
2011.06.11

DHS - FY 2011 CIO FISMA Reporting Metrics Ver. 1.0

Hello, this is Mitsuhiko Maruyama. The Department of Homeland Security has published the FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics Version 1.0.


・2011.06.01 FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics

1. SYSTEM INVENTORY

1.1. For each of the FIPS 199 system categorized impact levels in this question, provide the total number of Agency operational, FISMA reportable, systems by Agency component (i.e. Bureau or Sub-Department Operating Element).

2. ASSET MANAGEMENT

2.1. Provide the total number of Agency Information Technology assets (e.g. router, server, workstation, laptop, blackberry, etc.).

2.2. Has the Agency implemented an automated capability to detect and block unauthorized software from executing on the network? [Please indicate Partial or Full Coverage]

2.3. Has the Agency implemented an automated capability to detect and block unauthorized hardware from connecting to the network? [Please indicate Partial or Full Coverage]

2.4. For your Agency, which type(s) of assets are the most challenging in performing automated asset management? Rank the asset types below from 1-4 with 1 being the most challenging.

3. CONFIGURATION MANAGEMENT

3.1. Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into system configuration information (e.g. comparison of Agency baselines to installed configurations).

3.2. Provide the number of types of operating system software in use across the Agency.

3.3. Provide the number of enterprise-wide applications (e.g., Internet Explorer, Adobe, MS Office, Oracle, SQL, etc.) in use at the Agency.

4. VULNERABILITY MANAGEMENT

4.1. Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into detailed vulnerability information (Common Vulnerabilities and Exposures - CVE).

5. IDENTITY AND ACCESS MANAGEMENT

5.1. What is the number of Agency network user accounts? (Exclude system and application accounts utilized by processes)

5.2. What is the number of Agency privileged network user accounts (e.g. system administrators)?

6. DATA PROTECTION

6.1. Provide the total number of:

6.1a. Mobile computers and devices (excluding laptops)

6.1b. Laptops only

6.2. Provide the number of devices in 6.1 that have all user data encrypted with FIPS 140-2 validated encryption.

6.3. Provide the percentage of Agency email systems that implement encryption technologies to protect the integrity of the contents and sender information when sending messages to government agencies or the public, such as S/MIME, PGP, or other.

7. BOUNDARY PROTECTION

7.1. Provide the percentage of the required TIC 1.0 Capabilities that are implemented. (Applies only to Federal Civilian Agency TIC Access Providers (TICAP). All others should respond N/A.)

7.2. Provide the percentage of TICs with operational NCPS (Einstein 2) deployment. (Applies only to Federal Civilian Agency TIC Access Providers (TICAP). All others should respond N/A.)

7.3. Provide the percentage of external network capacity passing through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should respond N/A.)

7.4. Provide the percentage of external connections passing through a TIC/MTIPS. (Applies to all Federal Civilian Agencies. DOD should respond N/A.)

7.5. Provide the percentage of Agency email systems that implement sender verification (anti-spoofing) technologies when sending messages to government agencies or the public, such as DKIM, SPF, or other.

7.6. Provide the percentage of Agency email systems that check sender verification (anti-spoofing technologies) to detect possibly forged messages from government agencies known to send email with sender verification such as DKIM or SPF or other.

7.7. Provide the frequency with which the Agency conducts thorough scans for unauthorized wireless access points.

7.8. Provide the frequency with which the Agency maps its cyber perimeter (e.g. externally visible systems and devices).

8. INCIDENT MANAGEMENT

8.1. What is the number of Agency operational networks on which controlled network penetration testing was performed in the past year? For the testing conducted above, provide the following information:

8.2. For FY11, what percentage of applicable US-CERT SARs (Security Awareness Report) (or Information Assurance Vulnerability Alerts for DOD) has been acted upon appropriately by the Agency?

8.3. Provide the number of times in the past year the Agency participated in the Joint Agency Cyber Knowledge Exchange (JACKE). (These meetings are monthly)

9. TRAINING AND EDUCATION

9.1. What is the average frequency with which users receive supplemental cybersecurity awareness training content beyond the annual training requirement (content could include a single question or tip of the day)? (This question will be answered by subcomponent) (daily, weekly, monthly, quarterly, annually, never)

9.2. Provide the total number of Agency-sponsored phishing attack exercises, if conducted.

9.3. Provide the number of Agency users with network access privileges.

9.4. Provide the number of Agency network users with significant security responsibilities.

9.5. At what frequency is security awareness training content (that is provided to users) updated by the Agency or training provider? (daily, weekly, monthly, quarterly, annually, never)

9.6. At what frequency is specialized, role-based, security training content (that is provided to users) updated by the Agency or training provider? (daily, weekly, monthly, quarterly, annually, never)

9.7. Provide the estimated percentage of new users to satisfactorily complete security awareness training before being granted network access.

9.8. Does your Agency’s annual security awareness training include:

10. REMOTE ACCESS

10.1. Provide the number of remote access connection methods (e.g. Dial-up, VPN, Clientless-VPN or SSL, etc.) the Agency offers to allow users to connect remotely to full access of normal desktop Agency LAN/WAN resources/services. Connection methods refer to options the Agency offers to users allowing them to connect remotely.

10.2. List the remote access connection methods identified in 10.1.

11. NETWORK SECURITY PROTOCOLS

11.1. Provide the number of:

11.1a. External facing DNS names (second-level, e.g. www.dhs.gov).

11.1b. External facing DNS names (second-level) signed.

11.1c. Provide the percentage of external facing DNS hierarchies with all sub-domains (second-level and below) entirely signed.

12. SOFTWARE ASSURANCE

12.1. Provide the number of information systems, developed in-house or with commercial services, deployed in the past 12 months.

13. CONTINUOUS MONITORING

13.1. What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency:

13.2. To what extent is the data collected, correlated, and being used to drive action to reduce risks? Please provide a number on a scale of 1-5, with 1 being that “All continuous monitoring data is correlated”.


