« Cabinet Secretariat public comment: "Information Security 2011" (draft) | Main | U.S. Department of Commerce: Cybersecurity, Innovation and the Internet Economy »

2011.06.11

DHS - FY 2011 CIO FISMA Reporting Metrics Ver. 1.0

Hello, 丸山満彦 (Mitsuhiko Maruyama) here. The Department of Homeland Security has published the FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics, Version 1.0.


・2011.06.01 FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics

1. SYSTEM INVENTORY

1.1. For each of the FIPS 199 system categorized impact levels in this question, provide the total number of Agency operational, FISMA reportable, systems by Agency component (i.e. Bureau or Sub-Department Operating Element).

2. ASSET MANAGEMENT

2.1. Provide the total number of Agency Information Technology assets (e.g. router, server, workstation, laptop, blackberry, etc.).

2.2. Has the Agency implemented an automated capability to detect and block unauthorized software from executing on the network? [Please indicate Partial or Full Coverage]

2.3. Has the Agency implemented an automated capability to detect and block unauthorized hardware from connecting to the network? [Please indicate Partial or Full Coverage]

2.4. For your Agency, which type(s) of assets are the most challenging in performing automated asset management? Rank the asset types below from 1-4, with 1 being the most challenging.

3. CONFIGURATION MANAGEMENT

3.1. Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into system configuration information (e.g. comparison of Agency baselines to installed configurations).

3.2. Provide the number of types of operating system software in use across the Agency.

3.3. Provide the number of enterprise-wide applications (e.g., Internet Explorer, Adobe, MS Office, Oracle, SQL, etc.) in use at the Agency.

4. VULNERABILITY MANAGEMENT

4.1. Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into detailed vulnerability information (Common Vulnerabilities and Exposures, CVE).

5. IDENTITY AND ACCESS MANAGEMENT

5.1. What is the number of Agency network user accounts? (Exclude system and application accounts utilized by processes)

5.2. What is the number of Agency privileged network user accounts (e.g. system administrators)?

6. DATA PROTECTION

6.1. Provide the total number of:

6.1a. Mobile computers and devices (excluding laptops).
6.1b. Laptops only.

6.2. Provide the number of devices in 6.1 that have all user data encrypted with FIPS 140-2 validated encryption.

6.3. Provide the percentage of Agency email systems that implement encryption technologies to protect the integrity of the contents and sender information when sending messages to government agencies or the public such as S/MIME, PGP, or other.

7. BOUNDARY PROTECTION

7.1. Provide the percentage of the required TIC 1.0 Capabilities that are implemented. (Applies only to Federal Civilian Agency TIC Access Providers (TICAP) only. All others should respond N/A.)

7.2. Provide the percentage of TICs with operational NCPS (Einstein 2) deployment. (Applies only to Federal Civilian Agency TIC Access Providers (TICAP) only. All others should respond N/A.)

7.3. Provide the percentage of external network capacity passing through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should respond N/A.)

7.4. Provide the percentage of external connections passing through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should respond N/A.)

7.5. Provide the percentage of Agency email systems that implement sender verification (anti-spoofing) technologies, such as DKIM, SPF, or other, when sending messages to government agencies or the public.

7.6. Provide the percentage of Agency email systems that check sender verification (anti-spoofing technologies) to detect possibly forged messages from government agencies known to send email with sender verification such as DKIM, SPF, or other.

7.7. Provide the frequency with which the Agency conducts thorough scans for unauthorized wireless access points.

7.8. Provide the frequency in which the Agency maps their cyber perimeter (e.g. externally visible systems and devices).

8. INCIDENT MANAGEMENT

8.1. What is the number of Agency operational networks on which controlled network penetration testing was performed in the past year? For the testing conducted above, provide the following information:

8.2. For FY11, what percentage of applicable US-CERT SARs (Security Awareness Reports) (or Information Assurance Vulnerability Alerts for DOD) has been acted upon appropriately by the Agency?

8.3. Provide the number of times in the past year the Agency participated in the Joint Agency Cyber Knowledge Exchange (JACKE). (These meetings are monthly)

9. TRAINING AND EDUCATION

9.1. What is the average frequency with which users receive supplemental cybersecurity awareness training content beyond the annual training requirement (content could include a single question or tip of the day)? (This question will be answered by subcomponent) (daily, weekly, monthly, quarterly, annually, never)

9.2. Provide the total number of Agency-sponsored phishing attack exercises, if conducted.

9.3. Provide the number of Agency users with network access privileges.

9.4. Provide the number of Agency network users with significant security responsibilities.

9.5. At what frequency is security awareness training content (that is provided to users) updated by the Agency or training provider? (daily, weekly, monthly, quarterly, annually, never)

9.6. At what frequency is specialized, role based, security training content (that is provided to users) updated by the Agency or training provider? (daily, weekly, monthly, quarterly, annually, never)

9.7. Provide the estimated percentage of new users to satisfactorily complete security awareness training before being granted network access.

9.8. Does your Agency’s annual security awareness training include:

10. REMOTE ACCESS

10.1. Provide the number of remote access connection methods (e.g. Dial-up, VPN, Clientless-VPN or SSL, etc.) the Agency offers to allow users to connect remotely with full access to normal desktop Agency LAN/WAN resources/services. Connection methods refer to options the Agency offers to users allowing them to connect remotely.

10.2. List the remote access connection methods identified in 10.1.

11. NETWORK SECURITY PROTOCOLS

11.1. Provide the number of:

11.1a. External facing DNS names (second-level, e.g. www.dhs.gov).
11.1b. External facing DNS names (second-level) signed.
11.1c. Provide the percentage of external facing DNS hierarchies with all sub-domains (second-level and below) entirely signed.

12. SOFTWARE ASSURANCE

12.1. Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months.

13. CONTINUOUS MONITORING

13.1. What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency:

13.2. To what extent is the data collected, correlated, and being used to drive action to reduce risks? Please provide a number on a scale of 1-5, with 1 being that "All continuous monitoring data is correlated".
