FISMA 2.0: A CISO Perspective

Marian Cody, CISO, EPA

Richard Prentiss, CISO, OTS/Treasury

Pat Howard, CISO, NRC


INTRODUCTION

  • FISMA 1.0 (the Federal Information Security Management Act of 2002): focus on compliance reporting rather than proven, measured security controls.

  • “FISMA 2.0”

    • Senate Bill S. 3474, Senator Tom Carper

    • Approved by the Senate Homeland Security and Governmental Affairs Committee in September

    • Purpose: Strengthen federal IT security


SIGNIFICANT CHANGES

  • Annual independent audits rather than the current annual evaluations

  • Increased responsibility for the CISO

  • Requirement for Operational Evaluations by DHS

  • Establishment of a CISO Council

  • Requirement for standard, government-wide contract language

  • Annual DHS reports to Congress


ANNUAL INDEPENDENT AUDIT REQUIREMENT

  • Changes in the auditing standards applied

  • Scope expanded to include an audit of a subset of both government-owned and contractor-owned IT systems

  • The audit report must include an overall conclusion on the effectiveness of the agency's security controls


CISO RESPONSIBILITIES

  • Appointed by the agency head

  • Separation of duties between the CIO and the CISO mandated

  • Quarterly submission of “security architecture framework documentation” to US-CERT

  • CISO directly responsible for the security programs of subordinate organizations

  • Responsible for creating an IT security performance measurement system

  • Authority to disconnect agency IT systems

  • CISO granted enforcement authority


OPERATIONAL EVALUATIONS

  • To be conducted by DHS at least annually

  • Agencies to establish security controls testing protocols

  • Findings to be reported to the agency head, the CIO, and the CISO

  • CISO to respond to the findings with a corrective action plan, submitted to the agency head and the CIO within 30 days


CISO COUNCIL

  • Purpose: establish best practices and recommendations for operational evaluations

  • Promote the development and use of standard performance metrics

  • Recommend CISO qualifications


CONTRACT LANGUAGE

  • OMB to publish standard security contract language, in coordination with NIST

  • To include standard terms for

    • security of systems

    • collection and transmission of information

    • incident response procedures

  • Commercial off-the-shelf (COTS) products must comply with the security requirements


ANNUAL DHS REPORT TO CONGRESS

  • DHS to report on the results of operational evaluations and agency testing protocols

  • Provide detailed information on each agency evaluation, including results and pending corrective actions

  • Describe the effectiveness of the testing protocols

  • Describe the information security posture of the federal government


SIGNIFICANT CHANGES (SUMMARY)

  • Annual independent audits rather than evaluations

  • Increased responsibility for the CISO

  • Requirement for Operational Evaluations by DHS

  • Establishment of a CISO Council

  • Requirement for standard, government-wide contract language

  • DHS annual report to Congress


