Continuous Monitoring & Security Authorization

XACTA® IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT

Source: Telos, images.telos.com/files/external/XIAM_Cost_Savings_ROI.pdf


TOTAL COST OF OWNERSHIP

Xacta IA Manager Can Reduce Labor and Support Resource Re-Allocation

THE PROBLEM

• Continuous Monitoring, Security Authorization, and Risk Management are complex and time-consuming processes

• FISMA calls for continuous monitoring of IA controls, a life-cycle risk management approach, and remediation to ensure sustained compliance

• Every IT system in the federal government must comply with FISMA, via the mandatory FIPS 199 (security categorization) and FIPS 200 (minimum security requirements)

• Cybersecurity skills are in short supply, high demand, and are therefore expensive

• Cybersecurity pros spend too much time on low-value, mundane tasks – formatting documents, cross-walking regulations, and manually tracking POA&Ms

• Without automation, continuous monitoring, risk management, and security authorization are manpower intensive and can be prohibitively expensive

• At the same time, non-compliance is not an option. At risk are your IT budget, taxpayer information, personal healthcare data, public confidence, and national security

THE ANSWER: XACTA IA MANAGER

Xacta IA Manager, the industry's leading framework for IT security governance, risk management, and compliance, has done more to streamline and automate these complex security processes than any other solution. This data sheet shows how Xacta IA Manager can significantly reduce the cost of FISMA compliance and reporting, including continuous monitoring operations.

When evaluating an IT security automation product, it is important to determine the scope of the solution as well as how much manual labor it will save. The solution should automate all six steps of the NIST SP 800-37 Rev. 1 Risk Management Framework. Without this breadth of coverage, scarce cybersecurity staff are wasted on low-value, mundane tasks such as formatting security plan documents, parsing regulations, and tracking POA&Ms. Xacta IA Manager automates these tasks so that cybersecurity professionals can spend their time recommending security controls for new systems, conducting security assessments, evaluating risks, responding to incidents, and communicating with business unit leaders. It also supports shifting emphasis away from paperwork and onto continuous monitoring. This Total Cost of Ownership document should be used as a data point for cybersecurity managers in deciding how best to allocate scarce human resources while addressing dynamic operational demands.

ANNUAL RISK MANAGEMENT FRAMEWORK LABOR SAVINGS

Assumptions:
• The organization is using the NIST SP 800-37 Rev. 1 RMF (or equivalent)
• The organization has 100 systems (each requiring similar effort)
• Each system is of moderate size and complexity (450 desktops and 30 servers)
• Automation hours reflect efficiencies in workflow and a standard knowledge base of controls and validation methods

Hours required per system, per year (Manual Methods vs. Xacta Automated)

Steps in the Risk Management Framework (RMF)                                   Manual   Xacta
RMF-1: CATEGORIZE Information System
  Identify & document system purpose and usage model                               40      35
  Identify & record system data types (NIST SP 800-60) and C-I-A values            24      20
  Identify & document system boundary and architecture                             24      20
  Register system & confirm C-I-A impact for entire system                          8       2
  Approve system impact through AO/DAA and senior agency official (SAISO)           8       6
RMF-2: SELECT Security Controls
  Identify common agency controls & security standards                             40      30
  Identify minimum controls & supplemental and/or compensating controls            32      16
  Develop continuous monitoring strategy                                           24       4
  Coordinate the security control approach & draft system security plan (SSP)     60      40
RMF-3: IMPLEMENT Security Controls
  Implement system security control resources (technology, people, processes)     96      84
  Complete security control documentation in the SSP                              196     120
  Coordinate transition to assessment step                                         16       8
RMF-4: ASSESS Security Controls
  Review & revise test cases for controls coverage                                 96      72
  Execute test procedures                                                         264     132
  Conduct initial remediations & analyze residual risks                            96      72
  Publish key reports for assessment (SAR), risk reports, draft POA&Ms             44      16
RMF-5: AUTHORIZE Information System
  Complete Plans of Action & Milestones (POA&Ms)                                   44      32
  Assemble final deliverables (SSP, SAR, POA&Ms)                                   24      16
  Make authorization decision & document decision                                   8       6
Total labor hours per year for RMF-1 through RMF-5                              1,144     731
RMF-6: MONITOR Security Controls
  Review & update all system operating characteristics, based on changes         192     144
  Periodically review control selection criteria, based on dynamic threat         92      78
  Maintain inventory of resources (technology, people, processes)                240     160
  Test controls                                                                   264     112
  Maintain/remediate system, controls, and all security-relevant documentation   256     180
  On-going security status reporting                                              196      44
Total labor hours per year for RMF-6                                            1,240     718
Total labor hours per year for RMF-1 through RMF-6                              2,384   1,449

HOURS SAVED EACH YEAR, PER SYSTEM: 935 (2,384 − 1,449)

(The printed sheet gives an RMF-6 subtotal of 1,044 / 674, which omits the status-reporting row that its own grand total includes, and prints the annual saving as 1,935; the figures above follow the row values and the grand total.)


Return On Investment

LABOR. Applying traditional C&A methods to the new Risk Management Framework (RMF) can require literally thousands of labor hours. Some specialized tools can help reduce the amount of labor required, but not to the degree that Xacta IA Manager reduces manual effort. For example, security certification testing of servers typically requires about one hour per server. With the Xacta HostInfo and AutoTest capabilities, the same testing can often be performed in about five minutes. For 50 servers, that is a saving of roughly 46 hours (50 × 55 minutes).

LABOR COST. At an average labor rate of $100/hour, labor-intensive methods are very expensive compared with Xacta IA Manager.

AUTOMATED TOOLS. Commercial off-the-shelf and even some Government off-the-shelf tools are available to help automate parts of the RMF process. These include scanners that perform vulnerability and configuration testing. Xacta IA Manager contains a Security Content Automation Protocol (SCAP)-validated scanner to further automate security testing; both the Xacta HostInfo and the Continuous Assessment capabilities have been SCAP-validated. HostInfo automates technical testing by running scripts on the machines themselves, which is far more efficient than manual checks and more accurate than network-based scans. Competing SCAP products also automate testing, but they do not address the entire Risk Management Framework and therefore do not reduce labor costs to the same degree as Xacta IA Manager. Xacta IA Manager is unique in that technical test results are mapped to standard controls, such as NIST SP 800-53, and tracked in the system's security authorization evidence and associated documentation. Finally, the Xacta IA Manager framework integrates with many common security tools, and Telos maintains security partnerships with other security product vendors.

3-YEAR LIFE-CYCLE COST CALCULATIONS AND SAVINGS ESTIMATE

Assumptions:
• The organization is using the NIST SP 800-37 Rev. 1 RMF (or equivalent)
• The organization has 100 systems
• 85 systems have an ATO and 15 systems are new each year
• The organization has 50,000 IT assets (45,000 desktops, 3,000 servers, 2,000 others)
• All labor is contractor labor (at an average of $100/hour)

Activities                                                                  Manual Methods   Xacta Automated
Labor hours for RMF-1 through RMF-5 (15 systems each year for 3 years)             51,480            32,895
Labor hours for RMF-6 (85 systems per year for 3 years)                             46,980            30,330
TOTAL labor hours                                                                   98,460            63,225
Hourly rate                                                                           $100              $100
Total labor cost                                                                $9,846,000        $6,322,500
Vulnerability & configuration scanner cost and three years of maintenance       $1,467,037               $0*
Xacta IA Manager perpetual license and three years of maintenance†                      $0          $721,344
Total product cost                                                              $1,467,037          $721,344
Total 3-year cost                                                              $11,313,037        $7,043,844

PERCENT SAVED OVER THREE YEARS: 38%

* Xacta IA Manager is an SCAP-certified FDCC scanner and works with or without other existing security tools.
† Includes Xacta IA Manager: Assessment Engine and Xacta IA Manager: Continuous Assessment.
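The two agency-level figures in this data sheet (the 3-year totals above and the 100-system conversion cost in the table on the last page) follow from a small model that the sheet never states explicitly. The Python below is an added example, not code from Telos or the data sheet, that reproduces both from the sheet's per-system figures. The life-cycle part is labor hours × system-years × rate plus product cost. The conversion part is my reading of the sheet's "process efficiency factor": the first system is converted at full cost and each subsequent system costs (1 − factor) of that; this interpretation is an assumption, adopted because it reproduces the printed $3,062,118 and $724,090 exactly. One observation the model makes visible: the sheet's RMF-6 hours (46,980 and 30,330) are 45 × the per-system RMF-6 subtotal it prints (1,044 and 674), i.e. the same 45 system-years (15 × 3) as RMF-1 through RMF-5, not the 85 systems per year named in the row label, so the function takes system-years as an explicit input rather than deriving them from the assumptions.

```python
"""Reconstruct the Xacta IA Manager data sheet's ROI arithmetic (added example).

All numeric inputs are the data sheet's own per-system figures. The model
structure is inferred: it is the simplest one that reproduces the printed totals.
"""
from dataclasses import dataclass

HOURLY_RATE = 100.0  # $/hour, all contractor labor (data sheet assumption)


@dataclass(frozen=True)
class Scenario:
    """Per-system labor and product figures for one method (manual or automated)."""
    rmf1_5_hours: float   # RMF-1..RMF-5 hours per new system (annual table)
    rmf6_hours: float     # RMF-6 hours per operating system per year (sheet's subtotal)
    product_cost: float   # scanner or license plus three years of maintenance


def lifecycle(scn: Scenario, new_system_years: int, operating_system_years: int,
              rate: float = HOURLY_RATE) -> tuple[float, float]:
    """Return (total labor hours, total cost) for a scenario.

    System-years are passed in directly: the sheet uses 45 (15 systems x 3
    years) for both RMF-1..5 and RMF-6 even though the RMF-6 row says "85".
    """
    hours = scn.rmf1_5_hours * new_system_years + scn.rmf6_hours * operating_system_years
    return hours, hours * rate + scn.product_cost


def conversion_cost(first_system: float, systems: int, efficiency: float) -> float:
    """Agency-wide conversion cost.

    Assumed meaning of the sheet's "process efficiency factor": the first
    system converts at full cost, every later one at (1 - efficiency) of it.
    """
    if not 0.0 <= efficiency < 1.0 or systems < 1:
        raise ValueError("efficiency must be in [0, 1) and systems >= 1")
    return first_system * (1 + (systems - 1) * (1 - efficiency))


def percent_saved(baseline: float, automated: float) -> int:
    """Whole-percent saving of `automated` relative to `baseline`."""
    return round(100 * (baseline - automated) / baseline)


# Per-system figures from the sheet: manual methods vs. Xacta automated.
MANUAL = Scenario(rmf1_5_hours=1144, rmf6_hours=1044, product_cost=1_467_037)
XACTA = Scenario(rmf1_5_hours=731, rmf6_hours=674, product_cost=721_344)


def three_year_summary() -> dict:
    """The sheet's 3-year table: 45 system-years for each of RMF-1..5 and RMF-6."""
    m_hours, m_cost = lifecycle(MANUAL, 45, 45)
    x_hours, x_cost = lifecycle(XACTA, 45, 45)
    return {"manual_hours": m_hours, "xacta_hours": x_hours,
            "manual_cost": m_cost, "xacta_cost": x_cost,
            "percent_saved": percent_saved(m_cost, x_cost)}


def conversion_summary(systems: int = 100) -> dict:
    """The sheet's conversion table: $60,636 vs $34,812 per first system, factors 0.5 / 0.8."""
    manual = conversion_cost(60_636, systems, 0.5)
    xacta = conversion_cost(34_812, systems, 0.8)
    return {"manual": round(manual), "xacta": round(xacta),
            "percent_saved": percent_saved(manual, xacta)}


if __name__ == "__main__":
    print(three_year_summary())   # manual 98,460 h / $11,313,037; Xacta 63,225 h / $7,043,844; 38%
    print(conversion_summary())   # manual $3,062,118; Xacta $724,090; 76%
```

Substituting your own per-system hours, system counts and rate into `Scenario` and `conversion_summary` gives a like-for-like comparison; the two efficiency factors are the parameters to challenge, since the 100-system result scales almost linearly with (1 − factor).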


From Compliance To Security

"Certification and Accreditation is essentially a process whereby agencies evaluate every three years what defensive security protections are in place to prevent attacks on their key systems. The process costs taxpayers about $1.3 billion every year and it produces a good deal of paperwork that ends up stored in binders in some clutter-filled room." Source: Senator Tom Carper, Chairman of the Senate Homeland Security and Governmental Affairs Committee's Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, October 29, 2009.

"In 2002, 47% of all agency systems had a Certification & Accreditation in place; whereas, in 2009, 95% of systems had a Certification & Accreditation in place. Despite the improvements as reported by agencies, the Federal Government's communications and information infrastructure is still far from secure. The FISMA measures reported on annually have led agencies to focus on compliance." Source: Federal CIO Vivek Kundra, statement before the House Committee on Oversight and Government Reform Subcommittee on Government Management, Organization, and Procurement, March 24, 2010.

As of 2010, OMB wants agencies to implement continuous monitoring of security controls and to automate their FISMA reporting. Telos is working closely with DHS representatives to automate the feed of FISMA data into CyberScope, OMB's new FISMA reporting portal.

CONGRATULATIONS! You Just Got Your System's ATO (Authorization to Operate).

But suddenly the rules have changed. Now you have to meet a whole new set of risk management practices, implement different security controls, continuously monitor the new controls, and report into CyberScope.

What will that mean for you? How much will it cost to adapt your current methods to the new controls?

It all depends on the risk management solution you choose. The following table shows how costly and cumbersome, or how cost-effective and hassle-free, the transition can be.

RISK MANAGEMENT FRAMEWORK CONVERSION COST CONSIDERATIONS

Assumptions:
• The organization has 100 systems (each requiring similar effort)
• Tools and processes are in place for reporting based on DIACAP or DCID 6/3

Activities (hours required per system)                                            Manual Methods   Xacta Automated
Re-categorize systems based on CNSSI 1253                                                     24                16
Map existing IA controls to agency-tailored NIST SP 800-53 controls                          112                88
Map existing test results to NIST SP 800-53A validation procedures                           224               182
Re-package security evidence in new formats                                                  192                44
TOTAL labor hours per system                                                                 552               330
Hourly rate                                                                                 $100              $100
TOTAL labor cost per system                                                              $55,200           $33,000
Staff re-training (6 people in a 2-day class vs. 2 people)                                $5,436            $1,812
TOTAL conversion cost per system                                                         $60,636           $34,812
Process efficiency factor (gain after completing the first system transition)                0.5               0.8
Conversion cost for an agency of 100 systems                                          $3,062,118          $724,090

PERCENT SAVED BY LEVERAGING AUTOMATED TEMPLATES: 76%

Telos' Flexible Licensing for Xacta IA Manager

Government IT risk management processes and FISMA reporting requirements make it necessary for an agency to account for all of its IT systems. A typical system has a Program Manager or System Owner and is frequently managed using industry-standard project management techniques. Consequently, Telos routinely licenses the Xacta IA Manager solution on a per-project basis, where a project corresponds to an agency information system. When a per-project perpetual license is purchased, Xacta IA Manager is authorized for use on a specified number of systems, where the system boundary is defined by the customer, and the number of authorized users is unlimited.

Some organizations prefer to license software on a per-user basis. It can be difficult to anticipate the total number of users who might participate in the security management, risk management, and FISMA reporting processes over an extended period across an entire agency. When an organization can estimate the appropriate user population, Telos offers per-user licensing for Xacta IA Manager. When per-user perpetual licenses are purchased, Xacta IA Manager is authorized for use by the specified number of users, and the number of authorized projects, or systems, is unlimited.

Choose the cost-effective, hassle-free solution. Choose Xacta IA Manager.

Copyright © 2010 Telos Corporation. All rights reserved. XIAMTCO122010
19886 Ashburn Road, Ashburn, VA 20147-2358 | 1.800.70.TELOS | www.telos.com
Advanced technology solutions that protect your vital assets™