FISMA 2.0: A CISO Perspective

Marian Cody, CISO, EPA

Richard Prentiss, CISO, OTS/Treasury

Pat Howard, CISO, NRC

INTRODUCTION
  • FISMA 1.0: Focus on compliance rather than proven security measures.
  • “FISMA 2.0”
    • Senate Bill S. 3474, Senator Tom Carper
    • Approved by Senate Homeland Security and Governmental Affairs Committee in September
    • Purpose: Strengthen federal IT security
SIGNIFICANT CHANGES
  • Annual independent audits rather than evaluations
  • Increased responsibility for the CISO
  • Requirement for Operational Evaluations by DHS
  • Establishment of a CISO Council
  • Requirement for standard, government-wide contract language
  • Annual DHS reports to Congress
ANNUAL INDEPENDENT AUDIT REQUIREMENT
  • Changes in auditing standards
  • Changes in scope to include audit of a subset of both government-owned and contractor-owned IT systems
  • Audit report must include overall conclusion about effectiveness of security controls
CISO RESPONSIBILITIES
  • Appointment by the agency head
  • Separation of duties between CIO and CISO mandated
  • Quarterly submission of “security architecture framework documentation” to US-CERT
  • CISO directly responsible for security programs of subordinate organizations
  • Responsible for creating IT security performance measurement system
  • Authority to disconnect agency IT systems
  • CISO granted enforcement authority
OPERATIONAL EVALUATIONS
  • To be conducted at least annually by DHS
  • Agencies to establish security controls testing protocols
  • Findings to be reported to the agency head, CIO, and CISO
  • CISO to respond to the results with a corrective action plan, submitted to the agency head and CIO within 30 days
CISO COUNCIL
  • Purpose is to establish best practices and recommendations for operational evaluations
  • Promote the development and use of standard performance metrics
  • Recommend CISO qualifications
CONTRACT LANGUAGE
  • OMB to publish standard security contract language in coordination with NIST
  • Include standard terms for
    • security of systems
    • collection and transmission of information
    • incident response procedures
  • COTS products must comply with security requirements
ANNUAL DHS REPORT TO CONGRESS
  • DHS to report on results of operational evaluations and testing protocols
  • Provide detailed information on agency evaluation including results and pending corrective actions
  • Describe effectiveness of testing protocols
  • Describe information security posture of the federal government
SIGNIFICANT CHANGES
  • Annual audits rather than evaluations
  • Increased responsibility for the CISO
  • Requirement for Operational Evaluations by DHS
  • Establishment of a CISO Council
  • Requirement for standard, government-wide contract language
  • DHS annual report to Congress