March 8, 2022 virtual chapter meeting
Agenda
6:00PM – 6:15PM: Chapter Updates
6:15PM – 7:30PM: speaker - Please, Just Tell Me What to Do: Building Cloud Products for Federal Agencies – Using NIST to Shift Compliance Left, by Robin Basham
7:30PM - 8:00PM: Member Round Table - Start with introductions. What is everyone up to? How is everyone doing?
Speaker: Please, Just Tell Me What to Do: Building Cloud Products for Federal Agencies – Using NIST to Shift Compliance Left, by Robin Basham
Abstract: Vendors and consultants working with Federal Agencies are required to build secure products and services, tagged to their associated commonly defined security controls (outcomes), and to do so using a cybersecurity framework mapped to common cybersecurity-related responsibilities. The most common set of categorized outcomes (a.k.a. control families or control objectives) is the security controls in NIST SP 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations.
People often confuse the NIST RMF requirement with the implementation of the SP 800-53 security and privacy controls catalog. This discussion reinforces what "NIST compliance", meaning the RMF, is all about.
NIST guidance offers protection measures that address threats to US critical infrastructure and the continuity of our government.
If you want to build cloud products for Federal Agencies, you had better be prepared to understand what the NIST RMF is all about.
About the speaker: Owner of EnterpriseGRC Solutions; President, ISC2 East Bay; Certified Information Systems Security Professional (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC NA); ICT GRC expert and early adopter in both certifying and offering certification programs for Cloud Security and Virtualization (CRP, VRP), with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering the product for and running two governance software companies, and past Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Recently full time at Cisco as Sr. Unified Compliance and ISMS Program Manager, Robin currently provides research and training content to major cybersecurity vendors, leads LSHC in support of three MDM clients, and donates substantial time to supporting social platform security to further social democracy. Robin contributed a mapping refresh for NIST 171/172 to Dr. Ron Ross and Victoria Yan Pillitteri's FISMA team and led the CCM v4.2 to NIST 800-53r5 working group. She is also a past board member of the ISACA SV Chapter. As a lifetime achievement, Robin has convinced over 500 people to stand up and speak on topics involving security and technology.
Pre-registration required
Where: online Zoom webinar
When: March 8, 2022 06:00 PM Pacific Time
Pre-registration: https://us06web.zoom.us/webinar/register/WN_WXxkaD9SRXOgZzp66YcqcA
Calendar: iCal download, Google Calendar or scan QR code image
Pre-registration is required. Registration ends automatically at the scheduled start time.
After registering, you will receive a confirmation email containing information about joining the meeting.
In order to process CPEs (Continuing Professional Education points) for members, please double check your (ISC)² member number is entered correctly.
We will use Zoom's webinar attendance report to compute attendees' CPEs. To get the full 2 CPEs for the meeting requires attendance from the scheduled start time to the end of the meeting. Late arrivals and/or early departures will receive CPEs based on minutes attended, rounded down to 0.25 CPE increments.
If you need to self-submit your CPEs for any reason (such as not entering an (ISC)² member number), use 1 CPE per hour in 0.25 CPE increments for the portion of the 2 hours you attended. If the meeting ends before 2 hours, full attendance still counts for 2 CPEs.
Resources provided by the speaker
Content referenced this evening is further expanded at
https://www.enterprisegrc.com/grc-blog/nist-171-compliance-the-nist-special-publication
Quick Start Guides (QSG) for the RMF Steps
Download RMF QSG: Prepare Step FAQ (.pdf)
Download RMF QSG: Categorize Step FAQ (.pdf)
Download RMF QSG: Select Step FAQ (.pdf)
Download RMF QSG: Implement Step FAQ (.pdf)
Download RMF QSG: Assess Step FAQ (.pdf)
Download RMF QSG: Authorize Step FAQ (.pdf)
Download RMF QSG: Monitor Step FAQ (.pdf)
Download RMF QSG: ALL FAQs (.zip)
Download RMF QSG: Roles and Responsibilities (.pdf)
FIPS Publication 140-2 Security Requirements for Cryptographic Modules [FIPS 140-2]
NISTIR 8212 ISCMA: An Information Security Continuous Monitoring Program Assessment
NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems [SP 800-18]
NIST SP 800-30 Risk Management Guide for Information Technology Systems [NIST SP 800-30]
NIST SP 800-34 Contingency Planning Guide for Federal Information Systems [SP 800-34]
NIST SP 800-53r5 Recommended Security Controls for Federal Information Systems [SP-800-53]. ALSO: get the OSCAL for 800-53 Rev 5 and 800-53B - don't do this stuff by hand. OSCAL from GitHub
NIST SP 800-61 Rev 2 Computer Security Incident Handling Guide [SP 800-61]
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
NIST SP 800-145 A NIST Definition of Cloud Computing [SP 800-145]