Key Points of FISMA Reforms of 2013
Company SensitiveThis document is the property of Trusted Integration, Inc.
It should not be duplicated or distributed to any third-party entity
InfoSec Learning Center
April 5, 2013
Background
Known as H.R. 1163, the Federal Information Security Amendments Act of 2013. Approved by the House of Representatives on March 20, 2013. The bill may alter the current FISMA landscape and how agencies and contractors address the changing cyber climate. Historically, FISMA compliance has relied on a paper-based approach to governance. CISOs have contended that the current FISMA law limits their ability to enhance the security posture of their organizations.
Key Changes
Extends the responsibility for cybersecurity to the head of the agency.
Requires each agency to designate a Chief Information Security Officer (CISO).
Requires that the CISO possess the qualifications to conduct and implement the security program outlined in the bill.
Makes the CISO responsible for the implementation of the agency-wide security program.
Allows the use of automated technologies to support cyber threat assessments.
Directs OMB to oversee a Federal government incident response center where incident information is maintained and which assists other agencies with their cyber incidents, with guidance from key organizations including NIST.
Responsibilities of CISO
Overseeing the establishment and maintenance of a security operation that, through automated and continuous monitoring, can detect, contain and mitigate incidents that impair information security and agency information systems;
Developing, maintaining and overseeing an agency-wide information security program;
Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
Training and overseeing personnel with significant responsibilities for information security;
Assisting senior agency officials on cybersecurity matters;
Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;
Reporting at least annually to agency executives on the effectiveness of the agency information security program, on information derived from automated and continuous monitoring (including threat assessments), and on progress of actions to remediate threats.
Source: "CISOs: FISMA Reforms Establishes CISO Responsibilities", ProcessUnity press release, March 21, 2013
OMB Federal Incident Security Center
Provides guidance and assistance to other agencies on detecting and handling security incidents.
Compiles information on security incidents (and presumably defines metrics and shares best practices with other agencies).
Informs other agencies about the current and potential threat landscape.
Works with NIST and any other relevant agencies.
Operators of national security systems must also report incidents to the same Center.
The Director of the Center is responsible for defining and implementing policies and procedures consistent with H.R. 1163.
About TrustedAgent GRC
TrustedAgent Governance, Risk and Compliance (GRC) provides organizations with a central technology platform to manage security assessment, authorization, and continuous monitoring for risk and compliance management across the enterprise, using standards including FedRAMP, ISO 27001, HIPAA/HITECH, PCI DSS, COBIT, NERC, and FISMA.
TrustedAgent GRC collects and aggregates results from ancillary tools such as asset management, configuration management, vulnerability management, and other information security tools and processes, for analysis and understanding of the enterprise risk profile, compliance and remediation tracking, and management reporting.
TrustedAgent GRC provides a structured, consistent, and time-saving approach to producing compliance deliverables, accelerates the process of obtaining authorization, and provides ongoing support for security assessment and continuous monitoring to meet the governance challenges of commercial enterprises and government agencies.
Governance and Security Standards
About Trusted Integration
Since 2001, Trusted Integration has been a leader in providing Governance, Risk and Compliance management solutions for government and commercial organizations, specializing in superior-quality, cost-saving information risk management solutions for Federal Government compliance (FISMA, DIACAP, and FedRAMP). Trusted Integration also provides compliance solutions supporting the Payment Card Industry Data Security Standard (PCI DSS), health care HIPAA/HITECH, and information technology governance frameworks including COBIT and ISO 27001.
For more information, visit us at www.trustedintegration.com.
Trusted Integration, Inc., 525 Wythe Street, Alexandria, VA 22314, (703) [email protected]