Module 01 Content

For the first part of your project, you have been given a partial audit, performed by a NASA Blue Team. This audit was part of their Certification and Authorization (C&A) process to ensure Country Roads Space Systems (CRSS) has authorization to operate as a 3rd party entity to NASA and allowed to work with NASA assets. The C&A process includes a line-by-line review of all security controls identified within NIST 800-53b documentation, and their sub-sections. During the initial review process, NASA reviewed the existing security controls employed by CRSS and evaluated their compliance to the identified security controls. All items that were found to be non-compliant are documented for review, and a Plan of Action & Milestones (POAM) document was generated as a guideline to correct or evaluate any exemptions found in the initial C&A audit.
CRSS_InitialPOAM.xlsx

You will be responsible for reviewing the POAM and familiarizing yourself with the findings. However, you will only be responsible for auditing two security controls that are found to be non-compliant for the audit that you will perform during this course. Please be aware that once you choose your two specific security controls in this Module, you will continue to build on your analysis of these two controls throughout this course. Therefore, you should be take time to consider which controls you choose. In addition, for your two choices, you must choose:
- One security control from the group of IA-2, IA-3 or IA-5. (NOTE: IA-5 is a common control that often requires remediation in actual security settings. Student who choose IA-5 will be presented with a challenge, but will also find greater documentation when researching remediation.)
- One other security control from the group of AC-5, PE-13, RA-5.
- For your Module One Project, start by taking the time to familiarize yourself with the POAM and understand how various systems are evaluated against a common set of compliance frameworks. Study the controls in the POAM and review them against NIST and COBIT frameworks for similar type of controls. In addition, review these security controls against the standards in ISO 27000.Take note on how security controls can be met in diverse ways and still meet overall compliance. With your review of these controls and standards complete, you should feel confident in picking two security control identified in the POAM listed as being compliant. As part you audit, you should also review the company’s network. Please review the CRSS Network Diagram.
  CRSS Network Diagram.pptx
  
  NOTE: The various frameworks are usually very similar, though differences exist relevant to their industry focus. ISO 27000 and COBIT are meant to focus on private sector compliance, while NIST is focused on public sector.
  
  You can review each framework at:
  NIST
  COBIT
  ISO 2700
  
  For this week, you will use the IA security control you chose and in a brief report address the following:
- Explain the significance of this control and, in your own words, how it protects CRSS and NASA assets. Do you agree with the assessment of the vulnerability described in Column E “Weakness Description”?
- Next, look up your IA security control in NIST and summarize the NIST standard for one of your controls.
- Now find the similar standards in ISO27000 and COBIT. Once you find references to security controls that that are closest to the security controls you chose in ISO27000 and COBIT, write a brief explaining the similarities and/or differences between the three standards with regard to one of your security controls.
- Highlight if you think NIST is the most appropriate set of regulations for CRSS, when compared to the other standards. Which do you this is the most appropriate standard?
- Do you agree with how the control is remediated in Column K “Overall Remediation Plan”? If so, explain why. If not, please provide an alternative to the Overall Remediation Plan.
- Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.