Module 2: Government Laws & Regulations

Module 2: Government Laws & Regulations

FITSP-A Module 2 Government Laws Leadership Government likes to begin things to declare grand new programs and causes and national objectives. But good beginnings are not the measure of success. What matters in the end is completion. Performance. Results. Not just making promises, but making good on promises. In my Administration, that will be the standard from the farthest regional office of government to the highest office of the land. President George W. Bush My Administration is committed to creating an unprecedented level of

openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government. - President Barack Obama FITSP-A Exam Objectives: Security Topic: Regulatory & Standards Compliance A FITSP-Auditor is expected to understand and to be able to apply: Audit strategies for compliance with the organizations information security program Identify and stay current on all laws, regulations, standards, and best practices applicable to the organization Oversee relationships with all regulatory information security

organizations and appropriate industry groups, forums, and stakeholders Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings Review information security compliance performance measurement components Government Laws Module Overview Section A: Congress & The President Federal Information Security Management Act of 2002 (Title III of the E-Government Act) Evolution of Compliance Elements of a Security Program

Reporting Metrics Section B: NIST National Institute of Standards & Technologies Computer Security Division Risk Management Framework Section C: OMB Office of Management & Budget Circular A-130 Memorandum Section D: DHS Department of Homeland Security Cybersecurity Responsibilities Presidential Directives

Section E: HHS Health & Human Services HIPAA Health Insurance Portability and Accountability Act HITECH Health Information Technology for Economic and Clinical Health President: Agenda (PMA) PRA CSA , FISMA OMB: Oversight

Congress: Legislation HIPAA, HITECH n: o s ai CIO i L B ral M O ede

F HIPAA Security Rule HHS/CMS OCR Authority, Guidance, Oversight D Cy HS

Co be Lia or sec iso di u n: na rit to y r HSA CNSS 1253 CNSS NIST Guidanc e

Guidanc e RMF Federal Agencies DHS: Authority Section A CONGRESS AND THE

PRESIDENT Legislative History E-Government Act of 2002 Public Law 107-347 Establishes Office of E-Gov within OMB Areas of E-Gov: Capital planning and investment control for information technology Development of enterprise architectures (FEA) Information Security (Title III) Access to government information

Establishes CIO Counsel in the Executive branch What is FISMA? Title III of E-Gov Act of 2002 Requires Each Federal Agency to Implement an Information Security Program Report annually to OMB Adequacy of security program Address adequacy in plans and reports relating to annual budgets Significant deficiency Continuously Evolving

The Evolution of FISMA Compliance This process is designed to shift our efforts away from a culture of paperwork reports. The focus must be on implementing solutions that actually improve security. Continuous Monitoring Timely, and Role-relevant Information Outcome-based Metrics metrics are a policy statement about what Federal entities should concentrate resources on Monthly Data Feeds Directly from Security Management Tools (CyberScope)

Government-wide Benchmarking on Security Posture (Questionnaire) Agency-specific interviews (CyberStat with DHS) FISMA Reporting Metrics Administration Priorities (AP) Key FISMA Metrics (KFM) Baseline Questions (Base) Knowledge Check This law gave OMB the authority to define policies for US Government Agencies. This law assigned responsibilities to NIST for creating

standards and guidelines relating to securing Federal information systems. This OMB program provides a structure for Agencies to identify business processes. Section B NIST - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY NIST, Computer Security Division Federal Information Security Management Act (FISMA) Implementation Project Protecting the Nation's Critical Information Infrastructure

Standards for categorizing (FIPS 199) Standards for minimum security requirements (FIPS 200) Guidance for selecting security controls (SP 800-53) Guidance for assessing security controls (SP 800-53a) Guidance for the security authorization (SP 800-37) Guidance for monitoring the security controls (SP 800-137) Guidance for identifying National Security Systems (800-59)

Risk Management Framework Section C OMB OFFICE OF MANAGEMENT AND BUDGET The Management Side of OMB

