Author name: Bruce

I have been doing IT and Cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.


Information Assurance Degree Online

There is no replacement for good, solid experience in Information Assurance, but an Information Assurance Degree Online is a great way to put you ahead of the competition or even start your career in the ever expanding and never ending world of Information System Security. I have been doing this for well over a decade, and let me tell you IT IS A VERY SOLID living. There are two main reasons for this:

Sensitive Information: Since Information Assurance typically involves doing work for the government and working with sensitive information, you don’t have to worry about outsourcing to India or China. You will often HAVE to be a U.S. Citizen and need a security clearance to do the work. I am not sure how this works in other countries, but I would bet it’s the same. If you are in the UK, for example, or India (for that matter), they will require you to be a citizen of the applicable country to work on classified projects.

Security on Critical Systems: As information systems become more critical to every aspect of our lives, so does Information Assurance. So more and more of this work is needed.

There used to be some sort of stigma about online degrees because of all the scam paper degrees from fake, unaccredited companies that started cropping up with the rise of the Internet. But now everyone has jumped on the bandwagon: Stanford, Harvard, MIT all have accelerated courses and online programs. Few colleges take adult education seriously enough to include something as specialized as “Information Assurance”. If you have kids, or work full time, or are in the Armed Services, those few colleges that do include an information assurance degree online are truly a blessing.

So now that we know how great an opportunity Information Assurance is, let’s talk about which information assurance degree online to get!
For top Information Assurance Online Degrees, look for university programs that have been awarded National Center of Academic Excellence in Information Assurance Education and those approved by the National Security Agency’s Information Assurance Courseware Evaluation program.

http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml
http://www.nsa.gov/IA/ACADEMIC_OUTREACH/IACE_PROGRAM/INDEX.SHTML

Western Governors University Information Assurance Degree Online – I have heard GREAT things about WGU. Their tuition cost is UNBEATABLE! When I first heard how much it cost I thought it was a scam, but once I read more and talked to a counselor I realized they are legit. Their Information Assurance degree online program is certified by the National Security Agency’s Information Assurance Courseware Evaluation program. The most incredible thing about WGU is that they take IT certifications as credits. That combined with the VERY affordable cost will force you to get off your ass and get an Information Assurance degree! Here are some of the IT certs they will take toward your degree:

Cisco Certified Entry Network Technician (CCENT)
EC-Council Ethical Hacking and Countermeasures (EC0-350)
EC-Council Computer Hacking Forensic Investigator (EC0-349)

http://www.wgu.edu/online_it_degrees/information_security_assurance_degree

Capella University Information Assurance Degree Online – Capella is one of the top degree programs for Information Assurance degrees online. It is consistently picked as a National Center of Academic Excellence in Information Assurance Education (CAE/IAE) by the National Security Agency and the U.S. Department of Homeland Security each year. If you already have a Certified Information System Security Professional (CISSP) certification and have been doing Information Assurance work, they will legitimately knock off the amount of credits you have to do.
http://www.capella.edu/online-degrees/masters-information-assurance-security/

Other notable universities with Information Assurance Degrees Online: Regis IA Degree Online


Brief History of C&A

Over the years I have noticed that not many people in IT know what Certification & Accreditation is. IT professionals specializing in some aspect of system, network or software security usually know of it by one of its many names. Some call it assessments. A generic name would be a security check, but the new name the government will use is Assessment & Authorization. Those of us who have had a chance to do it call it a pain in the ass! I cannot complain too much about it because the work has paid my bills for years. I am doing mostly technical work right now, but I still keep a close eye on C&A.

For those of you who want to know more, here is a brief history of C&A:

In 1985 the National Computer Security Center (NCSC) (now known as the National Security Agency) published the Trusted Computer Systems Evaluation Criteria (TCSEC), the “Orange Book.” It was a part of a series of computer security standards known as the Rainbow Series. These books covered everything from cryptography to authentication to verification systems. Information Technology Security Evaluation and Certification (ITSEC), in 1991, came later from Europe. These standards evolved into the international standards known today as the Common Criteria.

The Orange Book became DoDD 5200.28-STD, DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, which is the basis of DoD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP). In 2002, DITSCAP was replaced with DoDD 8500.1. 8500 begat 8510, DIACAP … and Boaz begat Abraham and Abraham begat Choazz.. (ok.. a little KJV humor there). But seriously, Department of Defense Instruction (DoDI) 8510.01, DoD IA C&A Process (DIACAP), comes from the Orange Book in the old Rainbow Series. Now it has evolved again to become the Defense Information Assurance Risk Management Framework.


DIARMF A&A – Assessment Authorization

Defense Information Assurance Risk Management Framework Assessment & Authorization is similar to certification and accreditation (C&A). With the DIACAP transition come some new terms, but essentially the same kinds of work. The Risk Management Framework still does the comprehensive evaluation of security features but calls it assessment instead of certification. Where DIACAP had the Designated Accrediting Authority (DAA) to formally accredit a system, DIARMF has an Authorizing Official (AO) to authorize a system. So essentially, the term “C&A” (certification and accreditation) is superseded by “A&A” (assessment and authorization). Another term that has changed with the transition from DIACAP to DIARMF is “information assurance (IA) controls”, which are now called “security controls”. The security controls mark one of the biggest differences between DIACAP and DIARMF, since there are so many more security controls in NIST SP 800-53 than there are in DIACAP’s DoD 8500.2.

Certification (NIST Assessment) – Comprehensive evaluation of an information system: an assessment of the IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome. An assessment is about gathering information to provide the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision.

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – formal approval of the system). Authorization is given by a senior agency official (upper management/higher headquarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system and explicitly accept the risk to operations, assets and individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.

“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” – NIST SP 800-37 rev 1


DoD Certification and Accreditation

The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems. — DoDI 8500.2, Information Assurance (IA) Implementation
http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf

If you have an important system (an asset) that is producing, processing, storing or distributing important data, then you need to make sure that it is protected. You need a high level of confidence that your asset and its data are secure: not tampered with, stolen or corrupted. If you go through IT Security training, we are talking about confidentiality, integrity, and availability (aka CIA). You want to make sure your data has confidentiality (trade secrets are protected), is available to users, and has integrity (is not corrupted).

The process of ensuring assets are secure is known as certification and accreditation (aka C&A). The C&A process consists of evaluating the system for security and then having someone in charge take responsibility for the remaining risks to that system.

Certification – a comprehensive evaluation and validation of a DoD IS to establish the degree to which it complies with assigned IA controls based on standardized procedure (8510.01, E2.10)

Accreditation Decision – a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) (8510.01, E2.2).

The C&A process has been done by most major companies and organizations in the private sector and governments. They may have different names for it and slightly different methods, but they are essentially doing the same thing. They have to do it because their enterprise gets so big that it’s impossible to stop every threat and quickly remove every weakness. The best they can do is create a process to manage the risk. That is what C&A is supposed to do.

The problem with certification and accreditation is that it is inefficient, often taking months, thousands of hours and millions of dollars. Since there is so much documentation and coordination involved, it’s often ignored or not done thoroughly. The certification and accreditation process has been automated (somewhat) with online databases, and there has been a move to do away with C&A altogether and move to a risk management framework.


diarmf diacap

We’ve gone from the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) to the DoD Information Assurance Certification And Accreditation Process (DIACAP) to the DoD Information Assurance Risk Management Framework (DIARMF). The DIACAP transition is mainly about going from certification and accreditation (C&A) to a Risk Management Framework process.

The DIARMF is a Risk Management Framework that comes from the National Institute of Standards and Technology (NIST), NIST Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems”. The NIST standards have transitioned from certification and accreditation to a risk management framework. NIST has replaced its C&A documents, NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. The current NIST SP 800-37, Rev 1 includes a risk management process. Risk management is more in line with international standards, ISO 31000:2009, Risk management, and ISO/IEC 31010:2009, Risk management.

Some of the differences I have noticed have been:

More Flexible & Tailorable Boundaries. The risk management framework is more flexible and tailorable on security boundaries. RMF includes things like “dynamic subsystems”, which allow you to do things like create a temporary subsystem and attach it to an existing system in the middle of its system life-cycle. I have seen that done with DIACAP, but typically organizations had to make up their own detailed process to manage the risk. Since DIACAP did not have that kind of flexibility, you ended up with hundreds of variations of DIACAP. The Navy, Army and Air Force each had their own version of DIACAP, and then even units within those branches had their own. For example, Space Command might have a different process than Euro Command and they could be in the same branch.

Focus on Security Factors. The risk management framework looks at risk according to the system’s confidentiality, integrity and availability separately and as a whole.

More Quantitative. With more controls and a focus on risk, the risk management framework can be more quantitative as well as qualitative.

Tailorable Controls. The risk management framework is built to make the controls fit the actual system. This is probably one of DIACAP’s biggest drawbacks: it has a generic set of controls that are not applicable in some cases and lacking in some areas of security.

DIARMF is based on NIST standards (NIST 800-37, rev 1). DIACAP is based on DoD 8500/8510.


DIARMF Authorization

What is Step 5 – Authorization?

DIARMF Step 5 is similar to Phase 4 of DIACAP, Make Certification Determination & Authorization Decision. In fact, the major difference between the two systems in this part of the process is the names.

DIARMF Step 5, Authorization, is where the Authorizing Official accepts the residual risks of the system. The residual risks are the remaining risks that could not be fixed with security controls for one reason or another. Perhaps the organization did not have enough money to implement a specific kind of web proxy, or the physical location of a base at the foot of key terrain owned by a private civilian has made it so the vulnerability to the asset cannot be fully mitigated at this time. The residual risks, findings and recommendations are addressed in a Security Assessment Report (SAR). The SAR highlights the residual risks and what can be done about them. It is meant to give the decision makers some idea where the biggest risks to the asset are. In DIACAP, the equivalent would be the DIACAP Scorecard; similarly, the SAR is supposed to give a quick assessment that will help the decision maker and/or the Authorizing Official know what kind of risk he or she is expected to accept.

How and when the findings and recommendations will be handled is addressed in the Plan of Action and Milestones (POA&M). These documents (SAR and POA&M) are the primary responsibility of the Information System Owner or Common Control Provider, but supported by the Information Owner/Steward and Information System Security Officer, meaning it’s DONE by the ISSO and delegated by the Information System Owner. The POA&M addresses the problem, what tasks are needed to get to a solution (if any), a date of completion with milestones on the way to accomplishing the solution, and the resources required.

References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-53A, 800-37.

Authorization Decision and Authorization Package

The Authorization Decision is based on supporting evidence that comes from the content of the authorization package. The authorization package consists of the following:

• System Security Plan – provides a comprehensive view of all security controls and the overall security posture of the system (see NIST SP 800-18)
• Security Assessment Report – a report that addresses the residual risk, the remaining weaknesses of the system.
• Plan of Action and Milestones – a breakdown of how and when the remaining vulnerabilities will be addressed.

Once the AO is ready to accept the risk, he or she must formally accept the risks of the system and grant it an Authorization to Operate in writing.


diarmf-assess

What is a DIARMF assessment?

After DIARMF Step 3, Implement, the security controls must be assessed. To assess a security control means to check it to see if it has been implemented to protect the system as it is supposed to. To minimize the risk that comes with vulnerabilities being exploited, the organization cannot just assume that someone has implemented the security controls. The organization cannot take an engineer’s or technician’s or administrator’s or ANYONE’s word for it that the security controls are implemented correctly. If you are familiar with DIACAP Phase 3, Implement and Validate Controls, then DIARMF Step 4 should be familiar, because validating controls is the same as assessing controls.

Types of Assessments

Taken from the public page DoD Compliance Inspections: There are actually several types of compliance inspections (assessments) your organization can be subject to.

Command Cyber Readiness Inspection (CCRI) – A formal inspection conducted under the direction of USCYBERCOM’s Enhanced Inspection Program.

Security Assistance Visits (SAVs) – A process by which DISA FSO personnel will conduct an on-site assessment and validation of compliance with mandated IA, CND, certification and accreditation (C&A), or other focus areas either as a standalone effort or in preparation for a scheduled inspection or evaluation.

CNDSP Level II Inspections – CNDSP evaluations are an on-site evaluation and validation of compliance with mandated CND Service requirements as outlined in DoD O-8530.1 and DoDI O-8530.2.

CNDSP Level II Designation Assessments – CNDSP validations are a review and validation of alignment to an accredited CNDSP. A formal recommendation is provided upon completion of the on-site evaluation.

IA Readiness Reviews (IARRs) – A formal review in 12 IA areas to determine a site’s current IA program status and provide formal recommendations for improvements in areas where deficiencies or non-compliance are discovered.

Enclave and System Certification – Can provide on-site technical assessments and certification recommendations to a Designated Approving Authority (DAA) in support of enclave accreditation, coalition enclave or systems.

Combatant Command (COCOM) exercise support – DISA provides critical exercise support for the COCOMs in various theater and global exercises. This support can come from a variety of areas and include CND technology Subject Matter Experts (SMEs), CND Integrators, and CND analysts.

FUCK The CCRI?

I used to teach DIACAP and DIARMF and everyone I met was stressed out about the CCRI.. listen.. Fuck the CCRI! AND here is why: the DoD and other federal organizations are constantly coming up with new names and new types of audits. But the concept remains the same. Risk = Threat * Vulnerability * Asset. I am NOT SAYING don’t do your job. I am saying do your job to the greatest of your ability. And I am saying it will not help to stress about stuff you cannot change. Do what is within your power to do.

Auditors are assessing controls to see if they have been implemented to their standard. If your organization is informed of the risks and willing to document, take responsibility and take action, then any new audit by a new organization will find you knowledgeable and prepared like Spartans. Know their rules well enough that you can answer all questions, and set their standard by knowing your system’s risks intimately. How can you be stressed if you have done all you can do? What good will it do to stress out about stuff you cannot control? You cannot control how the auditor will perceive your security. But you can control how prepared you are and how informed your organization is of all risks that have been found. Usually if you are straight up with the assessors, they will give lots of leeway. If you start lying and try to sweep known risks under the rug, then they may find it and offer zero leniency and go straight to your commander to humiliate you and question your integrity and skills. You can lose your job and/or respect.

Who is involved with the DIARMF Assessment?

Assessment of the security controls involves all interested parties, all stakeholders: the information system security officer and administrators who may have applied the security controls, the information system owners who put forth the orders to implement the security controls, the system engineers who want to make sure the system still works while security controls are implemented, and of course those conducting the security control assessments. All of these entities have a singular goal of securing the system to minimize the risk while maintaining functionality. The DIARMF assessment step is where this is to occur.

Ultimately it’s the responsibility of the Information System Owner. It is his or her responsibility to know what is supposed to be done, delegate someone or some group to get the system prepared, fund the outside organization to do it and see the process through. Usually, they hire an Information Security professional or have some sort of system security officer that runs the operations of planning, implementation, assessment, getting the system authorized and continuous monitoring.

Assessment Readiness Inspection

A very prepared and successful unit will do their OWN internal assessments and know all the system’s shortcomings more intimately than any hacker or outside organization. To be prepared they should do pentesting, continuous scans of the network and a robust change management program. The organization that wants to prepare will have a budget and schedule and a plan for the assessments (internal and external). They will do the following to make sure the system is ready:

Make sure security policies are in place. The policies should be approved by the system owner in writing or signed and address the security controls.
Choose an approved Security Control Assessor. In the DoD they are called Auditors. You should establish communication with them. Be honest, upfront, and professional. Give them as much information as they need to make their visit smooth with ZERO surprises.
Establish who, what, when, where and how of their visit.
Provide them with all policies, SSP, POA&M, SAR.
Know the scope of the assessment (are


DIARMF Implement

What you will learn:
Overview of Step 3, Implementation
Where to go for technical help on implementation

In Step 3 of the DIARMF, the organization implements the security controls specified in the security plan. Implementation relies heavily on the Security Plan documented in Step 2, Selecting the security controls.

Who Does the DIARMF Implementation?

Although the primary responsibility for implementation is in the hands of the Information System Owner or Common Control Provider, it is delegated to a system administrator, information system security officer and/or system engineer. Whatever their title, the most important thing is that they know HOW to do it and perhaps have experience doing it. The organization usually is bound by regulations to only select qualified technicians to do the work. US Department of Defense (DoD) Directive 8570.1-M, Information Assurance Training, Certification, and Workforce Management, is the policy that the DoD uses to determine what is “qualified”. This policy identifies specific certification & training that IT professionals need in order to be considered to do certain work. Realistically, a certification is a poor substitute for real world experience, but most seasoned employers that know about their company’s needs recognize this.

How is DIARMF Implementation done and When?

The managers (information assurance managers, systems/program managers) are the key to getting things done. And for managers, the most important parts of implementation are planning and resources. An organization needs these managed well to be successful.

Resources: resources are qualified personnel to do the work, funding to keep the work going, and material/software/hardware to get the job done. These resources need to be managed appropriately. One of the hardest parts of a manager’s job is making sure there are enough resources to get the work done.

Timeframe & Planning: planning, and especially the planning of limited resources, is a must! Assuming there is a requirement for the work to be done, not much can be done efficiently without a plan. Managers’ (information assurance managers, systems/program managers) main job is to get the most effective use out of the resources provided.

Managers are the centerpiece to getting the job done. Without good management, it’s very hard for the system administrators, information system security officers, technicians and engineers to do their jobs, because they must take the time to manage themselves, which takes away from doing the work: attending back-to-back meetings with higher-ups, completing documentation that has nothing to do with the project and making critical decisions that are outside the scope of their job. All of this puts them and the project itself at risk. A good manager runs interference for his team, provides the team with all the tools they need to be successful and makes realistic milestones that are tracked diligently from start to finish of the project. A bad manager is self-serving, lazy and goes out of their way to sabotage the project by being an asshole. They sow mistrust by absorbing all the credit for good work and deflecting all the blame for bad work. They are mostly ignorant of what is going on. They make everyone’s life harder by breathing.

DIARMF Documentation & Implementation

It’s important to document what security controls are implemented. This helps continuity, especially since some security controls break functionality, but it also helps with DIARMF Assessment, since the assessment checks the controls that were documented.

DoD Resources for DIARMF Implementation

Where you will have to go for guidance on certain technical security controls are actual vendor documentation, online knowledge databases, technical manuals, and even actual support technicians on specific products if necessary. Other places that are helpful are:
NSA.gov/ia
iase.disa.gov


DIARMF Select

DIARMF Select DIARMF – FIPS 200, CNSSI-1253 & NIST SP 800-53 The documents for putting DIARMF Categorization and Selection of security controls together are FIPS 200, CNSSI-1253 and NIST SP 800-53.  DoD 8510 is based on these documents. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems is a bridge between the FIPS 199 and the security controls documented in NIST SP 800-53.  It sets forth the initial set of baseline security controls for your system based on the system impact level and minimum security requirements FIPS 200 is a very short document that explains the levels of impact that your system has based on your systems security categorization and how the security controls will be selected.     FIPS 200 mentions seventeen security-related areas (more current revisions of SP 800-53 have more security areas) with regard to protecting the confidentiality, integrity, and availability of data processed, transmitted and stored on government systems.  The security-related areas include: access control awareness and training audit and accountability certification, accreditation security assessments configuration management contingency planning identification and authentication incident response maintenance media protection physical and environmental protection planning personnel security risk assessment systems and services acquisition system and communications protection system and information integrity Addressing each of the 17 DIARMF areas will give the organization a comprehensive selection of security controls.  These controls address technical, operational and management aspects of security and risk management. The DIARMF Selected security controls come from NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.  Recommended Security controls are prescribe to the security categorization of your system.   
Initial Set of Baseline Security Controls The 17 DIARMF areas are broken out in NIST SP 800-53 Appendix D.  Appendix D is the DIARMF Initial Set Baseline Security Controls.  CNSSI 1253, Security Categorization and control Selection for National Security Systems is specifically for National Security systems and offers a few alternatives to normal federals systems. What are National Security Systems? (OMB Circular A-130, FIPS 200, NIST 137) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). The differences are based on specific challenges of national security systems (aka mission systems) that set them apart from normal federals systems.  The following adjustments are mentioned in CNSSI to deal with NSS systems: NO “High Water Mark” – normally federal systems are take on impact level of their most important security factor.  NSS systems don’t apply HWM.  Instead, confidentiality, integrity and availability retain their impact levels. Confidentiality is treated different – Other factors affect confidentiality: aggregation of information on the system, system environment, and attributes of users.  For example, and IP address by itself is not classified, but an IP and a vulnerability and the system description and location is probably classified.   Appendix K, Overlay – NSS have to use security overlays in addition to the initial security baseline.  See CNSSI for more details. 
Reciprocity – One of the biggest problems with the old C&A was that when one military unit would have a need to connect to a military or intel unit from a different branch, they would end up having to do two or three different C&A processes.  This was VERY costly.. and stupid.  So the new DIARMF is pushing away from that with Reciprocity.  Its something they started during DIACAP with different degrees of success. http://www.sandia.gov/FSO/PDF/flowdown/Final_CNSSI_1253.pdf Tailoring Controls Tailoring means aligning the selected security controls to your system.  For example, if you have a bunch of security controls that apply to Internet browsers.  And the controls are designed to minimize the possibility of your browser being hacked from the Internet.  But your system HAS NO INTERNET CONNECTION and only uses browsers for reading HTML based manuals on your Internal network.  If you are tailoring, you could cut all those security controls out because they are not applicable to your network. You are applying ONLY security baseline controls that fit within the SCOPE of your systems capabilities.  And you are applying the MOST critical controls over more expensive security controls that have little or no impact to minimizing the risk.  So scoping and tailoring is something that requires a security professional and someone that knows the system well enough to know what controls are really needed and which one are not. DIARMF-Select Documentation During the selection process your Information System Security Officer should be working on the System Security Plan.  The details of what the SSP looks like is in NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems.  The SSP is like your play book on what will be implemented and why. It should be robust enough to guide the implementation of the security controls but flexible enough so that you can continue to add to it during the implementation process.   
After the implementation of the security controls, the SSP will be needed for the Assessment of the security controls.
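As an added example that is not part of the original post, the Python below shows the two categorization rules described above (FIPS 199 high water mark versus CNSSI 1253 keeping separate C, I and A levels) driving baseline selection, followed by the scoping step that drops controls a system cannot use, such as boundary protection on a network with no external connection. The control identifiers are real SP 800-53 controls, but the objective, minimum level and scope columns are a constructed illustration, not NIST's actual Appendix D allocation.

```python
"""Added example, not from the original post: FIPS 199 "high water mark"
categorization versus CNSSI 1253 (C, I and A keep their own levels), then
scoping out controls the system cannot use. The control table is a constructed
illustrative subset, not NIST's real Appendix D allocation."""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Control:
    id: str         # real SP 800-53 identifiers; the other fields are constructed
    objective: str  # security objective the control mainly serves
    min_level: str  # lowest impact level at which it enters the baseline
    scope: str      # system property needed for the control to apply ("any" = always)

CATALOG = [
    Control("SC-7", "confidentiality", "low", "external_connection"),
    Control("SC-7(3)", "confidentiality", "moderate", "external_connection"),
    Control("SI-3", "integrity", "low", "any"),
    Control("SI-2", "integrity", "low", "any"),
    Control("CP-9", "availability", "low", "any"),
    Control("CA-7", "integrity", "low", "any"),
]

def fips199_hwm(conf, integ, avail):
    """FIPS 199: the whole system takes the impact level of its highest factor."""
    return max((conf, integ, avail), key=LEVELS.__getitem__)

def categorize(conf, integ, avail, use_hwm):
    """Per-objective impact levels: one shared HWM level for federal systems,
    or the separate levels CNSSI 1253 keeps for national security systems."""
    if use_hwm:
        conf = integ = avail = fips199_hwm(conf, integ, avail)
    return {"confidentiality": conf, "integrity": integ, "availability": avail}

def select_baseline(category, catalog=CATALOG):
    """A control enters the baseline when its objective's level reaches its minimum."""
    return [c for c in catalog if LEVELS[category[c.objective]] >= LEVELS[c.min_level]]

def scope_controls(selected, system_properties):
    """Scoping: drop controls whose condition the system does not meet, e.g.
    boundary protection (SC-7) on a network with no external connection."""
    return [c for c in selected if c.scope == "any" or c.scope in system_properties]

def tailored_ids(conf, integ, avail, system_properties, use_hwm):
    """Control IDs left after baseline selection and scoping."""
    category = categorize(conf, integ, avail, use_hwm)
    return [c.id for c in scope_controls(select_baseline(category), system_properties)]
```

Running `tailored_ids("low", "moderate", "low", set(), use_hwm=True)` shows the isolated-network case from the text: the SC-7 boundary controls drop out even though the HWM raised the whole system to moderate.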


DIARMF – Continuous Monitoring

What is DIARMF continuous monitoring?

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.  It is described in NIST SP 800-137.  Continuous monitoring is the last and very important ON-GOING 6th step in the DIARMF security life cycle.  The DoD's current method of continuous monitoring (2014) is the use of Continuous Monitoring and Risk Scoring (CMRS).  It is a web-based visual method of watching DoD enterprise security controls that cover software inventory, antivirus configuration, Security Technical Implementation Guide (STIG) compliance, and (IAVM) vulnerability and patch compliance.  CMRS displays risk dashboards based on data published by HBSS and ACAS (more info at DISA).

HBSS (Host Based Security System) is a DoD implemented suite of applications:

(McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
Asset Configuration Compliance Module (ACCM) – version 2, but 2.0.0.1129 is preferred
McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
McAfee Host Intrusion Prevention (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
Antivirus (AV) – McAfee or Symantec – McAfee Symantec Antivirus 10.1.9, McAfee Virus Scan Enterprise 10.2, Symantec Endpoint Protection 12, Symantec Antivirus 10.1, Symantec Antivirus 10.2, Symantec Norton Antivirus 7500 9
Operational Attribute Module (OAM) – version 2.0.1, but 2.0.5.1 is preferred
Asset Publishing Service (APS) – version 2.0.1 or 2.0.0.6, but 2.0.3 is preferred – configured to publish to CMRS

ACAS (Assured Compliance Assessment Solution) is Tenable Nessus, an enterprise-level vulnerability scanner.

These systems are implemented in accordance with United States Strategic Command (USSTRATCOM) Communications Tasking Orders (CTO) 05-19 & 07-12 (Deployment of Host Based Security System (HBSS)).  The products and tools needed for continuous monitoring change constantly, but what is important is the concept.  Within a month of publishing this, the products listed will be different and new CTOs will be released, but the need for continuous monitoring will remain.  KNOW the CONCEPT.

If you know DIACAP, then this step is similar to Phase 5, Maintain Authorization to Operate, except there is a HUGE focus on automation in real time.  Automation is done with tools like security information & event management systems (SIEM) and security dashboards.  If the other steps of DIARMF are planning, building and checking the engine, then continuous monitoring is keeping it running.  Continuous monitoring is part of the day-to-day tasks of security professionals.

Continuous monitoring has everything to do with the visibility of your network:

Configuration Management – track and manage changes with a configuration management or asset management process.  The organization monitors the security baseline by managing its inventory and only allowing approved major changes to the network.

Vulnerability monitoring – awareness of vulnerabilities and response with a patch management program.

Network monitoring – incident handling & response to advanced persistent threats & active research of ongoing threats.

Key Component of DIARMF Continuous Monitoring: Security Content Automation Protocol (SCAP)

According to the Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, March 2013, "A key component to this work is the NIST Security Content Automation Protocol (SCAP) and related programs, which are developed through close collaboration between government and industry partners".

SCAP is a common protocol that vulnerability scanning and patching software can use to communicate vulnerability & technical control information to each other quickly.  This protocol is used internationally, federally and commercially.

Continuous Monitoring as a Service (CMaaS)

The Department of Homeland Security is coordinating a continuous monitoring service.  They want to create a Continuous Diagnostics and Mitigation (CDM) program providing continuous monitoring sensors, diagnosis, mitigation tools, and Continuous Monitoring as a Service (CMaaS).  With dashboards and automated Crystal Reports the data is visualized in real time to allow information security professionals to respond quickly to the highest priority incidents.

Continuous Monitoring Products

Federal law encourages the use of tools like security information & event managers (SIEM) that bring all the security information into one place, a security dashboard that uses graphs and visual imagery to quickly detect patterns across lots of data in real time.  See the new FISMA and NIST SP 800-137 for more information.  Tools like SIEMs, IPSs, IDSs and APT systems are what are used in the industry.  DoD units create partnerships with security companies like HP, McAfee, Symantec, Tenable, Rapid7, Metasploit, Mandiant and others to create continuous monitoring solutions for their organizations.

HP Enterprise Security Products

HP Enterprise Security addresses the following categories when looking at continuous monitoring:

Manage Assets
Manage Accounts
Manage Events
Security Lifecycle Management

The HP products covering these items include, but are not limited to:

ArcSight Enterprise Security Manager
ArcSight Logger
HP TippingPoint

McAfee

McAfee has a suite of products to address continuous monitoring:

McAfee Vulnerability Manager
McAfee Enterprise Security Manager
McAfee Enterprise Log Manager
McAfee Global Threat Intelligence
McAfee ePO

Symantec

Symantec Control Compliance Suite
Symantec Control Compliance Suite Virtualization Security Manager

Continuous monitoring controls

Realistically, all implemented and assessed controls are important to continuous monitoring since it is the process of actively checking all security controls.  But there are some security control families that are notable when it comes to continuous monitoring implementation.  These include "Security Assessment and Authorization", "Configuration Management", "Risk Assessment" and "Incident Response".  CA-7 specifically mentions continuous monitoring:

CA-7 CONTINUOUS MONITORING
Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;

An organization-wide approach to continuous monitoring of information and information system security supports risk-related decision making at the organization level (Tier 1), the mission/business processes level (Tier 2), and the information systems level (Tier 3).

Why is DIARMF Information Security Continuous Monitoring (ISCM) important?

For federal systems, continuous monitoring is not
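As an added example that is not part of the original post, the Python below reads SCAP results in the XCCDF 1.2 format (the kind of output a scanner such as ACAS or the HBSS Policy Auditor agent publishes) and turns them into the per-host compliance score and prioritized findings list that a CMRS-style dashboard shows. The XML is constructed sample data with invented host names and rule ids; the namespace and element names are the real XCCDF 1.2 ones.

```python
"""Added example, not from the original post: reading SCAP (XCCDF 1.2) scan
results and scoring each host the way a CMRS-style dashboard would. The XML
is constructed sample data; namespace and element names are real XCCDF 1.2."""
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}
PASSED = {"pass", "fixed"}                                  # check verified compliance
EXCLUDED = {"notapplicable", "notselected", "notchecked", "informational"}  # not scored

# Constructed sample: one TestResult per scanned host; hosts and rule ids are invented.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark_stig">
 <TestResult id="xccdf_sample_testresult_host01"><target>host01.example.mil</target>
  <rule-result idref="xccdf_sample_rule_av_signatures_current" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_sample_rule_firewall_enabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_smartcard_required" severity="medium"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_sample_rule_audit_enabled" severity="low"><result>pass</result></rule-result>
 </TestResult>
 <TestResult id="xccdf_sample_testresult_host02"><target>host02.example.mil</target>
  <rule-result idref="xccdf_sample_rule_av_signatures_current" severity="high"><result>pass</result></rule-result>
  <rule-result idref="xccdf_sample_rule_firewall_enabled" severity="medium"><result>error</result></rule-result>
 </TestResult>
</Benchmark>"""

def parse_results(xml_text):
    """Return {target: [(rule_id, severity, result), ...]} for every TestResult."""
    hosts = {}
    for tr in ET.fromstring(xml_text).iter(NS + "TestResult"):
        hosts[tr.findtext(NS + "target")] = [
            (rr.get("idref"), rr.get("severity", "unknown"), rr.findtext(NS + "result"))
            for rr in tr.findall(NS + "rule-result")]
    return hosts

def compliance(rows):
    """Percent of scored checks that passed; None when nothing was scored.
    'error' and 'unknown' count as not passed: the check did not verify anything."""
    scored = [r for _, _, r in rows if r not in EXCLUDED]
    if not scored:
        return None
    return round(100.0 * sum(r in PASSED for r in scored) / len(scored), 1)

def open_findings(hosts, min_severity="low"):
    """Unpassed checks at or above min_severity, highest severity first, so the
    dashboard surfaces the highest-priority items for response."""
    findings = [(target, rule, sev) for target, rows in hosts.items()
                for rule, sev, result in rows
                if result not in PASSED and result not in EXCLUDED
                and SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f[2]])
```

`compliance(parse_results(SAMPLE_RESULTS)["host01.example.mil"])` gives 66.7 because the notapplicable rule is left out of the denominator, while host02's errored check drags it to 50.0.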
