
FISMA 2.0: A CISO Perspective






Presentation Transcript


  1. FISMA 2.0: A CISO Perspective
     Marian Cody, CISO, EPA
     Richard Prentiss, CISO, OTS/Treasury
     Pat Howard, CISO, NRC

  2. INTRODUCTION
     • FISMA 1.0: Focus on compliance rather than proven security measures.
     • “FISMA 2.0”
     • Senate Bill S. 3474, Senator Tom Carper
     • Approved by Senate Homeland Security and Governmental Affairs Committee in September
     • Purpose: Strengthen federal IT security

  3. SIGNIFICANT CHANGES
     • Annual independent audits rather than evaluations
     • Increased responsibility for the CISO
     • Requirement for Operational Evaluations by DHS
     • Establishment of a CISO Council
     • Requirement for standard, government-wide contract language
     • Annual DHS reports to Congress

  4. ANNUAL INDEPENDENT AUDIT REQUIREMENT
     • Changes in auditing standards
     • Changes in scope to include audit of a sub-set of both government-owned and contractor-owned IT systems
     • Audit report must include an overall conclusion about the effectiveness of security controls

  5. CISO RESPONSIBILITIES
     • Appointment by the agency head
     • Separation of duties between CIO and CISO mandated
     • Quarterly submission of “security architecture framework documentation” to US-CERT
     • CISO directly responsible for security programs of subordinate organizations
     • Responsible for creating an IT security performance measurement system
     • Authority to disconnect agency IT systems
     • CISO granted enforcement authority

  6. OPERATIONAL EVALUATIONS
     • To be conducted at least annually by DHS
     • Agencies to establish security controls testing protocols
     • Findings to be reported to the agency head, CIO, and CISO
     • CISO to respond to results with a corrective action plan to the agency head and CIO within 30 days

  7. CISO COUNCIL
     • Purpose is to establish best practices and recommendations for operational evaluations
     • Promote the development and use of standard performance metrics
     • Recommend CISO qualifications

  8. CONTRACT LANGUAGE
     • OMB to publish standard security contract language in coordination with NIST
     • Include standard terms for
       • security of systems
       • collection and transmission of information
       • incident response procedures
     • COTS products must comply with security requirements

  9. ANNUAL DHS REPORT TO CONGRESS
     • DHS to report on results of operational evaluations and testing protocols
     • Provide detailed information on each agency evaluation, including results and pending corrective actions
     • Describe effectiveness of testing protocols
     • Describe the information security posture of the federal government

  10. SIGNIFICANT CHANGES
      • Annual audits rather than evaluations
      • Increased responsibility for the CISO
      • Requirement for Operational Evaluations by DHS
      • Establishment of a CISO Council
      • Requirement for standard, government-wide contract language
      • DHS annual report to Congress

  11. QUESTIONS?
