US Department of State

Jay Coplon

My Commitment

• You will get a sense for how we do C&A• You will find value in being here• All of your questions will be answered

Key Points

• Quantitative Metrics• Toolkits, Tools and Templates• Continuous Monitoring• Questions and Answers

Decision Memo Authorization to Operate• When the Control Limits have not been exceeded.

Decision Memo Authorization to Operate• When the Control Limits have been exceeded.

Risk Score in iPost

Fully Reporting in iPost

System Owner will maintain a high level of hosts fully reporting (to iPost) within the accreditation boundary. Fully means current reporting on hardware, software, patch, vulnerability, and compliance

Low or No Medium Traditional Risk

The System Owner will maintain a level or state of low or no Medium business risk as determined by traditional C&A.

Notification of Change Metrics

• Exceeding the Specification Limits• Exceeding the Control Limits

C&A – How we communicate with our customers.

• SharePoint Website Policy, Procedure, Standard

• Document Center Organized by categories

• Alert Notifications Page and/or Document

• WorkshopsTools

SharePoint

SharePoint

Get Ready Get Set STOP!• Exceed any specification limit• Readiness to Start C&A Checklist

FIPS 199 and OMB M-04-04

• Categorize your System• Determine the Assurance Level

Control Selection Tool

• Identify which controls have been implemented• How each control has been implemented• C&A and Annual Security Control Assessments• Manage controls over the systems lifecycle

POA&M Tester Database Tool

• Linked to the system FIPS 199 categorization • Import Open Findings from previous assessments• Finding and Recommended remediation• Failed Controls are identified• Standardizes the risk is calculated for each finding• Risk Scoping

iPost Continuous Monitoring

IPost Continuous Monitoring

Questions and Answers