Office of Federal Financial Management Office of Federal Procurement Policy Office of E-Government and Information Technology Office of Performance and Personnel Management Office of Information and Regulatory Affairs OMB Instructions Circulars A-

Budget State and Local Governments Educational and Non-Profit Institutions Federal Procurement Federal Financial Management Federal Information Resources / Data Collection Other Special Purpose Memoranda M- Providing further explanation and guidance

OMB Circular A-130 Establishes policy for the Management of Federal Information Resources Issued under the authority of the Paperwork Reduction Act and Clinger-Cohen Act Appendix I Federal Agency Responsibilities for Maintaining Records about Individuals Guidance for implementing Privacy Act of 1974 Appendix III Security of Federal Automated Information Resources Establishes concept of a minimum set of security controls Establishes key definitions used by NIST Special Publications

OMB A-130 Background Privacy Act of 1974 Paperwork Reduction Act 1980 Computer Security Act of 1987 Clinger-Cohen Act of 1996 Govt Paperwork Elimination Act of 1998 OMB A-130, Appendix III

Definitions GSS General Support System MA Major Application Adequate security Assignment of Responsibilities Reporting Deficiencies & Corrective Actions Security Plan Summary OMB Memoranda General Guidance

POAMs Continuity Plans FDCC Trusted Internet Connections Reporting Guidance GISRA FISMA Incidents involving PII Policies

Federal Agency Public Websites File Sharing Technology Implementation Guidance Government Paperwork Elimination Act E-Government Act HSPDs Trusted Internet Connections M-09-32 Inventory External Connections Meet TIC Critical Technical Capabilities Implement Critical TIC capabilities

Acquire Telecommunications Connectivity Through Networx Contract Consolidate External Connections Through Approved Access Points (TICAPS) CIO Reporting Metric #7 Boundary Protection Target Level for 2014

Reporting Instructions (Changes) OMB M-11-33/ FISM 11-02/FISM 12-02 CyberScope collection of data should be a by-product of existing continuous monitoring processes, not a bolt-on activity that redirects valuable resources from important mission activities. Monthly Data Feeds Quarterly Reporting Annual Reporting (Mid-November) Information Security Questions CyberStat Review (Conducted by DHS) Sessions and Agency Interviews

FAQ (9) Must the DoD and the ODNI follow OMB policy and NIST guidelines? YES!! FAQ (34) Is Reauthorization Required Every 3 Years NO! FAQ (42) Mandatory use of secure configurations (USGCB) Reporting Instructions (Changes) FY2013 and FY2014 OMB Guidance Continues to evolve in M-14-04. Key changes occurred in the following areas: 1. Increased emphasis on privacy controls 1. Authorizations to Operate (ATO) require Senior Agency Official for Privacy to sign off. 2. SP 800-53 Rev 4 Appendix J Privacy Controls added to

mandatory controls baseline 2. POA&Ms now only track security weaknesses that will be remediated. 3. Monthly and quarterly reporting of CIO metrics required of all CIO Council member agencies vs. smaller list of 24 CFO Act agencies. Reporting Instructions (Changes) FY2013 and FY2014 4. Continuous Monitoring rebranded as Information Security Continuous Monitoring (ISCM) 5. Security Overlays Develop set of security controls to address unique threat profile for community-wide use (health care, intelligence, industrial control systems, cloud computing). New concept from 800-53 Rev 4.

