an OA pilot program, including anti-virus, configuration settings, hardware asset management, software whitelisting/asset management, and vulnerability management. After going through various levels of approval (at the USCIS level and the DHS level), the AO (the CIO) approved USCIS's admission into the OA pilot program. This involved monthly collaborative ORMB meetings where Information System Security Officers (ISSOs) discussed security patches and compliance and monitored the system administrators' automated reports of intranet, database, and operating system scans. In addition to the RMF, FISMA requirements, and NIST guidance, USCIS also followed the in-house DHS 4300 policy.

Under USCIS, only four systems were enrolled in May 2013 at the beginning of the pilot program. By August 2013, the OA pilot program covered 12 DHS systems, with an equal number per component. By July 2016, 96 systems were enrolled in the OA program at the DHS level, according to the Inspector General report. Today there are 42 systems enrolled in the OA program under USCIS.

FISMA ACCESS MANAGEMENT AND INFORMATION SECURITY SERVICES (FAMISS)

DHS's FAMISS contract supports the USCIS Chief Information Security Officer's (CISO's) Information Security Division (ISD) in providing a holistic, risk-based approach to information security through the following work streams:

1. Security Engineering supports the Cyber Defense Branch, which focuses on CDM using various scanning tools, Tenable Security Center (a repository for Nessus scans), and Splunk as a data aggregator that presents data in user-friendly dashboards.

2. Compliance supports the Risk Management Branch, which manages ISSO support, training, governance, and continuous monitoring through OA.

3. Identity, Credential and Access Management, led by Joy Robbins, ISSO, focuses on controlling access to Office of Information Technology resources with multi-factor authentication, account provisioning, and re-certification.

The Security Engineering team also supports several security-related initiatives, including Security Operations Center exercises, penetration tests, threat modeling, and code review. These enterprise-wide initiatives are important for maintaining an acceptable risk posture. The team supports management efforts to address system vulnerabilities and develops a custom application to manage system inventory across the enterprise.

COMPLIANCE

The compliance work stream uses tools to capture and record six months of trending data (including vulnerability spikes) with monthly reviews. The team also uses the data as evidence of compliance in case of audit. The compliance work stream focuses on the implementation of RMF Steps 4, 5 and 6. See Figure 2.

As part of OA monitoring, Silvia Ruiz says that the OA Team compiles trending data to provide a near real-time status of systems and the agency's overall security posture. Support teams collaborate to ensure that the systems remain in compliance with NIST guidance and DHS policy. Senior Security Officials facilitate the USCIS OA program through regular system reviews via collaborative ORMB meetings. The OA Team prepares a quick-glance data trending PowerPoint slide highlighting the systems' security posture, compiled from the vulnerability scans, authorization documentation, POA&M status and remediation efforts, and compliance with the DHS OA methodology; collectively this is called the ORMB Scorecard.

ISSOs and assessors follow a schedule and standard for testing controls outlined in the Control Allocations Table (CAT). USCIS uses a contractor-developed spreadsheet mapped to NIST guidance and DHS policy that factors in applicable common controls. The CAT recommends test procedures and evidence and has been instrumental in helping ISSOs identify failing or potentially outdated controls.

With a DHS-provided TRigger and Accountability Log (TRAL), ISSOs document any change or potential issue that could impact the system's security posture, arising from contract changes, new releases, the status of POA&Ms, technical refreshes, critical and high vulnerabilities, etc. USCIS considers risk identification and tracking via the TRAL a key component of the OA program.
KEY #1: COLLABORATION

USCIS has developed a culture of collaboration among all stakeholders involved, including ISSOs, Privacy, the OA Manager, various teams, etc. Collaboration and communication, both internal and external, are important for successful implementation of a holistic, risk-based approach to information security. The teams across all three work streams collaborate to improve efficiency by sharing information and best practices, discussing the program's status, strategizing and leveraging resources on heavy-lift tasks, and brainstorming solutions. Megan Kane thought the layout of the contract's task structure helped with efficiency by providing opportunities for reach-back support. If necessary, teams were also able to contact the contracting team supporting DHS's Federal Emergency Management Agency (FEMA), which also participates in OA.

