FISMA Certification Workflow, Communication & Management Framework

 Solving for Security Compliance

 Business Case / Requirements

 Design

 Architecture

 Approach

 User Interface

 Functional Highlights

 Functional Details

 Value Added / ROI

 Company Profile

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Overview

2

Solving for Security Compliance

We believe that a logical and physical security program should be implemented on an agency enterprise level to provide information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another agency, contractor, or other sources . We assist agencies in doing this through the ...A PRISMA Methodology (Program Review for

Information Security Management Assessment).

FISMA / PRISMA Methodology

 Overall Focus

Review the strategic and technical aspects of the logical/physical security program. The review identifies the level of maturity of the security program and the customers and/or corporate ability to comply with existing requirements in (9) topic areas (TA).

Assessment Model

Analyze five levels of compliance maturity: policy, procedures, implementation, test, and integration that employs a standardized approach to review and measure the information security posture of an information security program.

Policy Mapping

TA

Procedures Analysis

& Documentation

Tests Verification &

STE Case Analysis

Implementation

Security Control

Alignment

Integration into

FISMA Lifecycle

6

7

4

5

8

9

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

1

2

3

Management, Operational, and Technical

Areas

Security Management & Culture

Security Planning

Security Awareness, Training, and Education

Budget and Resources

Life Cycle Management

Certification and Accreditation

Critical Infrastructure Protection

Incident and Emergency Response

Security Controls

3

Business Case / Requirements

Modern Information Security Oversight Presents Several Challenges…

• Distributed Risks

• Lack of Visibility / Tracking

• Complex Compliance Frameworks (FISMA, HIPAA, etc.)

• Timeliness

• Certification & Accreditation (C&A) Requirements

• Increasing and hard to manage costs

…That Can Be Overcome By Leveraging A Proven Methodology And A Modern,

Purpose-Built Tool pure

FISMA

enables effective risk management by:

• Providing insight into organizational Risks, distributed or local

• Guiding information gathering & management workflows, from system initiation through continuous monitoring

• Streamlining the review & approval of submitted information systems

• Tracking Events and Notifying in Real-Time

• Delivering high-level compliance metrics for organizational oversight

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 4

Customizable Application Framework

 Highly Scalable

• No account or seat limitations

• Easily adapts to increases in user/data volume

 Interoperable

• Can run on multiple platforms

 Open Architecture

• Allows for future functionality & features to address changes in organizational requirements

 Simplified Enhancement /

Version Deployment

• New features are available to all users instantly, eliminates time and effort of distributed, independent upgrading

Application Capability

User Functionality

 Stakeholder/Responsible

Party/User Management &

Tracking

• Customizable Authentication &

Authorization for Users

 Pre-Populated Security Control

Definitions

• NIST SP 800-53 / SP 800-53(A)

 Input/Edit Security Control

Implementation Statements

• Statements mapped to controls, history and audit trail, and Policy

Management

 One click, detailed reporting

• Scope filters, full search capability

• Linking to POA&M, C&A

Documentation, and Continuous

Monitoring

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 5

Application Overview

The pure FISMA tool is made up of a data model and business logic layer designed to support a compliance workflow management system having a particular set of generalized core features.

• These core features are delivered via a User Interface tailored to Client specifications after requirements have been gathered:

– Role/Group-Based User permissions

– Integration with various Directory Servers for authentication

– Task Management

– Scheduling / Event Triggering

– Subscription-Based Notifications / Reminders

– Notification Center

– Reporting

– Versioning

– Data Import Engine (for importing scan data from 3 rd party vulnerability scanning tools)

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Architecture

User

Interface

Application

Layer

Data Storage

Application Architecture

Technology Environment

Adobe Flex

BlazeDS

•Apache

•IIS

Java

Spring

Hibernate

SQL Database

•Tomcat

•JBoss

•WebSphere

•WebLogic

l

MySQL l

Oracle l

SQL Server

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 7

Application Approach

pure FISMA was designed around 3 distinct audiences or ‘perspectives’, each presenting a particular functional emphasis*:

Organization (e.g., Study Center / Information System)

– Information Input

– Continuous Monitoring

– Asset Management

Compliance (e.g., Mission Assurance Team / Information Security Dept)

– Input Approval/Rejection

– Commenting

Executive (e.g., Program Office / Department Head)

– Aggregation

– Insight

– Communication

*The perspective presented is determined at login based on the authenticated user’s role

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Highlights

Real-Time FISMA Compliance Monitoring

 C&A Workflow Management

• Track/Update C&A progress, Documentation package, and ATO Status

• Document repository with Built-in Revision Tracking and Restore

• POA&M items and Continuous Monitoring tasks

 Configuration Management

• Hardware inventory

• Vulnerability scan files and tracking

• In-place control verification and tracking

 Automatic Event Notification System

• Unified Notification Center

• Subscription-Based Email alerts, including:

– Missing/upcoming control requirements

– Continuous Monitoring Defects

 POA&M Tracking System

• Sort by issue type; control family

• Map to security control; responsible party

• Author (user or accreditation source)

• Scheduled completion date

• Full resolution history

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 9

User Interface

pure FISMA features robust and modern user interface using the latest open source technology to provide highly customizable features.

