« 内閣官房 パブコメ 「情報セキュリティ2011」(案) | Main | 米国商務省 Cybersecurity, Innovation and the Internet Economy »

2011.06.11

DHS - FY 2011 CIO FISMA Reporting Metrics Ver. 1.0

 こんにちは、丸山満彦です。Department of Homeland Securityが FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics Version 1.0を公表してますね。。。


・2011.06.01 FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>1. SYSTEM INVENTORY

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>1.1. For each of the FIPS 199 system categorized impact levels
in this question, provide the total number of Agency operational, FISMA
reportable, systems by Agency component (i.e. Bureau or Sub--‐ Department
Operating Element).

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>2. ASSET MANAGEMENT

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>2.1. Provide the total number of Agency Information Technology
assets (e.g. router, server, workstation, laptop, blackberry, etc.).

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>2.2. Has the Agency implemented an automated capability to
detect and block unauthorized software from executing on the network? [Please
indicate Partial or Full Coverage]

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>2.3. Has the Agency implemented an automated capability to
detect and block unauthorized hardware from connecting to the network? [Please
indicate Partial or Full Coverage]

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>2.4. For your Agency, which type(s) of assets are the most
challenging in performing automated asset management? Rank the asset types
below from 1--‐4 with 1 being the most challenging.

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>3. CONFIGURATION MANAGEMENT

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>3.1. Provide the number of Agency information technology assets
where an automated capability provides visibility at the Agency level into
system configuration information (e.g. comparison of Agency baselines to
installed configurations).

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>3.2. Provide the number of types of operating system software in
use across the Agency

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>3.3. Provide the number of enterprise--‐wide applications (e.g.,
Internet Explorer, Adobe, MS Office, Oracle, SQL, etc.) in use at the Agency.

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>4. VULNERABILITY MANAGEMENT

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>4.1. Provide the number of Agency information technology assets
where an automated capability provides visibility at the Agency level into
detailed vulnerability information ( Common Vulnerabilities and Exposures --‐
CVE).

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>5. IDENTITY AND ACCESS MANAGEMENT

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>5.1. What is the number of Agency network user accounts?
(Exclude system and application accounts utilized by processes)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>5.2 What is the number of Agency privileged network user
accounts (e.g. system administrators)?

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>6. DATA PROTECTION

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>6.1. Provide the total number of:

6.1a. Mobile computers and devices (excluding
laptops)

6.1b Laptops only

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>6.2. Provide the number of devices in 6.1 that have all user
data encrypted with FIPS 140--‐2 validated encryption.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>6.3. Provide the percentage of Agency email systems that
implement encryption technologies to protect the integrity of the contents and
sender information when sending messages to government agencies or the public
such as S/MIME, PGP, or other.

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>7. BOUNDARY PROTECTION

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.1. Provide the percentage of the required TIC 1.0 Capabilities
that are implemented. (Applies only to Federal Civilian Agency TIC Access
Providers (TICAP) only. All others should respond N/A.)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.2. Provide the percentage of TICs with operational NCPS
(Einstein 2) deployment. (Applies only to Federal Civilian Agency TIC Access
Providers (TICAP) only. All others should respond N/A.)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.3. Provide the percentage of external network capacity passing
through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should
respond N/A.)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.4. Provide the percentage of external connections passing
through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should
respond N/A.)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.5. Provide the percentage of Agency email systems that
implement sender verification (anti--‐ spoofing) technologies when sending
messages to government agencies or the public such as DKIM, SPF, or other.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.6. Provide the percentage of Agency email systems that check
sender verification (anti--‐spoofing technologies) to detect possibly forged
messages from government agencies known to send email with sender verification
such as DKIM or SPF or other.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.7. Provide the frequency with which the Agency conducts
thorough scans for unauthorized wireless access points.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>7.8. Provide the frequency in which the Agency maps their cyber
perimeter (e.g. externally visible systems and devices).