Additionally, direct interactions with the client proved helpful. USCIS's ISD federal leads also work collaboratively across the work streams.

As each task area supports continuous monitoring, this collaborative effort has significantly benefited the OA program: open communication allows the client to make informed decisions and produces effective results.

KEY #2: FLEXIBILITY

Being flexible is a contributor to USCIS's success. Originally, there was less guidance because OA was relatively new and agencies were still trying to understand how to implement OA effectively and efficiently. In many cases, USCIS had to develop its own standards by leveraging others' experiences and running test cases to determine what worked.

For instance, understanding time restrictions, the team recommended shorter and more frequent ORMB meetings with focused discussion, as opposed to reviewing all systems in one day. The new format allowed the client to accomplish more and allowed the systems' support teams to join. "We try to think ahead," said Ms. Kane.

Additionally, they learned to think strategically about what information might be helpful to the client and how to get better inputs. It is important to continuously assess OA programs, to see what is and is not working, as well as to review the OA methodology to focus on DHS's intentions for the Department. In doing so, the team can identify opportunities to streamline processes and procedures and help USCIS maintain its position as a leader in OA implementation. Fortunately, the USCIS CISO encourages innovation, researching current and emerging tools and technology, and using industry best practices to stay ahead of the game.

KEY #3: TRANSPARENCY WITH DATA

The goal of continuous monitoring is to have a dashboard for ISSOs to use. They can use the dashboard to identify the top 10 vulnerabilities and prioritize remediation according to the risk level. Several tools assist the ISSO in managing the system and complying with DHS requirements. ISSOs are continuously up to date on their systems and can identify risks faster than with the previous, pre-OA quarterly model. ISSOs are responsible for validating and maintaining accurate asset inventories in Security Center 5 (SC5). ISSOs have access to near real-time scan data. For manual processes, ISSOs receive detailed reports within one business day. Monthly reviews, which escalate issues to the OA Manager and obtain concurrence and/or new direction on risk-based decisions, support the goal of accountability. The AO also receives monthly briefings on the security posture of systems, escalated risks (triggers), and weakness remediation plans, or WEARs.

Improvements to the OA program include re-focusing on more POA&M oversight and accountability, as well as remediating vulnerabilities and applying patches more efficiently. Applying OA-provided insight into the systems' security posture leads to fewer surprises, mitigated risk, and communication that leads to action by the appropriate authorities. Implementing OA has raised overall awareness at DHS.

KEY #4: EXPERIENCE

Implementing a successful OA program can be complicated without clear guidance and a roadmap. DHS looks to experienced contractors to provide the necessary guidance and innovation to achieve high levels of success. Kane and King said they were lucky to have resources on the contract who know and understand NIST guidance, DHS policy, and the supporting RMFs.

KEY #5: TRAINING

Another key factor for a successful OA program is ensuring that resources have access to the knowledge and tools necessary to complete their work. USCIS values training so much that it has dedicated an entire team to ensuring the support teams have the tools they need and know how to use them. USCIS offers a 3-day Basic Training course for ISSOs and support teams focusing on roles and responsibilities, compliance, how to use the tools, drafting documentation, and vulnerability scanning.

"The training team on HHS ESPS is similar but even better because there's more involvement in terms of financial and personnel resources, as well as interest from the agency staff."
Additionally, the Training Team hosts monthly brown bag sessions focused on specific issues or tools.

With the five keys of DHS's success, they kept ahead of the threats by constantly striving to do more testing and by treating risks as opportunities to protect against vulnerabilities.

