Areas of BSA Assistance
- Oregon cyber security framework - Statewide Information and Cyber Security Standards (NIST 800-53 r5, pdf and excel doc), Statewide Information Security Plan, and Statewide Policies.
- Third-party contract review - CSS reviews Requests for Proposal (RFPs), Requests for Quote (RFQs), and new contracts/amendments/renewals for security language, the IT Rider (vendor contracts only), security requirements, and other vendor documentation.
- IT Rider for vendor contracts - The IT Rider incorporates State of Oregon security requirements into a pre-existing vendor contract (e.g., standard SaaS offering). Already vetted and approved by DAS-PS, CSS and DOJ.
- Information requests - CSS will verify that vendors are using sound security practices by requesting: certifications of hosting environments and applications (e.g., FedRAMP, GovRAMP, ISO), third-party audits (SOC 2 Type 2 reports), hosting solution information, the System Security Plan, disaster recovery (DR) plans, and vendor logging and retention practices.
- SOC 2 Type 2 reports - These reports will typically be requested when the system falls into the Moderate or Moderate Plus system category.
BSA System Categories

BSA system categories fall into three groups: low, moderate, and moderate plus. These categories are based on factors such as state data classification and data/system need.
- A low system category includes level 1 or level 2 classified data or systems, and is usually published data.
- A moderate system category includes level 3 classified data or systems, can be mission-critical systems at lower data classification levels, and is typically restricted or regulated data.
- A moderate plus system category encompasses level 4 classified data or systems, and is typically considered critical.
BSAs and Regulated Data
- Our state agencies hold a lot of regulated data (e.g., HIPAA, FTI, FERPA, CJIS). BSAs assist in determining that appropriate security controls are in place to protect the data.
- When regulated data is not involved, determining the appropriate data level can often be ambiguous for state agencies. BSAs assist in determining the appropriate data level and security controls. For more information, see the Statewide Information Asset Classification policy.
GovRAMP
Oregon is looking to adopt the GovRAMP (formerly StateRAMP) vendor authorization process.
- GovRAMP represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. GovRAMP works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity.
- GovRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 5 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, GovRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
- For updates about Oregon's implementation of GovRAMP, current trainings, and material, please visit the State of Oregon GovRAMP Program Page. Additionally, see the GovRAMP Frequently Asked Questions page for more general information.
What does GovRAMP in Oregon mean for agencies?
- Streamlined RFPs/RFQs and contracting for procurement, and a clearer path to identifying a safe and secure vendor.
- Oregon's current Statewide Information and Cyber Security Standards are already modeled after NIST 800-53 r5, but no real security audit or assessment is done prior to procuring. GovRAMP would provide that assurance along with ongoing monitoring.
Takeaways
- Communicate with CSS early and often
- Make sure all appropriate agency personnel (business, IT, etc.) are involved
- Be aware there are important cyber security elements for IT investments (third party audits, etc.)
- For general security questions, please email eso.info@das.oregon.gov