6. Mobile Device Security added emphasis that data protection (i.e. encryption) and remote access security controls apply to mobile devices Standardized Desktop OS Configuration Settings Federal Desktop Core Configuration (FDCC) Windows XP & Vista US Govt Baseline Configuration (USGBC) Windows 7 & IE 8 Red Hat Enterprise Desktop Linux In Development: Mac OS X & Windows 8

Security Content Automation Protocol (S-CAP) Privacy & Privacy Reporting M-07-16 Safeguarding PII Breach Notification Policy SAOP Reporting Metrics FY2012

Information Security Systems (w/PII) PIAs and SORNs Privacy Training PIA and Web Privacy Policies and Processes Written Privacy Complaints SAOP Advice and Guidance Agency Use of Web Management and Customization Technologies (e.g., cookies, tracking technologies) Privacy & Privacy Reporting M-14-04 & DHS Privacy Metrics

Privacy in OMBs FY2014 Instructions 1. NIST SP 800-53 Appendix J Privacy Controls implementation is mandatory. 2. Privacy Controls and practices may be considered an agency common control. 3. SOAP approval required for ATO of GSS or MA DHS FY2014 SAOP FISMA Privacy Metrics 10 questions covering privacy requirements from the Privacy Act of 1974, E-Govt Act of 2002, and Federal Agency Data Mining Reporting Act of 2007 Knowledge Check This document provides a policy framework for information resources management across the Federal government.

This OMB memo requires that agencies safeguard against and respond to breaches of personally identifiable information. Name an initiative to create security configuration baselines for Information Technology products widely deployed across the federal agencies. Agencies are required to adhere to DHS direction to report data through this automated reporting tool. What is the required frequency of these data feeds? The OMB A-130s stated requirement for reauthorization is at least once every 3 years. What must an agency do to waive that requirement? Section D

DHS - DEPARTMENT OF HOMELAND SECURITY DHS Department of Homeland Security Prevent Terrorism and Enhance Security Secure and Manage our Borders Enforce and Administer our Immigration Laws Safeguard and Secure Cyberspace

Ensure Resilience to Disasters And now Cybersecurity! Cybersecurity Responsibilities M-10-28 Office of Management and Budget Annual FISMA Report to Congress Cybersecurity Portions of the Presidents Budget Cybersecurity Coordinator Cybersecurity Strategy and Policy Development Department of Homeland Security

Critical Infrastructure Protection US-CERT Trusted Internet Connection Initiative Primary Responsibility for the Operational Aspects of Cybersecurity Presidential Decision Directives PDD

Presidential Decision 1993 Directives 2001 Clinton NSPD National Security 2001 Presidential Directives 2009 G. W. Bush

HSPD Homeland Security Presidential Directives 2001- G. W. Bush and Obama PSD Presidential Study Directives

2009- Obama PPD Presidential Policy Directives 2009- Obama Homeland Security

Presidential Directives HSPD-3 Homeland Security Advisory System HSPD-5 Management of Domestic Incidents HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection PDD-8 National Preparedness HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors HSPD-20/NSPD-51 National Continuity Policy HSPD-24 Biometrics for Identification and Screening to Enhance National Security Section E

HHS HEALTH & HUMAN SERVICES History of HIPAA 1996: Health Insurance Portability and Accountability Act (HIPAA) Directed Secretary of HHS to Develop Standards for Protecting (e-PHI) Feb 2003: HHS Published the Security Rule Standard Oct 2008: SP 800-66 r1 An Introductory Resource Guide for Implementing the HIPAA Security Rule Duplication of Effort Stove piping? e-PHI - Electronic Protected Health Information SP 800-60, D.14 - Health

2009: Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) HITECH = Auditing ARRA/HITECH: Game Changers Electronic Health Record (EHR) System Incentives to Accelerate Adoption of EHR Systems among Providers Enforcement Requires Audits for HIPAA Compliance! Notification of Breach - Now Imposes Data Breach Notification Requirements Electronic Health Record Access For Providers

implementing HER, Patients Have the Right to Obtain PHI in an Electronic Format (i.e. ePHI). Business Associates, (Software vendors providing EHR systems) now, Directly "On The Compliance Hook" Cybersecurity Legislative Proposal Many New Cyber-related Bills Protecting the American People Protecting our Nations Critical Infrastructure