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>8. INCIDENT MANAGEMENT

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>8.1. What is the number of Agency operational networks on which
controlled network penetration testing was performed in the past year? For the
testing conducted above, provide the following information:

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>8.2. For FY11, what percentage of applicable US--‐CERT SARs
(Security Awareness Report) (or Information Assurance Vulnerability Alerts for
DOD) has been acted upon appropriately by the Agency?

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>8.3. Provide the number of times in the past year the Agency
participated in the Joint Agency Cyber Knowledge Exchange (JACKE). (These
meetings are monthly)

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>9. TRAINING AND EDUCATION

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.1. What is the average frequency with which users receive
supplemental cybersecurity awareness training content beyond the annual
training requirement (content could include a single question or tip of the
day)? (This question will be answered by subcomponent) (daily, weekly, monthly,
quarterly, annually, never)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.2. Provide the total number of Agency--‐sponsored phishing
attack exercises, if conducted.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.3. Provide the number of Agency users with network access
privileges.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.4. Provide the number of Agency network users with significant
security responsibilities.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.5. At what frequency is security awareness training content
(that is provided to users) updated by the Agency or training provider? (daily,
weekly, monthly, quarterly, annually, never)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.6. At what frequency is specialized, role based, security
training content (that is provided to users) updated by the Agency or training
provider? (daily, weekly, monthly, quarterly, annually, never)

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.7. Provide the estimated percentage of new users to
satisfactorily complete security awareness training before being granted
network access.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>9.8. Does your Agency’s annual security awareness training
include:

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>10. REMOTE ACCESS

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>10.1. Provide the number of remote access connection methods
(e.g. Dial--‐up, VPN, Clientless--‐VPN or SSL, etc.) the Agency offers to allow
users to connect remotely to full access of normal desktop Agency LAN/WAN
resources/services. Connection methods refer to options the Agency offers to
users allowing them to connect remotely.

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>10.2 List the remote access connection methods identified in
10.1

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>11. NETWORK SECURITY PROTOCOLS

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>11.1. Provide the number of:

11.1a. External facing DNS names (second- style='font-size:9.0pt;font-family:"MS 明朝","serif";mso-ascii-font-family:"Trebuchet MS";
mso-fareast-font-family:"MS 明朝";mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:"Trebuchet MS";color:#666666'>­‐ style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";color:#666666'>level,
e.g. www.dhs.gov).

11.1b. External facing DNS names (second-
­‐level) signed.

11.1c. Provide the percentage of external facing DNS hierarchies with all sub-
style='font-size:9.0pt;font-family:"MS 明朝","serif";mso-ascii-font-family:"Trebuchet MS";
mso-fareast-font-family:"MS 明朝";mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:"Trebuchet MS";color:#666666'>­‐ style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";color:#666666'>domains
(second-
­‐ level and below) entirely signed.

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>12. SOFTWARE ASSURANCE

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>12.1 Provide the number of information systems, developed
in--‐house or with commercial services, deployed in the past 12 months.

style='mso-bidi-font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
mso-bidi-font-family:"Times New Roman";mso-bidi-theme-font:minor-bidi;
color:#00A1DE;mso-themecolor:accent3'>13. CONTINUOUS MONITORING

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>13.1. What percentage of data from the following potential data
feeds are being monitored at appropriate frequencies and levels in the Agency:

lang=EN-US style='font-size:9.0pt;font-family:"Trebuchet MS","sans-serif";
color:#666666'>13.2 To what extent is the data collected, correlated, and being
used to drive action to reduce risks? Please provide a number on a scale of
1--‐5, with 1 being that “All continuous monitoring data is correlated”.


 

|

« 内閣官房 パブコメ 「情報セキュリティ2011」(案) | Main | 米国商務省 Cybersecurity, Innovation and the Internet Economy »

Comments

Post a comment



(Not displayed with comment.)




TrackBack


Listed below are links to weblogs that reference DHS - FY 2011 CIO FISMA Reporting Metrics Ver. 1.0:

« 内閣官房 パブコメ 「情報セキュリティ2011」(案) | Main | 米国商務省 Cybersecurity, Innovation and the Internet Economy »