OMB Requesting Comments on Metrics for Annual FISMA Reporting by Federal Agencies
Hello, this is Mitsuhiko Maruyama. OMB is requesting comments on the evaluation and measurement metrics for 2010 FISMA reporting... It looks like the focus is shifting from "compliance" status to "improvement" status.
The areas covered are:
=====
System Inventory
Hardware Inventory
Software Inventory
Connections Inventory
Configuration Management
Integration of Security into SDLC
Remote Access Management
Incident Management
Training
====
That's the list. I'd better read it carefully...
■NIST
News & Events・2009.12.08 OMB Requesting Comments on Metrics for Annual FISMA Reporting by Federal Agencies
●requesting comments on potential metrics
=====
1 System Inventory
Please provide the number of agency-owned and contractor systems by component with the following information:
FIPS 199 risk category
Certification and accreditation status
Whether annual testing occurred
Whether a tested contingency plan exists
The number of systems assessed at E-Authentication levels 3 or 4
2 Hardware Inventory
Can the agency provide a real-time data feed of its asset inventory of all devices connected to its network?
3 Hardware Inventory
Sub-questions:
How frequently updated is the D/A’s asset inventory of all devices connected to the network and the network devices themselves, recording at least the network address, device name(s), purpose of each system, and an asset owner responsible for each device?
Is this capability manual, partially automated or fully automated for all D/A devices?
Does the D/A have the technical ability to block introduction of unauthorized hardware to any device connected to the network? Is there a process to respond if detected?
Does the D/A regularly test this capability by attaching devices not already in the inventory to the network?
Does the D/A technically scan and discover/inventory all devices connected to the enterprise network?
If the D/A does not currently maintain such an inventory, what are its plans to do so and by when?
4 Software Inventory
Can the agency provide a real-time data feed of its asset inventory of all software installed on all devices connected to its networks?
5 Software Inventory
Sub-questions:
How frequently updated is the D/A’s asset inventory of all software installed on devices connected to the network, recording at least the operating system, version number, patch level, and the applications installed on it?
Is this capability manual, partially automated or fully automated for all D/A devices?
Does the D/A technically scan and discover/inventory all software on devices connected to the enterprise network?
If the D/A does not currently maintain such an inventory, what are its plans to do so and by when?
Does the D/A have the technical ability to block introduction of unauthorized software to any device connected to the network? Is there a process to respond if detected?
Does the D/A regularly test this capability by attempting to install unapproved software on D/A devices?
6 Connections Inventory
Can the agency provide a real-time data feed of all of its external connections as defined in the TIC architecture?
7 Connections Inventory
Sub-questions:
How frequently updated is the D/A’s inventory of all external connections as defined in the TIC architecture?
Is this capability manual, partially automated or fully automated for all D/A connections?
Does the D/A technically block connections of unauthorized devices to the network?
Does the D/A employ technical means to scan and map all IPs on each enclave?
If the D/A does not currently maintain a connections inventory, what are its plans to do so and by when?
8 Configuration Management
For various hardware and software, agencies will be asked the following questions:
Standard baseline configuration defined
Checklist Used
Number of instances that can be and the number that are technically scanned for compliance with standard baseline
Frequency of scanning of all instances (Average number of days)
Number of instances with settings found to be compliant with standard baseline
Average time to apply high security criticality patch to 95% of machines
What technology is used for scanning?
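As an added illustration (not part of the OMB document or this post), the following Python computes the Configuration Management metrics above from a constructed per-instance scan and patch record set; the host names, dates and the 95% threshold are assumptions made for the example.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import List, Optional

@dataclass
class Instance:
    host: str
    scannable: bool            # can it be technically scanned for baseline compliance?
    scans: List[date]          # dates of compliance scans actually run
    compliant: bool            # last scan found all baseline settings compliant
    patched: Optional[date]    # when the high-criticality patch was applied, None if not yet

PATCH_RELEASED = date(2009, 11, 2)   # constructed release date of the critical patch

def build_sample() -> List[Instance]:
    """Constructed 20-host sample for one baseline-managed product (not real agency data)."""
    rows = []
    for n in range(20):
        scannable = n != 19                                  # one appliance cannot be scanned
        scanned = scannable and n != 18                      # one scannable host never scanned
        interval = 7 if n % 2 else 14                        # weekly vs. biweekly scanning
        first = date(2009, 11, 1)
        scans = [first, first + timedelta(days=interval)] if scanned else []
        compliant = scanned and n % 4 != 0                   # every fourth host drifts from baseline
        patched = PATCH_RELEASED + timedelta(days=n % 10) if n != 19 else None
        rows.append(Instance(f"ws-{n:02d}", scannable, scans, compliant, patched))
    return rows

def baseline_metrics(instances: List[Instance]) -> dict:
    """Scannable/scanned counts, average scan interval and compliant count for the block."""
    scanned = [i for i in instances if i.scans]
    intervals = [(i.scans[-1] - i.scans[-2]).days for i in scanned if len(i.scans) >= 2]
    return {
        "can_be_scanned": sum(i.scannable for i in instances),
        "are_scanned": len(scanned),
        "avg_scan_interval_days": mean(intervals) if intervals else None,
        "compliant": sum(i.compliant for i in scanned),   # only scanned hosts can be counted
    }

def days_to_patch_share(instances: List[Instance], released: date,
                        share: float = 0.95) -> Optional[int]:
    """Days from release until `share` of all instances had the patch; None if not reached yet."""
    needed = math.ceil(share * len(instances))
    applied = sorted(i.patched for i in instances if i.patched)
    if needed == 0 or len(applied) < needed:
        return None
    return (applied[needed - 1] - released).days
```

A host that was never scanned is reported as neither compliant nor non-compliant, which is why the compliant count is taken over scanned hosts only.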
9 Integration of Security into SDLC
What number of new systems (by 199 level) went live during the reporting period?
What number of new systems used 800-53 controls as system design requirements?
What number of new systems used 800-53A in the process of system acceptance testing?
What number of contract systems have the FISMA requirements in the contract or equivalent language?
10 Remote Access Management
Can the agency provide a real-time data feed of all of its external connections?
11 Remote Access Management
Sub-questions:
For GFE, do you automatically mitigate deviations from the minimum D/A configurations before allowing connection to proceed?
For personally-owned equipment (if permitted for use), do you require the user's system to meet minimum D/A configurations before allowing the connection to proceed?
If you are unable to prohibit connections when minimum D/A configuration standards are not met, when do you plan to have that functionality in place?
If you are unable to actively validate that remotely connected devices meet D/A configuration standards upon connection, when do you plan to have that functionality in place?
What percentage of remote access connections to the D/A network do you monitor?
Does your D/A monitor for: (a) intrusions, (b) malware, (c) data loss, (d) data flows (e.g., source/destination IP), (e) authorized user information (e.g., user ID), (f) resource(s) accessed, (g) other
12 Remote Access Management, cont.
Does the D/A's remote access policy require two-factor authentication for remote access (including VPN, dial-up, and other forms)?
If the agency does not have a remote access policy, what are the plans to develop and implement one and by when, respectively?
What number of users have remote access to the D/A networks?
What number of those use two-factor authentication for remote access?
What number of those use HSPD-12 cards?
What percentage of connections prohibit split tunneling (as defined by NIST)?
Is D/A information permitted to be stored on the local device?
What percentage of remote access solutions (e.g., the cryptographic portions, if any) use FIPS 140-2 validated cryptographic modules?
Does your D/A use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity?
13 Incident Management
During the D/A’s controlled network penetration testing, what percentage of incidents were detected by NOC/SOC? For detected incidents, what is the mean-time to incident recovery?
What tools, techniques, technologies, does the Agency use for incident detection?
How many systems (or networks of systems) are protected using the tools, techniques, and technologies listed above?
If the agency has not performed controlled network penetration testing, when will it have the capability to do so?
14 Incident Management, cont.
Does your D/A have an Incident Response Capability (whether in-house or as part of a managed security services contract)?
If not, does the D/A have a Security Operations Center operating as the incident response center?
Does your D/A participate in US-CERT threat briefings? (E.g., JACKE)
If not, why and what are the D/A's plans to participate?
Does your D/A have access to GFIRST information?
If not, why and what are the D/A's plans to obtain access?
Does your D/A have access to US-CERT publications? (E.g., SARS)
If not, why and what are the D/A's plans to obtain access?
15 Training
# of employees and contractors with log-in privileges
# of employees and contractors given annual security awareness training
# of employees and contractors with significant security responsibilities
# of employees with significant security responsibilities provided specialized security training
Cost of providing security awareness training
Cost of providing specialized security training
=====