ConvoCourses

Cyber Security Compliance and IT Jobs

Certification and Accreditation

Need Information Systems Security Officer in Herndon, VA

by Leave a Comment

Information Systems Security Officer

Location: Herndon, VA
Duration: 1 year
US Citizenship Required –  Public Trust or Secret Clearance Tier III
Summary• Advises key technical personnel of system regarding design, engineering and compliance requirements
• Advises key stakeholders of security posture and risks associated with the system
• Reviews configurations changes for the system and the impact of changes
• Creates, manages and facilitates NIST based security documentation and controls
• Identifies, manages and facilitates remediation of security weaknesses

Job Responsibilities/ Duties:
• Develop, consult, implement controls and documentation for the security of the system. This includes: outlining system operating environment, overall mission, physical diagrams, hardware and software inventories, configuration management, type of data processed, user organizations, security classifications, operating modes, interconnections to other systems/networks, security personnel, and other associated responsibilities.
• Oversee, develop, improve and maintain the overall security posture of the system; that includes: Information System Security Plans, Risk Ratings, Contingency Plans, Security Assessments, and Contingency Plan Tests and other associated documentation.
• Participate in the development or revision of security controls of the system and local operating procedures that are based upon regulatory, policy and industry requirements.
• Act as a consultant to system owners for the security of the system and system documentation. For example, security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, and contingency plans
• Provide expertise in classified and unclassified ratings to customers.
• Work closely with technical teams for successful Certification & Accreditation of the system that leads to ATO
• Attend ISSO training courses and sessions as required
• Perform interpretations of monthly vulnerability scan results of assigned systems

Required Training:
Senior Level IT Security Certifications (CCDP, CCNP Security, CISSP, CISM, etc.)
Education/Equivalent Training Required: Bachelor’s Degree or equivalent experience will be evaluated
Unique/Additional /Experience (Position Specifics):
Expert knowledge of FISMA and NIST Special Publications
Experience implementing, assessing and managing security controls for federal IT systems
Expert knowledge of IT security best practices
Expert knowledge of current IT security threats
Broad knowledge of IT technologies and operations
Ability to develop good working relationships with customers, colleagues and other stakeholders.
Excellent verbal and written communication skills
Ability to handle and prioritize multiple simultaneous systems, projects and other assignments.
Experience leading information security teams
Knowledge of HIPAA, FedRAMP, PCI, ISO and other standards
Location(s): District of Columbia (Metro Area),
Department: IT Security
Keywords: Certification and Accreditation, C&A, A&A, SA&A, FISMA, compliance, information assurance, ISSO, AISO, ISO, IASO and ISSM
Comments: US Citizen, US Government Suitability Determination and DoE Q Security Clearance is a Plus

Thanks & Regards,
Kartik Jain
Technical Recruiter

Information Systems Security Officer in Herndon, VA

by Leave a Comment

Information Systems Security Officer 

US Citizenship Required –  Public Trust or Secret Clearance Tier III

Location: Herndon, VA
Duration: 1 year
Summary• Advises key technical personnel of system regarding design, engineering and compliance requirements
• Advises key stakeholders of security posture and risks associated with the system
• Reviews configurations changes for the system and the impact of changes
• Creates, manages and facilitates NIST based security documentation and controls
• Identifies, manages and facilitates remediation of security weaknesses

Job Responsibilities/ Duties:
• Develop, consult, implement controls and documentation for the security of the system. This includes: outlining system operating environment, overall mission, physical diagrams, hardware and software inventories, configuration management, type of data processed, user organizations, security classifications, operating modes, interconnections to other systems/networks, security personnel, and other associated responsibilities.
• Oversee, develop, improve and maintain the overall security posture of the system; that includes: Information System Security Plans, Risk Ratings, Contingency Plans, Security Assessments, and Contingency Plan Tests and other associated documentation.
• Participate in the development or revision of security controls of the system and local operating procedures that are based upon regulatory, policy and industry requirements.
• Act as a consultant to system owners for the security of the system and system documentation. For example, security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, and contingency plans
• Provide expertise in classified and unclassified ratings to customers.
• Work closely with technical teams for successful Certification & Accreditation of the system that leads to ATO
• Attend ISSO training courses and sessions as required
• Perform interpretations of monthly vulnerability scan results of assigned systems

Required Training:
Senior Level IT Security Certifications (CCDP, CCNP Security, CISSP, CISM, etc.)
Education/Equivalent Training Required: Bachelor’s Degree or equivalent experience will be evaluated
Unique/Additional /Experience (Position Specifics):
Expert knowledge of FISMA and NIST Special Publications
Experience implementing, assessing and managing security controls for federal IT systems
Expert knowledge of IT security best practices
Expert knowledge of current IT security threats
Broad knowledge of IT technologies and operations
Ability to develop good working relationships with customers, colleagues and other stakeholders.
Excellent verbal and written communication skills
Ability to handle and prioritize multiple simultaneous systems, projects and other assignments.
Experience leading information security teams
Knowledge of HIPAA, FedRAMP, PCI, ISO and other standards
Location(s): District of Columbia (Metro Area),
Department: IT Security
Keywords: Certification and Accreditation, C&A, A&A, SA&A, FISMA, compliance, information assurance, ISSO, AISO, ISO, IASO and ISSM
Comments: US Citizen, US Government Suitability Determination and DoE Q Security Clearance is a Plus

Thanks & Regards,
Kartik Jain
Technical Recruiter

nist risk management framework 800-37

by Leave a Comment

NIST risk management framework 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (revision 1) marked a change from the old NIST 800-37 that was based on Certification & Accreditation.   The adjustment stems from FISMA 2002 and includes the following changes:

  1. Revised process emphasizes
  2. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  3. Maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes
  4. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

The DoD has recently adopted the NIST risk management framework 800-37 steps (called the DIARMF process).  There are 6 step: Categorize, Select, Implement, Assess, Authorize and Continuous Monitor.

risk management framework steps
risk management framework steps

nist risk management framework 800-37 – Step 1. Categorize

The first risk management framework step is categorization.  This step consists of classifying the importance of the information system.   This is done by the system owner with FIPS 199 and NIST 800-60.

