Everything I think I understand about IT compliance

Transcript

1. Everything I think I understand about IT compliance Aidan Feldman

2. 1 2 3 The Who’s The What’s What’s Happening

3. I might have a lot of this wrong *

4. The Who’s

5. CIO Chief Information Officer

6. David Shive GSA CTO

7. OCIO Office of the Chief Information Officer

8. OCIO GSA IT Office of the Chief Information Officer http://www.gsa.gov/ocio

9. CISO Chief Information Security Officer

10. OCISO Office of the Chief Information Security Officer

11. AO Authorizing Official

12. 18F ATO chain of command 1. Denise Turner Roth (GSA

    Administrator) 2. ??? 3. Phaedra Chrousos (head of TTS) 4. Aaron Snow (head of 18F) 5. Noah Kunin (18F Director of Infrastructure)

13. The What’s

14. FISMA Federal Information Security Management Act of 2002

15. FISMA requires each federal agency to develop, document, and implement

    an agency-wide program to provide information security for the information and information systems...of the agency http://csrc.nist.gov/groups/SMA/fisma/faqs.html

16. • Are any NIST standards forced on all agencies? Unknowns

17. Security controls

18. None
19. None
20. None
21. None

22. ATO Authority to Operate

23. Unknowns • Where did “authority to operate” come from? •

    Is there anything stopping the Authorizing Official from saying yes to everything?

24. FedRAMP Federal Risk and Authorization Management Program

25. SSP System Security Plan

26. Technical controls

27. Operational controls

28. Categorization

29. http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf#page=27

30. Why should you care?

31. The Good News

32. What’s Happening

33. https://pages.18f.gov/before-you-ship/ato/

34. https://compliance-viewer.18f.gov

35. FedRAMP LISaaS FedRAMP Low-Impact SaaS

36. CM Compliance Masonry

37. https://github.com/18F/cg-compliance/blob/master/opencontrol.yaml

38. (ok, you can breathe now)

39. Questions? #compliance