Training and Continuing Education at ACSAC

ACSAC offers several opportunities to help you maintain your professional certification: technology tutorials, the ACSAC technical program, and our FISMA training track. For all of these, ACSAC provides sufficient evidence to support Continuing Professional Education (CPE) credit claims:

  • For formal ACSAC tutorials and training with pre-registration, ACSAC will provide printed certificates of completion indicating the number of hours of training.
  • For the ACSAC technical program, a copy of the final program, the attendance roster, and the registration receipt are your evidence.*

Notes will be printed for people that have registered a week or more before the conference. PDF file(s) of notes will be mailed (on request) to people who did not register a week or more before the conference.

ACSAC technology tutorials and the ACSAC technical program (including the ACSAC FISMA training track) are a great way to meet CPE requirements!


ACSAC 2010 FISMA Training Track

The Joint Task Force Transformation Initiative Interagency Working Group with representatives from the Civil, Defense, and Intelligence Communities is an ongoing effort to produce a unified information security framework for the U.S. Federal government including a consistent process for selecting and specifying safeguards and countermeasures (i.e., security controls) for federal information systems. The Initiative has addressed the transition from periodic Certification & Authorization to continuous risk management, and Integrated Enterprise-Wide Risk Management. ACSAC is very pleased to host training by the authors of several related foundational NIST guidance publications.

ID   | Title                                                                  | Instructor       | Scheduled
-----|------------------------------------------------------------------------|------------------|-------------------------------------------
TR1  | Cyber Security Controls: NIST SP 800-53 rev 3 & CNSS 1253              | Kelley Dempsey   | Wed, 10:30-12:00 & 13:30-15:00
TR2  | Near Real-Time Risk Management Process: NIST SP 800-37                 | Pat Toth         | Wed, 15:30-17:00 & Thu, 10:30-12:00
TR3  | Integrated Enterprise-Wide Risk Management: NIST SP 800-39             | Marshall Abrams  | Thu, 13:30-15:00 & 15:30-17:00
TR4  | Risk Assessments for Information Technology Systems: NIST SP 800-30    | Pete Gouldmann   | Fri, 8:30-10:00 & 10:30-12:00

In addition to the Training Track, which is scheduled as part of ACSAC, the technology tutorials are offered on the Monday and Tuesday before ACSAC.


Training TR1 – Cyber Security Controls: NIST SP 800-53 Rev3 & CNSSI 1253

Kelley Dempsey, National Institute of Standards and Technology

Wednesday, December 8th, 10:30-12:00 & 13:30-15:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), recently updated Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. This historic publication contains, for the first time, a unified set of security controls for both non-national-security and national security systems. This session provides an overview of the unified security control catalog and the security control selection process described in NIST SP 800-53, Revision 3, as well as an introduction to CNSS Instruction 1253, the publication that provides implementation guidance for the national security community using SP 800-53.

Prerequisites

None

About the Instructor

Kelley Dempsey began her career in information technology in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management throughout the 1990s. While employed by the Department of the Navy in 1999, she began focusing on information system security by training for and conducting large-scale DITSCAP system accreditations from start to finish. Kelley and her husband moved to the DC area from California in the spring of 2001, and Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008. Kelley joined the NIST Computer Security Division FISMA team in October 2008 and is a co-author of NIST SP 800-128, Security Configuration Management (draft), and the upcoming NIST SP 800-137, Continuous Monitoring Guidance (working title only). Kelley has also been a major contributor to NIST SPs 800-53 Rev 3, 800-37 Rev 1, and 800-53A Rev 1. Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003, and maintains a CISSP certification earned in June 2004.


Training TR2 – Near Real-Time Risk Management Process: NIST SP 800-37

Patricia Toth, National Institute of Standards and Technology

Wednesday, December 8th, 15:30-17:00 & Thursday, December 9th, 10:30-12:00

The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), recently updated Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (formerly the security certification and accreditation guideline). The revised publication transforms the traditional static, stovepiped certification and accreditation process into a process that supports near real-time risk management. This session describes how the process of certification and accreditation is integrated into the Risk Management Framework, and focuses on the continuous monitoring of security controls to determine the security state of organizational information systems and environments of operation.

Prerequisites

None

About the Instructor

Patricia Toth is a Computer Scientist in the Computer Security Division at the National Institute of Standards and Technology. She graduated from the State University of New York Maritime College with a bachelor's degree in Computer Science and Math. Pat served on active duty with the U.S. Navy at the Naval Security Group Activity, Fort Meade, Maryland. Pat has worked on numerous documents and projects during her 18 years at NIST, including the Common Criteria and the Common Criteria Evaluation Program, and has served as Program Chair for the National Computer Security Conference. Most recently she has worked with the FISMA team to produce the family of FISMA documents and has produced a series of Quick Start Guides covering the Risk Management Framework.


Training TR3 – Integrated Enterprise-Wide Risk Management Organization, Mission, and Information System View: NIST SP 800-39

Dr. Marshall D. Abrams, The MITRE Corporation

Thursday, December 9th, 13:30-15:00 & 15:30-17:00

Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Risk related to the operation and use of information systems is one of many components of organizational risk that senior leaders address as a routine part of their ongoing risk management responsibilities. Effective risk management requires that organizations operate in a highly complex and interconnected world using state-of-the-art and legacy information systems, systems that organizations depend upon to accomplish critical missions and to conduct important business-related functions. Special Publication 800-39 is the flagship document in the series of FISMA publications and provides a structured yet flexible approach for managing that portion of risk resulting from the operation and use of information systems to support the missions and mission/business processes of organizations. This session will examine the Special Publication 800-39 guidelines for an integrated, enterprise-wide approach to managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems.

Prerequisites

None - Open to anyone interested in increasing their understanding of Risk Management.

About the Instructor

Dr. Marshall D. Abrams is a Principal Scientist at the MITRE Corporation in McLean, Virginia. He holds two patents and has authored many documents addressing cyber security. He has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the University of Pittsburgh. While at the National Bureau of Standards he received the Department of Commerce Silver Medal Award. He received two awards from the Federal Aviation Administration for contributions to the Information Systems Security Program. He is a Senior Life Member of the IEEE and has been honored with the IEEE Computer Society Golden Core award. He is also a Senior Fellow of the Applied Computer Security Associates. Marshall has been involved with the NIST FISMA Implementation Project since its inception.


Training TR4 – Risk Assessments for Information Technology Systems: NIST SP 800-30

Pete Gouldmann, U.S. Department of State

Friday, December 10th, 8:30-10:00 & 10:30-12:00

Prerequisites

None - Open to anyone interested in increasing their understanding of Risk Assessment.

About the Instructor

Mr. Peter Gouldmann is the Department of State Liaison to the National Institute of Standards and Technology (NIST) and Co-Chair of the Permanent Subcommittee to the Committee for National Security Systems (CNSS). As a Supervisory Information Technology Specialist in the Office of Information Assurance, Mr. Gouldmann has served as Risk Officer, Chief of Systems Authorization, and Security Architect. Over the past 32 years, Mr. Gouldmann has held IT and IT-security leadership positions within the Department of State, the private sector, and the United States Air Force. He holds a Master's degree in Information Management from Syracuse University and is a distinguished graduate of the National Defense University's Advanced Management Program. Mr. Gouldmann has been awarded the CIO certificate in Federal Executive Competencies from the CIO University, and holds the Certified Information Systems Security Professional (CISSP) credential.