APPLICATION IN REAL-TIME

HHS-SPECIFIC APPLICATION

According to FITARA, HHS's responsibilities are to manage the following: (1) a comprehensive inventory of data centers owned, operated, or maintained by or on behalf of the agency; and (2) a multi-year strategy to consolidate and optimize inventoried data centers. FITARA requires such strategies to include performance metrics, timelines, and year-by-year calculations of investment and cost savings to measure progress toward meeting the goals of the Federal Data Center Consolidation Initiative.

Note that Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June 2016), relating to FITARA, has been revised to apply only to contractor-owned, contractor-operated information systems and holds contractors to NIST and FISMA requirements.

CREATE A PROCESS AND PLAN

Creating a process and plan for migrating the system to OA for the AO's approval is crucial. The CDM and ISCM Program is HHS's solution to support the ISCM mandate for federal agencies. In terms of a process, Charles Livingston, the CDM and ISCM Program Lead for HHS ESPS, stated that eGlobalTech has already drafted the ISCM policy. Operational Divisions have reviewed the draft, and signature is anticipated by the end of April or May 2017. Phase 2 of the CDM and ISCM Program has already begun.

The plan should include security categorization of each system under FIPS 199 and independent assessment of its security controls according to the RMF, a framework mapped to CDM capabilities, a gap analysis of each system's current control testing capabilities, and a way to report risk to the AO in near real-time.

The recommendation is to apply the lessons learned from NASA's failures and DHS's successes gradually, using the snowball effect. The idea is to start small and build on successes with low-impact systems to ease the transition and collect lessons learned prior to applying them to high-impact systems. According to the Supplemental Guidance on OA, "A phased approach for the generation of security-related information may be necessary in the interim as additional automated tools become available." After the AO grants the ATO, an ISCM program is in place, and the system moves to the production environment, the OA program can begin. It is also important to assess proposed security controls before collecting data.

BENEFITS

Currently, system monitoring for ATO is on a quarterly schedule model, or longer, where the damage may already be done by the time a problem is detected. The road to ATO can be time-consuming, cumbersome, and wasteful.

OA, on the other hand, is tied to event-driven triggers. Event-driven assessments include incidents, new threat information, major changes to operating environments, results of a risk assessment, etc. Because of predetermined triggers, the frequency of network activity, and summary metrics, updates can be by minute, hour, day, week, month, or as needed.

Agencies most interested in the ability of senior leaders to make well-informed decisions quickly should use OA. The use of actionable metrics ensures a faster response than data that is a quarter, a year, or three years old. The government needs to focus on short-term data, as that data will create the long-term results that the government seeks.

DHS USCIS's keys to success for implementing an OA program were communication, flexibility, transparency with data, experienced personnel, and training. Internal and external communication, flexibility involving innovation, contractors creating transparent database collection systems, and having personnel who are risk management subject matter experts are all factors for success. While training was helpful, it could have been better with a team like the one established for HHS ESPS.

In addition, when comparing DHS's best practices to NASA's lessons learned, it is important to highlight having an RMF and ISCM process as well as CIO buy-in. DHS had OA, an RMF, an ISCM strategy, and a robust CDM Program, augmented by ISSO testing of controls and validation by the Information System Security Manager. When an organization has all four, senior leadership has an on-demand, high-level view of the organization's cybersecurity posture and each system's contribution to it. Also, since the CIO leads the ISCM program, it is most important that he or she is fully committed to the program and has all the information he or she requires.

KEY TAKEAWAYS

As presented in this white paper, federal agencies have moved from static cyber-surveillance based on compliance checklist exercises conducted once every 3
years to dynamic, near real-time authorization and continuous monitoring for risk-based cybersecurity.

With the help of eGlobalTech, the Department of HHS could reach a state that is as good as or better than DHS's, so that there will be flexible OA and CDM.

With OA, the resilience of the system will mean more than the date a system received an ATO, and the high-impact and critical systems will receive greater attention. As more agencies see this, the OA umbrella will include more and more systems.