Advanced

Search & Filtering

Customized,

Real-Time

Dashboard

High-Level Aggregate

Compliance Metrics

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 10

Functional Details – Users & Permissions

pure FISMA includes the following 7 pre-defined roles, which can be extended / tailored based on client requirements:

Organization

User

•Default: Read Only

•Full Control: As Assigned

•Per Control

•Control Family

•Control Class

Admin

•Default: Full Control

•Create Org User

•Assign Responsible Party

•Submit System for Approval

Admin (System Owner)

•Same as Admin

Compliance

User

•Default: Read Only (All Orgs)

•Approve/Reject: As Assigned

•Per Org

Admin

•Default: Approve/Reject (All

Orgs)

•Create Organization Admin

•Create Compliance User

•Assign Org

•Submit System for ATO

User

Executive

•Default: Read Only

•Limited Reporting

Admin

•Default: Full Control

•Create Compliance Admin

•Create Executive User

•Send Broadcast Message

•Full Reporting

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Integration

pure FISMA is designed to leverage existing enterprise directory services for authentication, including:

– Active Directory (Microsoft)

– Open Directory (Apple)

– eDirectory (Novell)

– Oracle Internet Directory

– ApacheDS (open source)

– OpenDS (open source)

Additionally, pure FISMA can support multifactor authentication schemes, including:

– Complex device identification

– Mobile (via SMS)

– Others (may require additional hardware / software)

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Task Management

pure FISMA’s

POA&M list:

– Automatically adds items based on deficiencies identified during:

• Continuous Monitoring

• Security Assessment

– Manually add items based on deficiencies identified during other assessments:

• Privacy Impact Assessment

• Risk Assessment pure FISMA provides each user with a personalized task list, including:

– User-Defined Tasks

• Can be manually associated with one or more security controls

– Auto-Generated Tasks (e.g., expiring control)

– Automated Reminders

• In-Application reminders via Notification Center

• Outbound email reminders

– Automated POA&M Integration

• When a deficiency affecting a particular security control is added to the POA&M list, a task is automatically created for the party responsible for that control

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Schedules & Triggers

pure FISMA understands the importance of timeliness in the C&A process as well as

Continuous Monitoring and assists system owners and users by:

– Accepting user-defined frequencies for security controls requiring regular review

– Allowing users to define the reminder ‘window’

• How early the reminder notification is sent

– Automatically notifying responsible parties and system owners when a required review has not taken place

• A task is automatically created when a required/scheduled review is missed

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Notifications & Messaging

pure FISMA accumulates all notifications, reminders, and messages in a unified

‘Notification Center’.

• Items may be added to a user’s notification center based on their:

– Organization / System

– Role (User, Admin, Admin Owner)

– Responsible Party (per control, family, class)

– Subscription Preferences

• Subscribable events include:

– Control Updated

– Control Reminder

– Control Expiration

– System Updated

– System Reminder

– Asset Added

– Broadcast Message

– POA&M Added

– POA&M Updated

– POA&M Reminder

– Continuous Monitoring

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Reporting & Documentation

pure FISMA provides robust reporting within all three perspectives, built to detailed specifications gathered from the client.

• Examples include:

– Aggregate Stats (Counts, Avgs, etc)

– ATO Status

– Security Posture / FISMA Compliance

– Continuous Monitoring Activity

– pure FISMA usage statistics

Additionally, pure FISMA can use information stored in its database to produce formatted, downloadable documents for hardcopy archival and distribution

– Study Center Security Plan

– Study Center Security Assessment

– Hardware Inventory

– POA&M

– ATO Letter

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Versioning

• Inputs

– All informational changes made to the system are fully tracked and auditable

• Downloadable transaction logs available to Organization Admin user in .csv format

– Security Control Implementation Statements are versioned with incremental rollback

– All changes to POA&M list are versioned

• Asset Repository

– Selected file-based assets are versioned on upload :

• Study Center Security Plan (if provided)

• Risk Assessment

• Study Center Security Assessment

• Privacy Impact Assessment

• POA&M

• Network Topology Diagram

• Policies & Procedure Documents

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Functional Details – Data Import

Currently being designed, pure FISMA will include a data import engine to analyze the output files of selected vulnerability scanning tools. When in place, the import engine will allow for increased automation of vulnerability scan interpretation and remediation tracking, as described below:

1.

Scan file is uploaded and added to the Asset Repository

2.

File is parsed and resulting details stored in database

3.

Discovered devices are compared existing hardware inventory

4.

Vulnerability details evaluated and mapped to security controls

5.

POA&M item created based on vulnerability or device details and impact to related security control

6.

Notification sent to user assigned to affected control / system owner

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved

Company Profile

 Founded in 2004

 Service Disabled Veteran Owned Small

Business (SDVOSB) – Retired USAF

 Woman Owned Small Business

 Performed over $75 million in services

 Contract Vehicles:

– GSA IT Schedule 70

– GSA/OMB MOBIS Schedule 847

Awards:

– Named HP BSA Implementation Partner of the Year in 2010

– Designated one of the fastest growing companies in America by Inc. 500/500 in

2011

Service Disabled

Veteran Owned

Small Business

(SDVOSB)

Pure Integration, LLC Confidential & Proprietary, All Rights Reserved 19