Jul 27

Training: FISMA Continuous Monitoring: Build Your Information Security Continuous Monitoring (ISCM) Program

From: Digital Government Institute

August 28 – August 29, 2012

Office of Management and Budget (OMB), Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) are placing increased emphasis on implementing an effective “information security continuous monitoring (ISCM) program” for all government and contractor run IT systems. This will be accomplished by DHS and OMB increasing the annual FISMA reporting requirements and NIST issuing NIST Special Publications (SP):

This seminar is about getting onboard with these requirements and meeting the ISCM challenges for your systems. This will be accomplished through real case studies from the government and commercial sectors, using strategies that are successfully used in all security sectors, including healthcare, energy, military, manufacturing, distribution and even entertainment. Learn where proven casino security techniques can improve the security of government systems.

What are the most effective and efficient ways to meet these new ISCM requirements? What strategies and tools are available to support a seamless implementation of these requirements into your IT systems, and which will be most effective for your system and organizational culture? All of these questions will be answered during this workshop by experts who have supported the implementation of security in over 200 government and contractor-run IT systems. After the course, attendees will:

  • Make decisions based on the Rules, Reality and the Risk;
  • Understand the new FISMA requirements for ISCM;
  • Know how to define “Near-Real-Time” monitoring and meet FISMA reporting requirements;
  • Learn the various strategies and tools available to support this requirement;
  • Create a tailored continuous monitoring program for their organization;
  • Know the difference between SCAP and SIEM and their uses;
  • Determine “How much security is enough?”;
  • Seamlessly integrate continuous monitoring efforts into their existing operations and organizational culture; and
  • Influence IT funding using continuous monitoring results.

Attendees will be provided with three example ISCM plans and approaches to review when developing their system-specific ISCM plans.

View the Seminar Agenda.

Read NIST’s Frequently Asked Questions on Continuous Monitoring

Featured Speakers

Kelley Dempsey, CISSP, Senior Information Security Specialist, National Institute of Standards and Technology will provide a NIST strategy and objectives overview for the New NIST Standards.

John Streufert, Director of the National Cyber Security Division, Department of Homeland Security (DHS), will provide the NIST FISMA ISCM reporting metrics and examples of actual successful implementations.

Who Should Attend

The intended audience for the course is chief information security officers (CISOs), IT system owners, project managers, information system security officers (ISSOs), system administrators and their staffs, and any individuals seeking to better understand how to maintain and monitor their IT security within the US Government.

  • Configuration management and control processes;
  • Security impact analyses on actual or proposed changes to information systems and environments of operation;
  • Assessment of selected security controls in information systems and controls inherited by those systems (i.e., common controls); and
  • Security status reporting to appropriate organizational officials.

Learning Objectives

The learning objectives for this 2-day, manager- and operations-level course are broad ranging and cover a number of concepts, including understanding the:

  • New FISMA and NIST continuous monitoring requirements;
  • Updated DHS reporting requirements and the relationship to ISCM;
  • Components of an effective information security continuous monitoring program;
  • Rules, Reality, Myths, and Risks;
  • How to make risk decisions on how much and how frequently to monitor;
  • SCAP GOTS and COTS solutions (like security information and event management (SIEM)) available to support an information security continuous monitoring program;
  • Strategies for creating and implementing an effective program; and
  • Ways to use the results of their information security continuous monitoring to influence funding and resources.

Earn PDUs / CPEs

  • PMI® PMPs will earn 11 PDUs for attending this Training Seminar (approval pending)
  • SSCP, CISSP, ISSEP, ISSMP, ISSAP, CSSLP or CAP credential holders from (ISC)2 can receive 11 Continuing Professional Education (CPE) credits. Credential holders must enter their CPE credits in the usual manner on the (ISC)2 website.
  • CISA, CISM, CRISC and CGEIT credential holders from ISACA can earn 11 CPE credits. (Any course that pertains to at least one of the job practice areas of the certification will qualify for CPEs. It is up to the certified person to determine if the course or activity qualifies for CPE.)

Attendees will receive a Certificate of Completion as a result of their seminar participation.

What Attendees will Receive

  • Course Notebook / Training Materials
  • A copy of the book Know Cyber Risk by Jim Litchko and Al Payne
  • A copy of the current Office of Management and Budget FISMA guidance
  • Continental Breakfast and Lunch
  • Certificate of Completion

Why Attend?

Explore in a vendor-neutral, interactive academic setting how to effectively meet the new OMB and NIST requirements for information security continuous monitoring, use automated tools in your organization, and increase the security of your IT systems.

For more information

For more information on attending this hands-on seminar, email us: info@digitalgovernment.com.
