Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Everything I think I understand about IT compliance

Everything I think I understand about IT compliance

A talk about the Authority to Operate process and general IT compliance at 18F. Video: https://www.youtube.com/watch?v=-Nc4GXPxpQg&index=1&list=PLd9b-GuOJ3nG5zDAg7exOHusZKVVrkhjO


Aidan Feldman

July 26, 2016

More Decks by Aidan Feldman

Other Decks in Technology


  1. Everything I think I understand about IT compliance Aidan Feldman

  2. 1 2 3 The Who’s The What’s What’s Happening

  3. I might have a lot of this wrong *

  4. The Who’s

  5. CIO Chief Information Officer

  6. David Shive GSA CTO

  7. OCIO Office of the Chief Information Officer

  8. OCIO GSA IT Office of the Chief Information Officer http://www.gsa.gov/ocio

  9. CISO Chief Information Security Officer

  10. OCISO Office of the Chief Information Security Officer

  11. AO Authorizing Official

  12. 18F ATO chain of command 1. Denise Turner Roth (GSA

    Administrator) 2. ??? 3. Phaedra Chrousos (head of TTS) 4. Aaron Snow (head of 18F) 5. Noah Kunin (18F Director of Infrastructure)
  13. The What’s

  14. FISMA Federal Information Security Management Act of 2002

  15. FISMA requires each federal agency to develop, document, and implement

    an agency-wide program to provide information security for the information and information systems...of the agency http://csrc.nist.gov/groups/SMA/fisma/faqs.html
  16. • Are any NIST standards forced on all agencies? Unknowns

  17. Security controls

  18. None
  19. None
  20. None
  21. None
  22. ATO Authority to Operate

  23. Unknowns • Where did “authority to operate” come from? •

    Is there anything stopping the Authorizing Official from saying yes to everything?
  24. FedRAMP Federal Risk and Authorization Management Program

  25. SSP System Security Plan

  26. Technical controls

  27. Operational controls

  28. Categorization

  29. http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf#page=27

  30. Why should you care?

  31. The Good News

  32. What’s Happening

  33. https://pages.18f.gov/before-you-ship/ato/

  34. https://compliance-viewer.18f.gov

  35. FedRAMP LISaaS FedRAMP Low-Impact SaaS

  36. CM Compliance Masonry

  37. https://github.com/18F/cg-compliance/blob/master/opencontrol.yaml

  38. (ok, you can breathe now)

  39. Questions? #compliance