cdfff300a0b9c3bae1e213fcc132cb17.ppt
- Number of slides: 39
Environmental Protection Agency Shared Service Center
INTEGRATED SECURITY SOLUTION FOR FISMA REPORTING
Our Vision
Help federal managers and IT professionals understand and successfully implement the federal risk management framework so they can manage information and IT assets in accordance with federal standards.
Agenda/Presentation Overview
• SSC Goals
• Role in the Risk Management Framework
• ASSERT Capabilities
• EPA's SSC Process
• Consortium Benefits
• Implementation Timeframe
• Pricing
• Summary
Integrated Security Solution – Our Goals
• Assist your information security program using proven, effective practices
• Save time and resources spent on FISMA quarterly and annual reporting to OMB
• Aid performance on the Annual Congressional Scorecard
EPA's Integrated Security Solution
[Diagram: the risk management framework cycle with ASSERT at the center and the applicable federal standards at each step. Information/Information System categorization (FIPS 199, SP 800-60); Select Controls (FIPS 200, SP 800-53); Refine Control Selection (SP 800-30); Document Controls / Security Planning (SP 800-18); Implement Controls (SP 800-70); Test Controls (SP 800-53A, SP 800-42); C&A / Authorize to Operate (SP 800-37); Monitor (SP 800-37, SP 800-53A, FIPS 200). SP 800-64 is also referenced.]
Time to Talk About ASSERT
ASSERT Capabilities
• Secure Web Access
• Portal for Ease of Use
• System Categorization
• System Inventory Management
• Risk Identification
• Control Tailoring
• Continuous Monitoring: Implementation, Testing, and Remediation (POAM Tasks)
• Management Oversight
• FISMA Reporting Compliance
"Since 2004 SSA has used the ASSERT tool. It has met all our expectations and more as the IG and their contractor have also given it a 'thumbs up.' … We at SSA highly recommend the tool." – Bob Burch, FISMA Manager, Social Security Administration
ASSERT Secure Web Access
• Customized with your logo and colors
• Post news and announcements for users
• Conforms with the Moderate baseline and uses FIPS 140-2 encryption
ASSERT Portal: Ease of Use
• What you see is based on your job assignments
• See summary information
• Focus on critical items
• Access details via links
• Perform key functions at the click of a button
ASSERT System Categorization: Business Orientation
• Walks users through a structured interview, or supports expert mode
• Extensive links to help
• Helps users identify Business Areas and Lines of Business
• Button navigation
ASSERT System Categorization: Guidance for Users
• Coaching for decisions on confidentiality, integrity, and availability (the screenshot shows example impact levels of Low, Moderate, and Low)
• Helps identify Other Factors and Special Factors affecting categorization
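The categorization step on the two slides above follows FIPS 199: each information type the system handles is rated Low, Moderate or High for confidentiality, integrity and availability (the SP 800-60 provisional levels), the system's security category is the high-water mark per objective across its information types, and the overall impact level is the highest of the three. The following Python is an added example of that rule, not ASSERT code; the `InfoType` and `Adjustment` names, the sample information types and the treatment of special factors as explicit, documented overrides are assumptions made for the example.

```python
"""FIPS 199 style system categorization with the high-water mark rule.

Added example: this is not ASSERT code. Each information type is rated Low,
Moderate or High for confidentiality, integrity and availability; the system's
security category is the high-water mark per objective across its information
types, and the overall impact level is the highest of the three. "Special
factor" adjustments are modeled as explicit, documented overrides, which is an
assumption of this example.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Provisional impact levels for one information type handled by the system."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class Adjustment:
    """A special-factor override of one objective; must carry a rationale."""
    objective: str
    level: str
    rationale: str


def _check_level(level: str) -> str:
    if level not in RANK:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


def high_water_mark(levels) -> str:
    """Highest impact level in the iterable (the FIPS 199 aggregation rule)."""
    return max((_check_level(lvl) for lvl in levels), key=RANK.__getitem__)


def categorize(info_types, adjustments=()):
    """Return (security_category, overall_impact).

    security_category maps each objective to its impact level; overall_impact
    is the high-water mark of the three and selects the FIPS 200 control
    baseline (Low, Moderate or High).
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {
        obj: high_water_mark(getattr(it, obj) for it in info_types)
        for obj in OBJECTIVES
    }
    for adj in adjustments:
        if adj.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective {adj.objective!r}")
        if not adj.rationale.strip():
            raise ValueError("a special-factor adjustment must document its rationale")
        category[adj.objective] = _check_level(adj.level)
    return category, high_water_mark(category.values())


def format_category(category, overall) -> str:
    """Render the result in the FIPS 199 notation."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC = {{{pairs}}}; overall impact: {overall}"


# Constructed sample input (not taken from the slides).
SAMPLE_TYPES = (
    InfoType("Facility inventory records", "Low", "Moderate", "Low"),
    InfoType("Public web content", "Low", "Low", "Low"),
)

if __name__ == "__main__":
    cat, overall = categorize(SAMPLE_TYPES)
    print(format_category(cat, overall))
    # A documented special factor (assumed) raises availability to High.
    cat, overall = categorize(
        SAMPLE_TYPES,
        [Adjustment("availability", "High", "system supports emergency response")],
    )
    print(format_category(cat, overall))
```

The check that matters in practice is the one on adjustments: an override that raises or lowers an objective without a written rationale is rejected, because the categorization is an accountable decision that the later control selection and authorization depend on.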
ASSERT Inventory Management
• Maintain the FISMA inventory or the full Agency inventory
• Identify GSS/MA (general support system / major application) relationships across the Agency
ASSERT Risk Identification and Control Tailoring
• Scoping
• Risk values
• Review status
ASSERT Continuous Monitoring: Implementation
• Implementation of each base control and its enhancements is documented and available for export to the Security Plan
ASSERT Continuous Monitoring: Testing
• Show expected test step results and require documentation of variances
• Document the test step result
• Certify the test step result
• Roll up test step results to control status
ASSERT Continuous Monitoring: Remediation
• Tasks for remediating the control
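The testing and remediation slides describe one workflow: each test step carries an expected result, an observed result that must be documented when it differs, and a certification; the step results roll up to a control status, and variances become remediation (POAM) tasks. The Python below is an added example of that roll-up, not ASSERT code; the status names ("Satisfied", "Other than satisfied", "Incomplete"), the rule that a variance without a note or an uncertified result blocks the roll-up, and the AC-7 sample steps are assumptions made for the example.

```python
"""Roll-up of test-step results to a control status, with POA&M tasks.

Added example; not ASSERT code. The rules are assumptions of this example:
a step whose actual result differs from the expected result is a variance and
must be documented; every executed step must be certified; a control is
"Satisfied" when every step is complete, certified and without variance,
"Other than satisfied" when every step is complete but at least one documented
variance exists (each variance yields a remediation task), and "Incomplete"
otherwise.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class TestStep:
    step_id: str
    expected: str
    actual: Optional[str] = None   # None means the step has not been executed
    variance_note: str = ""        # required when actual != expected
    certified_by: str = ""         # reviewer who certified the documented result

    @property
    def executed(self) -> bool:
        return self.actual is not None

    @property
    def is_variance(self) -> bool:
        return self.executed and self.actual != self.expected


@dataclass
class PoamTask:
    control_id: str
    step_id: str
    description: str
    status: str = "Open"


def step_issues(step: TestStep) -> list[str]:
    """Reasons this step blocks the roll-up, if any."""
    if not step.executed:
        return [f"{step.step_id}: not executed"]
    issues = []
    if step.is_variance and not step.variance_note.strip():
        issues.append(f"{step.step_id}: variance not documented")
    if not step.certified_by:
        issues.append(f"{step.step_id}: result not certified")
    return issues


def roll_up(control_id: str, steps: list[TestStep]) -> tuple[str, list[PoamTask], list[str]]:
    """Return (control_status, poam_tasks, blocking_issues)."""
    if not steps:
        return "Incomplete", [], [f"{control_id}: no test steps defined"]
    issues = [issue for step in steps for issue in step_issues(step)]
    if issues:
        return "Incomplete", [], issues
    tasks = [
        PoamTask(control_id, step.step_id,
                 f"Remediate {control_id}/{step.step_id}: expected {step.expected!r}, "
                 f"observed {step.actual!r}. Variance: {step.variance_note}")
        for step in steps if step.is_variance
    ]
    return ("Other than satisfied" if tasks else "Satisfied"), tasks, []


# Constructed sample (the control and step identifiers are illustrative).
AC7_STEPS = [
    TestStep("AC-7.1", expected="account locked after 3 failed logons",
             actual="account locked after 3 failed logons", certified_by="j.reviewer"),
    TestStep("AC-7.2", expected="lockout lasts 30 minutes",
             actual="lockout lasts 15 minutes",
             variance_note="lockout duration set to 15 minutes; policy requires 30",
             certified_by="j.reviewer"),
]
AC7_PENDING = AC7_STEPS + [TestStep("AC-7.3", expected="lockout events are logged")]

if __name__ == "__main__":
    for steps in (AC7_STEPS, AC7_PENDING):
        status, tasks, issues = roll_up("AC-7", steps)
        print(status, [t.description for t in tasks], issues)
```

The point of returning the blocking issues separately is that a control with an unexecuted step or an undocumented variance never reports as passing or failing; it stays "Incomplete" until the evidence is there, which is what keeps the management reports built from these roll-ups honest.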
ASSERT Management Oversight
• Real-time report data
• Export to PDF or Excel, or view on screen
ASSERT Management Oversight
• Status shown by color coding and words
ASSERT FISMA Reporting Compliance
• Expands to show totals by categorization level
ASSERT Technical Specifications
• ColdFusion MX 7 front-end
• Oracle 10g database
• Accessed via the Web over a FIPS 140-2 compliant encrypted connection (https://)
• No mobile code or special ports
• Scalable in the number of organizational units, systems and users
A Solid Foundation in ASSERT
• A stable, effective, full-featured tool
• Secure web-based access to a centralized database
• Complies with Moderate baseline controls
• Full cycle of FISMA-mandated activities supported
• Reporting capabilities
"The elements and phases of the ASSERT SPM appear not only to comply with DITSCAP requirements, but they are much more comprehensive and specify many more steps in the software accreditation and implementation process for EPA. In addition, each element of the ASSERT System has very specific QA requirements for documentation and approval." – Kevin Hull, Independent QA Auditor, December 2006
EPA's Shared Service Center: Customized Services
Participation Level: Items
• Government Off-the-Shelf (GOTS): downloadable software
• Consortium Membership: technology updates and refreshes; membership on the Configuration Control Board
• Readiness Review: implementation requirements
• Additional Services: data conversion; training and reports; other security-related services
EPA's Shared Service Center Offerings
• Implementation support
• Software deployment
• Ongoing management and operational support
• Technical hosting options
• Consortium membership
SSC Implementation Support
• Evaluate current processes and security environment
• Recommend an implementation plan based on effective practices
• If requested, provide the CISO and staff with business and technical consulting
• Help migrate existing data and tailor controls
• Offer user training and help desk support
SSC Software Deployment
Flexibility through customization of:
• Agency logo and preferred colors
• Organizational structure
• Standardized terms
Support for loading information:
• System and user information
• Assessment and POAM history
• Agency-specific NIST-compliant policies to reference
• Agency-specific common controls and risk management decisions
SSC Management & Operational Support
• Sharing of best practices
• FISMA management and reporting services:
  • Management and business process consultation
  • Analysis, such as policy alignment
  • Customized reports
  • Staff augmentation
• Comprehensive user training:
  • Relates software to business processes
  • Can qualify as specialized IT training
• Help desk support
SSC Technical Hosting Options
• EPA hosting service:
  • Centralized database instance for each agency, with segregation of data
  • System platforms, management and monitoring
  • Fully certified and accredited environments
• Participant agency hosting:
  • Provide own system platforms, management and monitoring
ASSERT Consortium
• Board sets vision and directs software evolution
• Configuration Control Board oversees the ASSERT feature set
• Members share best practices and leverage costs
• Reasonably priced to accommodate agencies of all sizes
• 2006 membership: EPA, GSA, SSA, USDA
Consortium Members' Security Grades: 2001-2005
Agency                            2001  2002  2003  2004  2005
Environmental Protection Agency   D+    D-    C     B     A+
General Services Administration   D     D     D     C+    A-
Social Security Administration    C+    B-    B+    B     A+
The slide also marks when each agency founded or joined the consortium (EPA: founded; GSA and SSA: joined).
NOTE: USDA joined in 2006.
Consortium Process
Gather Requirements → Analyze & Define → Review by Consortium Board → Formalize Request → Approval by CCB → Develop & Deploy. The process repeats as necessary.
EPA's Integrated Security Solution: Getting There
• FY 2007: Evaluation of current processes and security environment
• FY 2008: Migrate data, implement system, and train users
• FY 2009: Improved security program
Cost: Sliding Scale (* TBN = To Be Negotiated)
• GOTS: Year 1 None
• Consortium Membership, Year 1: Mega Agency TBN*; Large Agency $250,000; Mid-size Agency $150,000; Small Agency $50,000; Micro Agency shared instance
• Consortium Membership, Annual: Mega Agency TBN; Large Agency $250,000; Mid-size Agency $150,000; Small Agency $50,000; Micro Agency TBN
• Readiness Review, Year 1 (by agency size, Mega to Micro, as shown on the slide): TBN, $25,000, Included, TBN; Annual: None
• Additional Services: priced per request
Summary: EPA's Integrated Security Solution
• A proven business model
• Conformance to the federal risk management framework
• Proven, stable software solution since 2002
• Services to support implementation and beyond
• Consortium in operation since 2004
• Consortium members got "A's" on the 2005 Congressional Scorecard
Benefits
• Conforms to the federal risk management framework and federal standards
• Standardizes and integrates security practices with business processes
• Affordable for agencies of all sizes
• Comprehensive solution:
  • Services for implementation plus ongoing management and operations support
  • ASSERT software
Benefits (continued)
• Well integrated with OMB regulations and NIST methodology for continuous monitoring of controls
• Active consortium of government agencies:
  • Directs the system vision and development
  • Reduces costs through shared resources
  • Sets software feature direction
Summary
This approach standardizes and integrates security practices with business processes… with the help of an agency that has been there before.
EPA Open House
Consortium Open House, April 5, from 9 am to 3 pm, at EPA East, 12th & Constitution, Rooms 1117 A & B. Come for panel discussions, Q&A, and demos.
Environmental Protection Agency Shared Service Center FISMA Reporting Solution
For more information, please contact:
• Marian Cody, CISO, U.S. EPA, 202-566-0302, cody.marian@epa.gov
• Bernice Bealle, U.S. EPA, 202-566-0716, bealle.bernice@epa.gov
• Don Huddleston, U.S. EPA, 202-566-1462, huddleston.don@epa.gov