities in the
process – Now totaling thirty three (33) “tasks”
15
e-Management - Proprietary Information
Cyber security changes underway and changes predicted
Additional Changes Predicted
 Possible new presidential directive topics
– Revisions to Homeland Security Presidential Directive 7
(HSPD-7) regarding critical infrastructure responsibilities
 Possible new OMB Memoranda topics from the
Obama administration
– Strengthening of acquisition rules for outsourced IT
functions
– Specific direction regarding supervisory control and data
acquisition (SCADA) systems
– Network security testing and network hardening for
Trusted Internet Connections (TIC)
16
e-Management - Proprietary Information
Cyber security changes underway and changes predicted
The Future of FISMA?
 At some point, the Congress will likely amend
or modify the FISMA law
– Has the current FISMA law been helpful since
2002?
• Accountability has improved
• Some improvements have occurred in the
identification/inventory of systems
– How might the FISMA law change?
• Possibly a greater emphasis on testing
• Possibly more prescriptive responsibilities for agencies
• (Less likely) private sector requirements
17
e-Management - Proprietary Information
Applying Policy Changes Locally
Navigating the Maze in Your Organization (1)
 Recall the policy hierarchy. What can you do to
navigate policy changes in your immediate
organization?
– Ensure first that you have clarity about Roles and
Responsibilities
• Who implements C&A/security authorization services?
• Who implements technical solutions? Who monitors them?
• Who decides on policy waivers or exceptions?
– Remove ambiguities wherever you can
• Define specific frequencies of when things must be done
• Invoke specific standards in your policies – Don’t reinvent the
wheel in policy documents
• Provide a realistic waiver/deviation/exception mechanism
18
e-Management - Proprietary Information
Applying Policy Changes Locally
Navigating the Maze in Your Organization (2)

Work smarter, not harder
– Revisit FIPS 199 ratings on systems at least annually –
Downgrade a FIPS 199 rating (e.g., High to Moderate) when
appropriate and defensible
– Automate artifact and report generation: Steer away from
endless manual MS-Word/MS-Excel document updating
– Mandate greater testing and monitoring rigor in policies for the
systems that truly affect the mission
– Provide specific policy direction regarding who resolves
“mission” questions (i.e., the risk executive function)
– Automate your risk collection and reporting to measure your
organization’s risk posture
19
e-Management - Proprietary Information
Recap
 FISMA requires federal agencies to develop
policies to reduce risks to an acceptable level
 Changes are occurring on many fronts including:
Security configurations, organizational risk
management, NIST 800-53 controls, and C&A
guidance among others
 Greater testing requirements for networks and
SCADA systems may emerge
 Automation is necessary to work smarter and
make the best use of your scarce resources
20
e-Management - Proprietary Information
Q&A
 e-Management
 Rick Randall
Director, Strategic IT Solutions and
e-Gov RPM™ Product Manager
rrandall@e-mcinc.com
1010 Wayne Avenue, Suite 1150
Silver Spring, MD 20910
Phone: 301.565.2988
Fax: 301.565.2995
www.e-mcinc.com
info@e-mcinc.com
Save the Date! Next webinar April 28!
21
e-Management - Proprietary Information
Download