Security Compliance Posture Monitoring and Reporting at the IRS
Security Compliance Posture Monitoring and Reporting (SCPMaR) The Department of Treasury, Internal Revenue Service (IRS) required an integrated security compliance posture monitoring and reporting solution that will provide the IRS with the ability to monitor, measure, and manage the Federal Information Security Management Act (FISMA) compliance of its implemented technical security controls, enterprise-wide. The scope of SCPMaR Project is aligned with IRS Strategic Goals of Modernize the IRS Through Its People, Process, and Technology. The Associated Objectives of: Modernize information system to improve service and enforcement and Ensure the safety and security of people, facilities and information systems.
1. The solution shall monitor and measure the effectiveness of IRS implementation of mandated security controls (i.e. security configuration benchmarks) on computing assets, enterprise-wide, and in a timely manner.
2. Manage security configurations throughout the system life cycle by assessing and reporting the level of compliance with IRS and US Government standard technical security controls.
3. Use NIST-defined Security Content Automation Protocol (SCAP). Operational capabilities:
4. Automate the security compliance assessment and reporting processes to reduce the level of effort in coordination and execution, across the enterprise.
5. Facilitate the risk management process by verifying that computing assets operate within the established security configuration baselines and identify risks at the appropriate level of abstraction.
6. Support IRS change control processes by assisting the authorized organizations to define and maintain baseline security configurations with risk commensurate deviations throughout the system life cycle. Import/Integration capabilities:
7. Integrate with IRS’s existing IT computing infrastructure which operates in a geographically diverse environment and consists of approximately:
- 120,000+ Windows desktop workstations and laptops
- 1,000+ Windows-based servers running Windows 2000 Server
- 3,000+ Windows-based servers running Windows 2003 (x-32 and x-64 bit platforms)
- 1,000+ Unix-based servers running Solaris 8, 9, and 10
- 300+ UNIX-based servers running Red Hat Enterprise Linux 4 and 5
- 100+ UNIX-based servers running HP-UX 11 and IBM AIX 5.2
Most of the servers are located in 3 geographically diverse enterprise computing centers (ECC) and 10 campuses. The desktop workstations and laptops are located in across 600 post-of-duty stations (PODs) throughout the U.S. and overseas.
8. Import or integrate data from existing IRS platforms, systems and tools including but not limited to:
- Import a list of identified vulnerabilities generated from ISS Internet Scanner (Version 7.x or most current release) and Nessus (Version 3.x or most current release).
- Import a list of required security patches specified by IRS or US-CERT.
- Integrate with IRS Directory Service (DS) (i.e., Microsoft Active Directory Service) and IRS Employee User Portal (EUP) (i.e., SiteMinder) for user authentication.
- Integrate with NetIQ Group Policy Administrator.
- Integrate with Altiris Patch Manager and Sun N1 Patch Manager.
9. Provide FISMA compliance reports in accordance with OMB M-07-19 and Federal Desktop Core Configuration (FDCC) compliance report as defined in OMB-M-07-11 using NIST-defined FDCC reporting format.
Our Support included the following activities:
- End-to-end technical and business integration expertise
- PMO Support
- SA&A support
- Project Interfaces
- Documentation Support (FISMA, ELC, SA&A)
- Leadership, guidance, and direction of project team activities
- Coordination and execution of meetings and conference calls with project team and/or stakeholders
- Project Management Plan
- Master Schedule / WBS maintenance and tracking
- Timely delivery of services and documents
- Provide Reports, Facilitate Meetings and Prepare Presentations
- Communications Planning and Support
- Concept of Operations (CONOPS), Disaster Recovery, Contingency Planning