Protecting Federal Government Computers and Networks The Administration proposal would update FISMA and formalize DHS current role in managing cybersecurity for the Federal Governments civilian computers and networks, in order to provide departments and agencies with a shared source of expertise. New NIST Cybersecurity Framework, February 2014 Cybersecurity Framework Government Laws Key Concepts & Vocabulary

Legislative Milestones Paperwork Reduction Act of 1980 Computer Security Act of 1987 Clinger-Cohen Act of 1996 Homeland Security Act & E-Government Act of 2002 (Title III FISMA) NIST Standards & Guidelines NIST SP 800-37r1 Risk Management Framework

OMB Memorandums M 10-28 Cybersecurity Responsibilities of DHS FISM 11-01 Trusted Internet Connections M 07-16 Privacy DHS & Cybersecurity M 08-16 Configuration Baselines FISM 12-02/M 11-33 FISMA Reporting Guidelines CyberScope Lab Activity 1 Searching for Guidance

DHS CNSS Authority HSPDs OMB NIST Guidance Standards (FIPS), Guidelines (SP) Oversight Policy OMB A-130 Questions?

Next Module: Risk Management Framework

Recently Viewed Presentations

  • + Machine Learning and Data Mining Linear regression

    + Machine Learning and Data Mining Linear regression

    If XT is square and independent, this is the inverse. If m > n: overdetermined; gives minimum MSE fit (c) Alexander Ihler. Setting the gradient to zero, we have another linear algebraic equation. We can distribute in X, then move...
  • Chapter 14: Gender and Development Module 14.1 Gender

    Chapter 14: Gender and Development Module 14.1 Gender

    Chapter 14: Gender and Development Module 14.1 Gender Stereotypes Module 14.2 Differences Related to Gender Module 14.3 Gender Identity Module 14.4 Gender Roles in Transition
  • History of the Periodic Table - at Clark University

    History of the Periodic Table - at Clark University

    Argon - nonreactive. Placed at the end of the table. He Ne Kr Ar. Xe. Noble Gases. Non-reactive because they have EIGHT valence electrons ... Period 1 Period 2 Period 3 ... History of the Periodic Table Last modified by:...
  • Existing Lunar Datasets M. S. Robinson School of

    Existing Lunar Datasets M. S. Robinson School of

    UVVIS Nearside High Sun for Color Analysis Chandrayaan Estimate illumination conditions over time Topography near Shackleton (S. Pole) 2 Narrow Angle Cameras (NACs) for Landing Site Certification 1000s of potential landing site observations at 0.5 m/pix Polar mosaics (85.5 to...
  • Acute lower back pain Medhat Michail September 2017

    Acute lower back pain Medhat Michail September 2017

    Saddle anesthesia or paresthesia. Recent onset of bladder dysfunction. Recent onset of faecal incontinence. Perianal/perineal sensory loss. Unexplained laxity of the anal sphincter. Severe or progressive neurological deficits in the lower limbs
  • Feminism - School of English and American Studies at ELTE

    Feminism - School of English and American Studies at ELTE

    Écritureféminine: both theory and practice. A mode of writing that represents what is repressed in the Symbolic order (Derrida and Lacan). Revolutionary articulation of non-hierarchical difference as opposed to a phallocentric language based on binary oppositions like man/woman, mind/body, self/other,...
  • Regents Physics - Forestville Middle-High School

    Regents Physics - Forestville Middle-High School

    Regents Physics Some Kinds of Springs Elastic Potential Energy Energy is stored in a spring when work is done stretching or compressing it This energy is called elastic potential energy Compression / Elongation The compression or elongation of a spring...
  • Innovasjon Norge - Deltagelse i ulike utviklingsprosjekt

    Innovasjon Norge - Deltagelse i ulike utviklingsprosjekt

    Innovasjon Norges tjenestetilbud til reiselivet. Prøysenhuset, 22.10.2015. Christian Hedløv Engh