Ideally, OA is a mix of automated tools and manual processes for analyzing the output of those tools, giving near real-time continuous monitoring. Mr. Livingston says, "Too often people translate near real-time to automation, but there is also a mature manual process engaged. As we heard from Megan, they're reviewing four to five systems two to three times a week. We will never get to 100% automation because we need a man in the loop to say, 'This isn't trending the right way. These tools aren't making sense.' Tools just spit out. Analysis cannot be automated. Some manual systems and processes will never go away because people are essential to validating the data that information systems produce."

"Analysis cannot be automated." Charles Livingston, CDM and ISCM Program Lead

He says that they are leveraging best practices from USCIS in terms of establishing the OA program and structure and helping the environment mature. Only experience provides maturity. Having a Capability Maturity Model Integration (CMMI) work stream helps because the outcome of a CMMI assessment identifies the maturity level of the environment, which is more important than whether they have automated tools. Tools help, but human interaction and collaboration are more proactive and reduce vulnerability. Continuous monitoring can translate into continuous improvement. Collaboration takes time because ISSOs, groups, and support teams change. Setting up processes such as checklists, standard operating procedures, and concepts of operation helps with stability throughout transitions.

eGlobalTech (eGT) resources have the knowledge that provides insight into best practices. Not many organizations have four years of hands-on experience with a highly effective and mature OA program, or as much exposure. eGT can reach out to its employees with OA program experience and has access to lessons learned from DHS and FEMA as well.

It makes a difference to work with a company that has a strong understanding of the RMF and experience implementing successful ISCM and OA programs. eGT welcomes the opportunity to work with HHS on gradually moving toward an OA model.

ABOUT EGLOBALTECH

eGT is a woman-owned management consulting and IT solutions firm based in Arlington, Virginia, with additional offices in Alexandria, Virginia, and Baltimore, Maryland. eGT supports multiple federal customers including the Departments of HHS, Homeland Security, State, Education, Labor, Energy, the General Services Administration, and Defense. For more information, please visit http://www.eglobaltech.com.

RESOURCES

1. Dempsey, Kelley, Nirali Shah Chawla, Arnold Johnson, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, and Kevin Stine. 2011. "ISCM for Federal Information Systems and Organizations." Special Publication 800-137. Gaithersburg, MD: NIST, September.

2. Dempsey, Kelley, Ron Ross, and Kevin Stine. 2014. "Supplemental Guidance on OA." PDF. Gaithersburg, MD: NIST, June.

3. H.R. 1232, 113th Cong. (2014) (enacted).

4. Joint Task Force Transformation Initiative. 2010. "Guide for Applying the Risk Management Framework to Federal Information Systems." Special Publication 800-37. Gaithersburg, MD: NIST, February.

5. Livingston, Charles, Silvia Ruiz, Megan Kane, and Julie King. "OA Interview." Interview by author. March 7, 2017 and March 9, 2017.

6. Miller, Jason. "DHS putting post-FISMA approach to cyber through a trial run." FederalNewsRadio.com. May 08, 2013. Accessed February 23, 2017. http://federalnewsradio.com/technology/2013/05/dhs-putting-post-fisma-approach-to-cyber-through-a-trial-run/.

7. ---. "House approves FISMA modernization bill, two other cyber bills." FederalNewsRadio.com. April 17, 2013. Accessed February 23, 2017. http://federalnewsradio.com/congress/2013/04/house-approves-fisma-modernization-bill-two-other-cyber-bills/.

8. ---. "NASA's act of desperation demonstrates continued cyber deficiencies." FederalNewsRadio.com. August 24, 2016. Accessed February 24, 2017. http://federalnewsradio.com/reporters-notebook-jason-miller/2016/08/nasas-act-desperation-demonstrates-continued-cyber-deficiencies/.

9. Ross, Ron, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, and George Rogers. 2007. "Recommended Security Controls for Federal Information Systems." Special Publication 800-53, Revision 2. Gaithersburg, MD: NIST, December.