CSCOUT

Page 1

August 2018

Security Impact Analysis (SIA)

April Earley, WPS GHA, Senior Information System Security Officer

Page 2

Requirements/Guidance

• ARS, MAC ARS/BPSSM

– Control CM-4

• The organization analyzes changes to the information system to determine potential security and privacy impacts prior to change implementation. Activities associated with configuration changes to the information system are audited.

• Risk Management Handbook, Chapter 5: Configuration Management

• Security Impact Analysis Checklist

• Technical Direction Letter TDL-180061

Page 3

GOAL! What goal?

• Analysis of changes to the information system

• Determine security and privacy impacts before implementation

• Purpose:

– Identify potential and real security and privacy risks

– Develop effective safeguards to address security and privacy risks

– Develop effective security and privacy testing

Page 4

Who’s going to do the work?

• CMS Information System Security Officer

• Information System Security Officer

• Information System Security Manager

• Information System Administrator

• Information System Security Engineer

Page 5

When?

• Throughout the life cycle of the system so that the impact of changes on security is considered during each stage:

– Before a Change is Deployed

– During Development, Acquisition/Implementation and Assessment

*Note* Review the SIA after a change is deployed. Conducting an SIA after deployment is NOT acceptable.

Page 6

What do I include?

• Brief description on purpose of SIA

• Description of System Changes

• Known security configuration Baseline Changes

• Security Risks

– How will security risks be addressed

• Planned Deployment Initiation and Completion Dates

• Control Families/Controls impacted

– How they are impacted

Page 7

Types of Events

• New Revision of ARS, MAC ARS/BPSSM

– Affects existing controls or adds new controls

• No ATO exists

– ATO has expired or doesn’t exist

– Significant Change requiring New ATO

• Current ATO exists

– System/Host ATO expires in x months

• Security Classification

– Security Category lowered or raised

• Target of Threat

– Specific and Credible Information

Page 8

Types of Events continued

• System boundary

– Expired or missing ATO for host GSS

– Changed Interconnections

– Architecture/Topological change

– Change to Logical Access Points

– New Processing Location(s)

– New User Population

– Protocol Change

– Change or Addition of Hosting Infrastructure or Site

• Equipment Upgrades

– Laptops/desktops, Communications equipment, New (different) Servers, Other equipment

Page 9

More Events

• Major System Updates

– New OS release, New Anti-Malware Product, New (different) OS

• Patch Updates

– Software, Servers, Anti-Malware

• Laws, Regulations, Directives

• Issuance or Update of Other NIST Documents

• Security Components

– Cryptographic Modules

– Identification and Authentication

– Security Controls

Page 10

Even more Events

• Mission/Business requirements

– New Mission added

– Mission or function termination or change of status

• Core Mission/Business functions

– Changes

– New Mission or Business Function added

– Mission or Business Function termination

• Vulnerability (New or Existing)

– Attacks Developed

– Attacks Succeeded Elsewhere

– Found (no attacks known)

– CMS Attacked

Page 11

Types of Changes

• Minor Change

– No changes to, or additions of, controls (ARS, MAC ARS/BPSSM)

• Non-Compliant System

– Expired or non-existent ATO

• Possible/Potential Significant Change

– Security Category lowered, System boundary

– Equipment upgrades, Patch updates, Major system updates

– Mission/Business requirements

– New or changes to Laws, Regulations, Directives or NIST Documents

• Risk Level Evaluation

– New or Existing Vulnerability (attacks developed or succeeded elsewhere)

Page 12

More types of Changes

• Risk Identified

– New or existing vulnerability found (no known attacks)

• Standard Operating Procedure

– No ATO in place, ATO will expire soon

– Anti-malware patch updates

• Target of Risk

– Target of Threat, specific and credible information

– New or existing vulnerability (CMS attacked)

Page 13

Even more Changes

• Significant Change

– Core Mission/Business Function change, added, removed

– Security Category raised

– New (different) Servers, New (different) OS, New ARS or MAC ARS/BPSSM controls

– Change to Mission Essential Functions

– System boundary

• New processing location(s), new user population, protocol change, change or addition of Hosting Infrastructure Site

– Security Components

• Cryptographic modules

• Identification and Authentication

Page 14

That was not Significant, now what?

• Conduct the SIA

• Develop/document a defensible position

• Retain a copy of the SIA

– CFACTS – SAR section

– Protected, network drive

• Notify CMS ISSO, if appropriate

Page 15

Oh NO! A Significant Change! Now what?

• TDL-180061: Medicare Administrative Contractor (MAC) Significant Change Responsibilities – Issued 11/16/17

– Submit completed SIA to CMS ISSO

– Do NOT proceed with the change until CMS ISSO approves

– Contact Contracting Officer’s Representative (COR)

– Ensure ALL appropriate testing is conducted

• Security Control Assessment (SCA)

– Required, coordinate with your CMS ISSO

– Load SCA Report Results into CFACTS

• Track POA&Ms – if any findings exist

• Authority to Operate (ATO)

– Required, re-authorization of the system, coordinate with your CMS ISSO

Page 16

CMS Involvement?

• When to involve/contact your CMS ISSO

– Any significant changes

• See Appendix I of RMH Chapter 5: Configuration Management

– Transparency about other changes they may be interested in

• When not to involve/contact your CMS ISSO

– Standard Operating Procedure situations

• When to involve the MAC Contracting Officer’s Representative (COR)?

– Any significant changes

• See Appendix I of RMH Chapter 5: Configuration Management

Page 17

Reference Docs

• ARS, MAC ARS/BPSSM – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library.html

– https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/2018-Transmittals-Items/R14SS.html?DLPage=1&DLEntries=10&DLFilter=IOM%20100-17&DLSort=1&DLSortDir=ascending

• Risk Management Handbook, Chapter 5: Configuration Management – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH-Chapter-05-Configuration-Management.pdf

• Security Impact Analysis Checklist – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/Security-Impact-Analysis-Checklist-Template.html?DLPage=1&DLEntries=10&DLFilter=security%20imp&DLSort=0&DLSortDir=ascending

Page 18

Q&A and Thank You!