Areas of BSA Assistance
- Oregon cyber security framework - Statewide Information and Cyber Security Standards (NIST 800-53 r5, pdf and excel doc), Statewide Information Security Plan, and Statewide Policies.
- Third-party contract review - CSS reviews Requests for Proposal (RFPs) and Requests for Quote (RFQs), new contracts/amendments/renewals – Security Language, IT Rider (for vendor contracts only), security requirements, and other vendor documentation.
- IT Rider for vendor contracts - The IT Rider incorporates State of Oregon security requirements into a pre-existing vendor contract (e.g., standard SaaS offering). Already vetted and approved by DAS-PS, CSS and DOJ.
- Information requests - CSS will verify that vendors are using sound security practice by requesting: certifications of hosting environments and applications (e.g., FedRAMP, StateRAMP, ISO, etc.), third-party audits SOC 2 Type-2 reports, hosting solution information, System Security Plan, DR and vendors logging and retention.
- SOC 2 Type 2 reports - These reports will typically be requested when the system falls into the Moderate and Moderate Plus systems categories
BSA System Categories
BSA system categories fall into three groups: low, moderate, and moderate plus. These categories are based on factors such as state data classification and data/system need.
- A low system category includes level 1 or level 2 classified data or systems, and is usually published data.
- A moderate system category includes level 3 classified data or systems, can be mission-critical systems at lower data classification levels, and is typically restricted or regulated data.
- A moderate plus system category encompasses level 4 classified data or systems, and is typically considered critical.
BSAs and Regulated Data
- Our state agencies have a lot of regulated data (e.g. HIPAA, FTI, FERPA, CJIS, etc.). BSA’s assist in determining appropriate security controls are in place to protect the data.
- When regulated data is not involved, determining appropriate data levels can often be ambiguous to state agencies. BSA’s assist in determining the appropriate data level and security controls. For more information, see the Statewide Information Asset Classification policy.
StateRAMP
Oregon is looking to adopt the StateRAMP vendor authorization process.
- StateRAMP represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. StateRAMP works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity.
- StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 5 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
- Please visit the StateRAMP Frequently Asked Questions page for more information.
What does StateRAMP in Oregon mean for agencies?
- Streamlined RFP’s/RFQ’s and contracting for procurement and identifying a safe and secure vendor.
- Oregon’s current Statewide Information and Cyber Security Standards are modeled after NIST 800-53 r5 already, but there’s no real security audit or assessment done prior to procuring...StateRAMP would provide that assurance and on going monitoring.
Takeaways
- Communicate with CSS early and often
- Make sure all appropriate agency personnel (business, IT, etc.) are involved
- Be aware there are important cyber security elements for IT investments (third party audits, etc.)
- For general security questions, please email eso.info@das.oregon.gov