CSCOUT
Page 1
August 2018
Security Impact Analysis (SIA)
April Earley, WPS GHA, Senior Information System Security Officer
Requirements/Guidance
• ARS, MAC ARS/BPSSM
– Control CM-4
• The organization analyzes changes to the information system to determine potential security and privacy impacts prior to change implementation. Activities associated with configuration changes to the information system are audited.
• Risk Management Handbook, Chapter 5: Configuration Management
• Security Impact Analysis Checklist
• Technical Direction Letter TDL-180061
GOAL! What goal?
• Analysis of changes to the information system
• Determine security and privacy impacts before implementation
• Purpose:
– Identify potential and real security and privacy risks
– Develop effective safeguards to address security and privacy risks
– Develop effective security and privacy testing
Who’s going to do the work?
• CMS Information System Security Officer
• Information System Security Officer
• Information System Security Manager
• Information System Administrator
• Information System Security Engineer
When?
• Throughout the life cycle of the system so that the impact of changes on security is considered during each stage:
– Before a Change is Deployed
– During Development, Acquisition/Implementation and Assessment
*Note* The SIA must be completed before the change is deployed. Conducting an SIA after deployment is NOT acceptable.
What do I include?
• Brief description on purpose of SIA
• Description of System Changes
• Known security configuration Baseline Changes
• Security Risks
– How will security risks be addressed
• Planned Deployment Initiation and Completion Dates
• Control Families/Controls impacted
– How they are impacted
Types of Events
• New Revision of ARS, MAC ARS/BPSSM
– Affects existing controls or adds new controls
• No ATO exists
– ATO has expired or doesn’t exist
– Significant Change requiring New ATO
• Current ATO exists
– System/Host ATO expires in x months
• Security Classification
– Security Category lowered or raised
• Target of Threat
– Specific and Credible Information
Types of Events continued
• System boundary
– Expired or missing ATO for host GSS
– Changed Interconnections
– Architecture/Topological change
– Change to Logical Access Points
– New Processing Location(s)
– New User Population
– Protocol Change
– Change or Addition of Hosting Infrastructure or Site
• Equipment Upgrades
– Laptops/desktops, Communications equipment, New (different) Servers, Other equipment
More Events
• Major System Updates
– New OS release, New Anti-Malware Product, New (different) OS
• Patch Updates
– Software, Servers, Anti-Malware
• Laws, Regulations, Directives
• Issue or Update Other NIST Documents
• Security Components
– Cryptographic Modules
– Identification and Authentication
– Security Controls
Even more Events
• Mission/Business requirements
– New Mission added
– Mission or function termination or change of status
• Core Mission/Business functions
– Changes
– New Mission or Business Function added
– Mission or Business Function termination
• Vulnerability (New or Existing)
– Attacks Developed
– Attacks Succeeded Elsewhere
– Found (no attacks known)
– CMS Attacked
Types of Changes
• Minor Change
– No changes to or additional controls (ARS, MAC ARS/BPSSM)
• Non-Compliant System
– Expired or non-existent ATO
• Possible/Potential Significant Change
– Security Category lowered, System boundary
– Equipment upgrades, Patch updates, Major system updates
– Mission/Business requirements
– New or changes to Laws, Regulations, Directives or NIST Documents
• Risk Level Evaluation
– New or Existing Vulnerability (attacks developed or succeeded elsewhere)
More types of Changes
• Risk Identified
– New or existing vulnerability found (no known attacks)
• Standard Operating Procedure
– No ATO in place, ATO will expire soon
– Anti-malware patch updates
• Target of Risk
– Target of Threat, specific and credible information
– New or existing vulnerability (CMS attacked)
Even more Changes
• Significant Change
– Core Mission/Business Function change, added, removed
– Security Category raised
– New (different) Servers, New (different) OS, New ARS or MAC ARS/BPSSM controls
– Change to Mission Essential Functions
– System boundary
• New processing location(s), new user population, protocol change, change or addition of Hosting Infrastructure Site
– Security Components
• Cryptographic modules
• Identification and Authentication
That was not Significant, now what?
• Conduct the SIA
• Develop/document a defensible position
• Retain a copy of the SIA
– CFACTS – SAR section
– Protected, network drive
• Notify CMS ISSO, if appropriate
Oh NO! A Significant Change! Now what?
• TDL-180061: Medicare Administrative Contractor (MAC) Significant Change Responsibilities – Issued 11/16/17
– Submit completed SIA to CMS ISSO
– Do NOT proceed with the change until CMS ISSO approves
– Contact Contracting Officer’s Representative (COR)
– Ensure ALL appropriate testing is conducted
• Security Control Assessment (SCA)
– Required, coordinate with your CMS ISSO
– Load SCA Report Results into CFACTS
• Track POA&Ms – if any findings exist
• Authority to Operate (ATO)
– Required, re-authorization of the system, coordinate with your CMS ISSO
CMS Involvement?
• When to involve/contact your CMS ISSO
– Any significant changes
• See Appendix I of RMH Chapter 5: Configuration Management
– Transparency about other changes they may be interested in
• When not to involve/contact your CMS ISSO
– Standard Operating Procedure situations
• When to involve the MAC Contracting Officer’s Representative (COR)?
– Any significant changes
• See Appendix I of RMH Chapter 5: Configuration Management
Reference Docs
• ARS, MAC ARS/BPSSM – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library.html
– https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/2018-Transmittals-Items/R14SS.html?DLPage=1&DLEntries=10&DLFilter=IOM%20100-17&DLSort=1&DLSortDir=ascending
• Risk Management Handbook, Chapter 5: Configuration Management – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH-Chapter-05-Configuration-Management.pdf
• Security Impact Analysis Checklist – https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/Security-Impact-Analysis-Checklist-Template.html?DLPage=1&DLEntries=10&DLFilter=security%20imp&DLSort=0&DLSortDir=ascending
Q&A and
Thank You!