Categorization is based on how much negative impact the organization will receive if the information system lost is confidentiality, integrity or availability.

 

nist risk management framework 800-37 – Step 2. Select

With FIPS 200 and NIST SP 800-53, the organization responsible for the systems security will select the security controls required to limit the risk to their organization.  The selection of the controls is based on the categorization of your system.  A system security plan is created as a guide to what will be installed and/or configured on the system.

More on DIARMF – Select

nist risk management framework 800-37 – Step 3. Implement

Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3.  This step is implementation which is installation and configuration of security patches, hotfixes and security devices where necessary.   Guidance for actual implantation has to come from technical manuals, system administrators, system engineers and others technically competent enough to do the work.

More on DIARMF – Implement

nist risk management framework 800-37 – Step 4. Assess

The organization has to make sure that the security controls are implemented properly.  This is done in risk management step 4, assess.  Using NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations  is used to determine which controls have been fully implemented to limit the risks to the organization.

More on DIARMF – Assess

nist risk management framework 800-37 – Step 5. Authorize

Even after implementation and assessment of the security controls that limits the over all risk to the organization, there is some remaining (residual) risk.  The organization must have someone who has enough authority of over the system to accept the residual risk.  This person is known as the Authorizing Official.

In risk management framework step 5, an Authorizing Official makes a formal, written acceptance of the risks.  The AO makes a decision on whether or not to accept the risk based on the authorization package.  The authorization package consists of the system security plan, plan of action and milestone, security/risk assessment report and any other supporting documents.

 

More on DIARMF – Authorization

nist risk management framework 800-37 – Step 6. Continuous Monitoring

After acceptance of risk by the organization, they must develop a program that monitors the ongoing changes to the systems security posture.   They take a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.

More on DIARMF – Continuous Monitoring

 

Brief History of C&A

by Leave a Comment

Over the years I have noticed that not many people in IT know what Certification & Accreditation is.  IT professionals specializing in some aspect of system, network or software security usually know of it by one of its many names.  Some call it as assessments.  A generic name would be a security check, but the new name the government will use will be Assessment & Authorization.  Those of use who have had a chance to do it call it a pain in the ass!

I cannot complain too much about it because the work has paid my bills for years.  I am doing mostly technical work right now, but I still keep a close eye on C&A.

DIACAP DIARMF Orange book
DIACAP DIARMF Orange book

For those of you who want to know more, here is a brief history of C&A:

In 1985 by the National Computer Security Center (NCSC) (now known as the National Security Agency) published the Trusted Computer Systems Evaluation Criteria (TCSEC), the “Orange Book.”  It was apart of a series of computer security standards known as the Rainbow series.  These books covered everything from cryptography, to authenticate to verification systems.

 Information Technology Security Evaluation and Certification (ITSEC) in 1991, came later from Europe.  These standards evolved into international standards known today as common criteria.

The Orange Book became DoDD 5200.28-STD, DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, which is the basis of DoD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP).  In 2002, DITSCAP was replaced with  DoDD 8500.1.  8500 begat 8510, DIACAP … and Boaz begat Abraham and Abraham begat Choazz.. (ok.. a little KJV humor there).

But seriously, Department of Defense Instruction (DODI) 8510.01, DoD IA C&A Process, (DIACAP) comes from the Orange Book in the old Rainbow Series.

Now it has evolved again to become the Defense Information Assurance Risk Management Framework.

DoD Certification and Accreditation

by 1 Comment

DoD Certification and Accreditation. The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems.

— DoDI 8500.2, Information Assurance (IA) Implementation http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf

 

Certification and Accreditation C&A
Certification and Accreditation C&A

If you have an important system (an asset) that is producing, processing, storing or distributing important data then you need to make sure that it is protected.  You need a high level of confidence that your asset and its data is secure, not tampered with stolen or corrupted.  

If you go through IT Security training, we are talking about confidentiality, integrity, and availability (aka CIA).  You want to make sure your data has confidentiality (trade secrets are protected), available to users and that the data has integrity (not corrupted).  

The process of ensuring assets are secure is known as certification and accreditation (aka C&A).  The C&A process consists of evaluating the system for security and then having someone in charge take responsibility for the remaining risks to that system.

Certification – a comprehensive evaluation and validation of a DoD IS to establish the degree to which it complies with assigned IA controls based on standardized procedure (8510.01, E2.10)

Accreditation Decision – a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) (8510.01, E2.2).

The C&A process has been done by most major companies and organizations in the private sector and governments.  They may have different names for it and slightly different methods, but they are are essentially doing the same thing.  They have to do it because their enterprise gets so big that its impossible to stop every threat and quickly remove everyone weakness.  The best they can do is create a process to manage the risk.  That is what C&A is supposed to do.  

The problem with certification and accreditation is that it is inefficient often taking months to do thousands of hours and millions of dollars.  Since there is so much documentation involved and coordination its often ignored or not done thoroughly.  

The certification and accreditation process has been automated (somewhat) with online databases and there has been a move to do away with C&A all together and move to a risk management framework.