MUTUAL INFORMATION SECURITY TEST AND EVALUATION
MISST&E
REPORT
Version 1.0
March 2003
by
Flint
Enterprises Incorporated
7653 North Station East, Arlington, Virginia
Prepared for
Radio Free Asia
TABLE OF CONTENTS
1 EXECUTIVE SUMMARY
2 MISST&E PROCESS DESCRIPTION
3 SUMMARY RESULTS
4 CONCLUSION
APPENDIX A Letter Agreement
APPENDIX B Terms Of Reference / SRTM
APPENDIX C RFA Draft Final Report
APPENDIX D RFE/RL Final Report
APPENDIX E SAMPLE Penetration Test Plan Document
TABLE OF FIGURES
Figure 1 Distribution of SRTM Criteria
Figure 2 Ratification Of MISST&E Process
TABLE OF TABLES
Table 1 SRTM Numeric Data Summary
Table 2 Results of the MISST&E
In September 2002, Radio Free Asia (RFA) and Radio Free Europe / Radio Liberty (RFE/RL) agreed to participate in a Mutual Information System Security Test and Evaluation (MISST&E) process. The MISST&E involved penetration testing by information security personnel within RFA and RFE/RL. This document, which includes recommendations, outcomes and appendices, is the final report on this activity.
The MISST&E process was proposed and accepted as a methodology to determine system risks and vulnerabilities, with the additional goals of:
These additional benefits did not constrain the most important short-term goal, which remained the assessment of threats and vulnerabilities as risks.
One positive effect of presenting this MISST&E testing process was heightened security awareness. While developing the Agreement between the agencies, the respective staffs and CIOs immediately became aware of obvious needs for improvement in the information security function.
Although a modicum of testing was conducted by the agencies, this testing was too elementary and superficial to support an assessment of vulnerabilities and threats, and it cannot be the basis of analysis in a requirements-driven context. Several possible factors may have contributed to this outcome:
The assessment team recommends that a follow-up MISST&E penetration testing program be developed to complete vulnerability determinations, with these additional terms, conditions, and mutually acceptable requirements:
The MISST&E process originates in a method first described in the article Media Convergence Info Warfare in the trade journal Radio World (November 2000, page 19). That article prompted discussion with David Baden, which expanded in subsequent discussions at the National Association of Broadcasters Convention (NAB 2000). The Mutual Information System Security Test and Evaluation (MISST&E) methodology has thus been developed as a broadcast-industry method of penetration testing in which the following goals are accomplished:
Organizations, within a related field or business purpose, test each other’s data systems for security weaknesses.
RFA and RFE/RL have similar goals, objectives and security concerns. In establishing two teams from commonly structured organizations, each team is composed of information security personnel possessing similar backgrounds, experience and training. The objective of this goal is not to produce a group of random ‘hackers’; rather, it is to enhance the understanding of personnel in each organization of the types, methods and possible consequences of future attacks upon their own respective systems. With this knowledge, intruder response becomes more relevant and more timely to actual or attempted attacks, thereby optimizing defensive control.
Network Security and Administrative personnel in each case gain valuable experience in what tools and techniques are available to breach the prevailing Security Architecture.
Tools and techniques used to attack RFA and RFE/RL are expected to be similar because the results sought by an intruder will be similar. The valuable experience to be gained by information security personnel is the hands-on knowledge of the methodologies to be reasonably expected in the future from the perspective of both aggressor and defender.
Each organization, through preparation, testing and reviews, strengthens the defensive posture of its Networked Automated Information Systems.
The acts of preparation, testing and analysis of results develop a deeper appreciation of potential vulnerabilities by information security personnel in both RFA and RFE/RL. The objective of this goal is to establish the necessary nexus between penetration events and the security guidelines of the attached SRTM, and the interrelation between them in creating the most secure information protection of confidentiality, integrity and availability.
The Assessment Team developed a Security Requirements Traceability Matrix (SRTM) against which the testing was constrained. This matrix includes all relevant federal laws, regulations and guidelines which mandate, direct or recommend information assurance policies and procedures to protect the confidentiality, integrity and availability of information technology (IT) resources within a federal agency system. The SRTM has been scored as completely as possible using data from observation and team experience, as well as data from the limited testing conducted by the agencies. The scoring system consists of the following four categories:
The SRTM used in the risk assessment phase of this project is separated into two distinct tabular formats: Security Requirements and Security Considerations:
Requirements that are beyond the scope of this assessment, not applicable to the project, or undetermined through limited testing may be rated as N/A or UNK, with an explanation placed in the Comments and Observations column. Items that remain untested after the completion of the test period are rated Not Tested (NT) without further comment.
The two charts below summarize the SRTM results:
[Figure 1: two charts showing the distribution of SRTM criteria for RFA and RFE/RL. Source: SRTM, Appendix A.]
Note: Based upon a visual comparison of the SRTM results, there is no comparative difference in security posture between RFA and RFE/RL.
Figure 1 Distribution of SRTM Criteria
The table below quantitatively summarizes the SRTM-based test data:
Requirements Summary

| Subject | RFA | RFE/RL |
|---|---|---|
| Met | 116 | 112 |
| Not Met | 9 | 10 |
| Partially Met | 17 | 18 |
| Not Applicable | 37 | 37 |
| Not Tested | 184 | 186 |
| TOTAL Requirements | 363 | 363 |

Table 1 SRTM Numeric Data Summary
Our initial conclusion from this data is that, because of the large number of Not Tested (NT) requirements, a numerical scoring method must be discounted as inconclusive. Future testing should not be prejudiced by this result; rather, re-evaluation of the requirements and scoring is a reasonable remedial action.
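As an added example (not part of this report or of either agency's own tooling), the following Python script tallies SRTM ratings per organization, reproduces the Table 1 totals, and gates any numeric compliance score on how much of the matrix was actually tested; the M=1.0/PM=0.5/NM=0 weights, the 75% coverage threshold and the folding of an UNK rating into NT are assumptions of this example.

```python
"""SRTM rating tally and coverage-gated scoring.

Added example, not part of the MISST&E report: reproduces the Table 1 totals,
tallies a constructed sample of SRTM rows, and refuses to emit a numeric
compliance score when too few requirements were actually tested.
Assumptions (not from the report): the M=1.0/PM=0.5/NM=0 weights, the 75%
coverage threshold, and folding the report's "UNK" rating into NT.
"""
from collections import Counter
from dataclasses import dataclass

# Rating key as printed in the SRTM appendix.
VALID = {"M", "PM", "NM", "NA", "NT"}
# "N/A" appears in the prose; "UNK" (undetermined) is folded into NT (assumption).
ALIASES = {"N/A": "NA", "UNK": "NT"}


@dataclass(frozen=True)
class Row:
    reference: str  # citation column of the SRTM
    rfa: str        # RFA rating
    rferl: str      # RFE/RL rating


def normalize(rating: str) -> str:
    """Map a raw cell onto the five-value key; anything else is a data error."""
    value = rating.strip().upper()
    value = ALIASES.get(value, value)
    if value not in VALID:
        raise ValueError(f"unknown SRTM rating: {rating!r}")
    return value


def tally(rows, org: str) -> Counter:
    """Count ratings in one organization's column ('rfa' or 'rferl')."""
    return Counter(normalize(getattr(row, org)) for row in rows)


def coverage(counts: Counter) -> float:
    """Share of applicable (non-NA) requirements that received a real rating."""
    applicable = sum(counts.values()) - counts["NA"]
    rated = counts["M"] + counts["PM"] + counts["NM"]
    return rated / applicable if applicable else 0.0


def compliance(counts: Counter) -> float:
    """Weighted score over rated requirements only (weights are assumed)."""
    rated = counts["M"] + counts["PM"] + counts["NM"]
    return (counts["M"] + 0.5 * counts["PM"]) / rated if rated else 0.0


def verdict(counts: Counter, min_coverage: float = 0.75) -> str:
    """Gate the score on coverage: a high score over less than half the matrix says little."""
    cov = coverage(counts)
    if cov < min_coverage:
        return (f"inconclusive: {counts['NT']} of {sum(counts.values())} "
                f"requirements Not Tested (coverage {cov:.0%})")
    return f"score {compliance(counts):.0%} at {cov:.0%} coverage"


# Totals exactly as printed in Table 1 of the report.
TABLE1 = {
    "rfa":   Counter(M=116, NM=9,  PM=17, NA=37, NT=184),
    "rferl": Counter(M=112, NM=10, PM=18, NA=37, NT=186),
}

# Constructed sample: the first ten rows of the SRTM "Administrative" section,
# reduced to reference and ratings (requirement text omitted).
SAMPLE_ROWS = [
    Row("GISRA 3531(B)(3)", "M", "M"),
    Row("GISRA 3534(A)(3)(A)", "M", "M"),
    Row("NIST SP 800-18", "M", "M"),
    Row("375 DM 19", "PM", "PM"),
    Row("Local Rule", "M", "M"),
    Row("Local Rule", "NT", "NT"),
    Row("Local Rule", "M", "M"),
    Row("Local Rule", "M", "M"),
    Row("Local Rule", "NA", "NA"),
    Row("375 DM 19.9.A (6)", "NM", "NM"),
]

if __name__ == "__main__":
    for org, counts in TABLE1.items():
        print(f"{org}: total={sum(counts.values())} -> {verdict(counts)}")
    for org in ("rfa", "rferl"):
        sample = tally(SAMPLE_ROWS, org)
        print(f"{org} (sample of {len(SAMPLE_ROWS)} rows): {verdict(sample)}")
```

Run against the Table 1 totals both organizations come out "inconclusive" at roughly 44% coverage, while the small Administrative sample, where almost every row was rated, passes the gate and receives a score.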
The positive results of this exercise are detailed in the table below:
Table 2 Results of the MISST&E

| Positive Result | RFE/RL | RFA | Comment |
|---|---|---|---|
| Was Prime Directive Followed? | No negative side effects of testing on broadcast operations | No negative side effects of testing on broadcast operations | No operational errors or deficiencies were reported by either side during the test period. |
| Off-site attacks on external ISP-maintained web sites | No mis-targeting reported. Internal web sites probed. | No mis-targeting reported. Internal web sites probed. | Both organizations maintain web sites controlled by external ISPs and internal sites. |
| Benefits of Preparation for Attack | Installation of Security Monitoring Equipment | Maintenance of Security Monitoring Equipment | Monitoring system |
| Created Staff Awareness of and for Information Assurance and Security | Validation of switch design and MAC lockdown methodology | Validation of in-house monitoring operation, DMZ and Coyote LRP security method. | |
| Investigation of offensive tools | TBA | Tools exercised and studied during the attack phase included: nmap, nessus, nbtscan, fragroute, brutus, nikto, vomit and queso | |
| FTP Vulnerability | Discovered | Discovered | Acceptable risk in both cases |
| MISST&E Report Availability | STATE Inspector General and GISRA process can validate | STATE Inspector General and GISRA process can validate | Report represents an evaluation of security which appears to be within the IA doctrine |
In summary, the MISST&E Exercise was successful and of benefit to both organizations, although additional testing is appropriate for a complete risk and vulnerability assessment. Cost-effectiveness is evident in that two distinct systems can be assessed simultaneously with limited funding by either organization for outside information assurance testing personnel, and these expenditures are comparable with the assessment of a single information system.
Specifically, and incorporated in their final report, RFA recognizes the benefits of the MISST&E process, and acknowledges that additional testing with modifications, addressed above, would represent a valuable tool in their information assurance program.
RFA and RFE/RL were able to detect and comprehend the vulnerabilities inherent in their respective organizations’ file transfer protocol (FTP) services. A review of each system determined that the risk attendant to FTP was at an acceptable level for certification and for the operation/maintenance phase of the life cycle of each system.
The level of security for each organization was improved. RFA developed a greater appreciation for the function and security enhancement features of their Internet Threat Monitor (ITM) program, and RFE/RL purchased and installed an ITM system, which now is installed and operational.
Beyond the bilateral decision to install ThreatSmartSM Internet Threat Monitor (T-ITM) external IP monitoring, both the RFA and RFE/RL teams reviewed, prepared and enhanced their defensive postures.
Due to the nature of this report, the system security details described herein shall be light on specifics, as the system architecture of both facilities is security-sensitive and should not be disclosed to public sources. Should either party object to any disclosure contained in this section, such disclosure shall be excised prior to delivery and distribution.
That said, we should quickly review our general understanding of RFA and RFE/RL defensive security architecture.
Overall, note that both RFA and RFE/RL program transmission is maintained on a private network operated by the International Broadcast Bureau (IBB) as part of its mission. This facility, and the public destination web sites maintained on separate ISPs, were specifically excluded from the MISST&E process as part of the agreement (see APPENDIX A). Public origination access for both RFE/RL and RFA staff is handled in a decentralized way, bureau by bureau, each with common security architectural features. Our exercise in both cases related to testing the Security Architecture at the central offices. RFA maintains a central bureau in Washington DC, which enjoys 9 Mbps of a fractional T3, while RFE/RL maintains an aggregate capability of 15 Mbps in Prague, Czech Republic.
Both RFE/RL and RFA bureau offices maintain bridgehead server facilities located in a DMZ. These servers provide web, file transfer and mail services to the bureau networks. External service facilities at RFE/RL are based largely on Microsoft products but appear well maintained and currently patched, while the RFA DMZ facilities are Apache and Exim based with a similar level of excellent maintenance. The most remarkable contrast between these external facilities is the use of Cisco PIX firewalls at RFE/RL versus the firewall at RFA. The firewall in use at RFA is an open source software appliance that runs on commodity PC hardware and allows extensive configuration, including sshd, dhcp, forward and reverse proxy, and many other features. This single-floppy firewall, called Coyote Linux, operates from a write-protected boot floppy, and compromising it is considered most difficult. Many high-end security firms actively use this same single-floppy firewall technique.
In the case of RFA, the inside network is a private, non-routable switched fabric that makes extensive use of open source software in a most secure manner, while RFE/RL maintains a routable fabric with MAC validation for switch operation (and therefore network access). In both systems, authentication is multi-layered.
As detailed in Appendix B, the RFA staff report that they developed and tested numerous offensive tools; nmap, nessus, nbtscan, fragroute, brutus, nikto, and vomit are cited in their report. Knowledge of the sources and methods of external penetration tools is cited as valuable insight by the RFA test team. Funding constraints prevented witnessing RFE/RL activities Outside the Continental United States (OCONUS); however, we expect that similar results will be reported by the European team. A visit to the Washington DC offices of RFE/RL revealed both offensive and defensive preparations.
Through the use of the MISST&E we have been able to determine that two of the American Government's premier surrogate broadcast organizations are not subject to casual external penetration or to successful disruption of their activities through ordinary means. Whether extraordinary concentration or extreme methods would expose a vulnerability at either site, only subsequent testing can determine. The positive aspects of this test process, as summarized in Table I, speak to a good beginning, but information security is cyclic in implementation. As new staff and threats arrive at both of these institutions, there will remain a need to train and drill staff in the proper methods to maintain and enhance information security within their respective organizations and architectures. This first MISST&E has demonstrated remarkable value in enhancing security and should be considered a success.
One of the primary objectives of the MISST&E process is education and training of all parties involved in the testing exercises. This Assessment Team also undergoes a learning process each time the MISST&E is engaged between organizations. Observations can be made concerning potential improvements to the process, both internal and external to the participating organizations.
Although MISST&E was not fully applied in this project, the project remains successful in that it met goals relating to increased security awareness, demonstrated necessity for additional security hardware and services, and initial understanding of penetration processes by the participating organizations, RFA and RFE/RL. The following considerations are recommended in future testing using this process:
APPENDIX A Letter Agreement and Photo
On 19 September the following enabling document was signed:

Figure 2 Ratification Of MISST&E Process

Present (Left to Right)
19 September 2002.
(Photo by P Flint)
APPENDIX B Terms Of Reference / SRTM
LETTER AGREEMENT
This agreement is between the respective Chief Information Officers (CIOs) of Radio Free Asia and Radio Free Europe / Radio Liberty, expressly for the purpose of establishing a Mutual Information Security System Testing and Evaluation (MISST&E) capability. This MISST&E shall begin Friday, November the First (11/1/2002) at Midnight Greenwich Mean Time (GMT) and shall end at Midnight Wednesday, November Twenty Seventh (9/27/2002) two thousand two.
This agreement along with its attachments comprises the entire guideline for this testing and evaluation. Any modification or abrogation of this agreement shall take place upon mutual agreement of the parties undersigned below, documented by written codicil addition to this letter.
The goal of this mutual test and evaluation activity is to accomplish information assurance excellence for both agencies.
The objectives in developing this capability include:
The agreed-to test constraints and methodologies are included in this agreement as three attachments:
A report of the activities of the MISST&E shall be provided to both parties of this testing upon completion of the test and evaluation.
Signed and agreed to on this twenty-third day of September, two thousand two.
DAVID BADEN, Chief Information Officer, Radio Free Asia
________________________________
KENNETH MOREHOUSE, Chief Information Officer, Radio Free Europe
_________________________________
PRIME DIRECTIVE
Radio Free Asia and Radio Free Europe are organizations that subsist on professionally delivered programming and subsidiary services.
This test process explicitly excludes the disruption of program and supporting services of either party. This test and evaluation process will not disrupt the program and program support activities of either party in any way.
Test scenarios shall specifically exclude the following:
Testing shall be constrained to documented scenarios that evaluate the requirements as set forth in the attached Security Requirements Traceability Matrix (SRTM). The test methodology shall be considered as a two-part process:
With respect to the Prime Directive, when a denial of service scenario appears possible, the testers developing the scenario are actively encouraged to:
The following Security Requirements Traceability Matrix (SRTM) has been developed from and is traceable to the specific United States Government information security laws, rules, regulations, and other guidance stated below:
Additionally, this and other reference material as documented below has been considered and may be cited within the SRTM:
PUBLIC LAWS
The Computer Security Act declares that improving the security and privacy of sensitive information in Federal computer systems is in the public interest, and creates a means for establishing acceptable security practices for such systems. It assigns NIST responsibility for developing standards and guidelines to assure the cost-effective security and privacy of sensitive information in Federal computer systems. Key provisions include:
The Paperwork Reduction Act, as amended in 1995, is the principal information resources management (IRM) statute for the Federal government. It required OMB to establish government-wide IRM policies and to oversee and review agency implementation. It requires the use of Information Technology (IT) to improve service, program management, increase productivity, enhance quality of decision-making, and reduce fraud and waste. It requires agency development of 5-year plans and the appointment of a senior IRM official. The Act assigned OMB responsibility for improving efficiency through use of new technologies.
The Act directs OMB to develop guidance on information security and to oversee agency practices. It directs agencies to establish computer security programs, and tasks OMB to develop and oversee the implementation of policies, principles, standards and guidelines on security. The act further directs Federal Agencies to apply a risk management process for information collected or maintained. Each agency must implement and enforce applicable policies, procedures, standards and guidelines on privacy, confidentiality, security, disclosures and information sharing.
Consistent with the Computer Security Act of 1987, agencies must identify and afford security protections commensurate with risk and magnitude of harm resulting from loss, misuse, unauthorized access to or modification of information collected or maintained.
The Information Technology Management Reform Act (ITMRA) relieved GSA of responsibility for procurement of automated systems and charged OMB with providing guidance, policy and control of information technology procurement. The ITMRA also requires the appointment of a Chief Information Officer (CIO) and mandates use of business process reengineering and performance measures to ensure effective IT procurement and implementation. The ITMRA also reaffirmed OMB, NIST and agency responsibilities regarding information security
This act addresses protection of the confidentiality, integrity and availability of data and systems and revises the Computer Fraud and Abuse Act. Unauthorized use of a computer to obtain information that could be used to injure the United States is a felony offense, as is intentional damage to a computer. Reckless damage to a computer is a felony if committed by unauthorized individuals, but a misdemeanor offense if the damage was negligent rather than reckless. For authorized personnel, reckless or negligent damage is a misdemeanor offense, with the understanding that a range of additional administrative sanctions may also be applied.
This Act requires the Director of OMB to provide direction and oversight in the acquisition of information technologies that provide for electronic submission, maintenance or disclosure of information as a substitute for paper. This Act also directs the acceptance of electronic signatures by executive agencies.
The Security Act (GISRA) amends the Paperwork Reduction Act by enacting new subchapters on information security, and primarily addresses the program management and evaluation aspects of security. Issues addressed include Life Cycle, incident response, agency performance plans, annual agency program reviews, annual Inspector General security evaluations, and required reports to OMB. The OMB is also required to report annually to congress.
The objective of the Privacy Act of 1974 is to protect personal privacy from invasions by Federal agencies. This law allows individuals to specify what information about them may be held by government agencies and gives individuals the right to obtain information held on them. The Act establishes civil and criminal penalties for violations. The Act requires agency implementation of physical security practices, information management practices, and computer and network controls necessary to ensure individual privacy.
This Act provides for fines and imprisonment for individuals who intentionally access a computer without authorization or exceed authorized access and, by such means, obtain information deemed to require protection against unauthorized disclosure. Criminal and civil sanctions also apply to any individual who accesses a federal interest computer without authorization and alters, damages or destroys information, prevents authorized use of the computer, or traffics in any password or similar information.
EXECUTIVE ORDERS
The purpose of this Order is to develop a strategy for protecting and assuring the continued operation of critical infrastructure, including the continuity of government. It established the Infrastructure Protection Task Force (IPTF) within the Department of Justice and the President’s Commission on Critical Infrastructure Protection. The Order requires all agencies to cooperate with the Commission and the IPTF, provide assistance, information and advice, and share information about threats and warning of attacks and information about actual attacks to the extent permitted by law.
This Order requires agencies to improve IT acquisition and management by implementing the relevant provisions of the Paperwork Reduction Act (PRA) and the Information Technology Management Reform Act (ITMRA). Agencies are instructed to refocus IT planning to more directly support their strategic mission and to implement a budget-linked capital planning and investment process. Agencies must establish clear accountability for IT management by appointing a Chief Information Officer (CIO). Under this Order, agencies must:
This Order is established to protect against disruption of the operation of the information systems for critical infrastructure. It established the President’s Critical Infrastructure Protection Board, which is charged with recommending policies and coordinating programs for protecting information systems for critical infrastructure.
OTHER NATIONAL POLICY
PDD-63 focuses specifically on protecting critical infrastructures from both physical and "cyber" attack from sources within or without the United States. The lead Federal agency for the Public Health Services Infrastructure Sector is the Department of Health and Human Services (DHHS). This directive established the Critical Infrastructure Assurance Office (CIAO).
OMB A-123 implements the Federal Managers’ Financial Integrity Act and provides guidance to Federal managers on improving accountability and effectiveness of programs and operations by establishing, assessing, correcting and reporting on management controls. This Circular requires a review of security controls for each system whenever significant changes are made to a system, but at least every three years.
This Memorandum requires that every Federal web site include a privacy policy statement, even if the site does not collect any information that results in a Privacy Act record. This statement must tell site visitors how any information from their visit is handled by the agency. Privacy policies may differ between agencies and may be tailored to the information practices of each individual site.
The purpose of this Memorandum is to reaffirm that, consistent with OMB A-130, agencies must continually assess risk to their computer systems and maintain adequate security commensurate with that risk.
Appendix III of this Circular establishes policy for the security of Federal automated information resources and incorporates requirements of the Computer Security Act of 1987 (P.L. 100-235) as well as responsibilities assigned in applicable security directives. A minimum set of security controls is established including development of a security plan, screening and training of individual users, risk assessments, disaster and contingency plans, and review of security safeguards at least every three years. Appendix III also incorporates provisions for automated information security programs and management control systems established in OMB Circular A-123. Specific requirements of Circular A-130 include:
This Memorandum provides guidance to agencies on carrying out the provisions of GISRA and focuses only upon areas of GISRA that introduce new or modified requirements. The Act requires annual Inspector General (IG) evaluations, agency reporting to OMB of the IG evaluations, and the required OMB annual report to congress.
This Memorandum establishes guidance for implementation of OMB M-01-24, directing agencies to submit to OMB plans of action and milestones (POA&M), with quarterly updates thereafter, to address all weaknesses identified by program reviews and IG evaluations required by GISRA and other previous OMB guidance.
Additionally, the following guidelines and publications of the National Institute of Standards and Technology (NIST) were drawn upon, utilized and referenced in the development of the SAMHSA AISSP.
The NIST Handbook is referenced frequently in OMB A-130, Appendix III and provides a broad overview for development of a sound approach to security controls. The handbook illustrates the benefits of security controls, major techniques for each control and addresses important related considerations.
This document provides a baseline to be used to establish and review Information Technology (IT) security programs. The security principles are to be applied in the use, protection, and design of government information systems.
LOCAL RULES
Local rules and regulations as presented to the reporting agency shall also be considered as requirements for this testing and evaluation process.
Security Requirements Traceability Matrix
The following Security Requirements Traceability Matrix (SRTM) shall be the basis for all test scenarios developed by both parties for the duration of the test period. The supplied matrix can be used to support activity reporting in the columns provided.
Rating Key: M=Met PM=Partially Met NM=Not Met NA=Not Applicable NT=Not Tested

| Reference | Requirement | RFA Rating | RFE/RL Rating | Comments and Observations |
|---|---|---|---|---|
| Administrative | | | | |
| GISRA 3531(B)(3); GISRA 3533(a)(2)(B); GISRA 3534(a)(1) | All United States Government agencies entities shall organize, implement, and maintain an information systems security program that ensures adequate security of all Government agencies information. It applies to all Government agencies bureaus, programs, teams, organizations, contractors, consultants, appointees, employees of Government agencies funded councils, associations, State, local as well as other government bureaus, and committees that use, process, manage Government agency information or meet the requirements of a Federal computer system (defined in the Computer Security Act of 1987). | M | M | |
| GISRA 3534(A)(3)(A); GISRA 3524(a)(5)(A) | The office of Chief Information Officer (CIO) and the designated department SA shall assure the objectives of OMB Circular A-130 (Appendix III) are being met by establishing the minimum security requirements and guidelines to appropriately implement personnel security, physical security, industrial security, automated information system security, telecommunications security, operations security, and compliance. | M | M | |
| NIST SP 800-18 | The CIO and departmental SAs shall maintain inventories of sensitive applications and facilities (operational and under development) by name and brief description. | M | M | |
| 375 DM 19 | All existing Government agencies systems shall be in compliance with the Government agencies Information Technology Security Policy (ITSP). | PM | PM | Needs to be assessed |
| Local Rule | Requests for exceptions to Government agencies security requirements must include sufficient information to allow for a reasoned decision. | M | M | |
| Local Rule | Permanent exemptions from the requirement to clear residual data will be based on a risk analysis to determine what damage, if any, is caused by the potential disclosure of sensitive information to a user who does not have the same authorization to use some or all of the sensitive information on the IT system. | NT | NT | |
| Local Rule | No exemption to object reuse is required for stand-alone IT systems when all users are authorized access to all sensitive information on the IT system. | M | M | |
| Local Rule | A completed risk analysis shall accompany all requests for exemptions on existing dial-up circuits accessing sensitive IT systems. Time schedules will be included indicating when access control protection will be implemented on the dial-up circuits. | M | M | |
| Local Rule | A written exception to the Office of Information Resource Management (PIR) shall be submitted for all facilities that cannot meet the baseline physical security requirements. | NA | NA | |
| GISRA 3534(A)(3)(A) | A full-time Government agencies Department CIO with appropriate authority and responsibility to manage the sensitive IT system security program for the Government agencies shall be designated. | M | M | |
| NIST SP 800-18 | The Department CIO shall establish a formal memorandum of understanding (MOU) among external agencies’ accrediting authorities preceding telecommunication interconnections of accredited IT systems. | M | M | Documents and agreement |
| ITMRA Sec. 5125; OMB 90-08 Sec. 6.a.; CSA Sec. 2.B.3.; CSA Sec. 6 | The Department CIO shall establish departmental information security programs to ensure compliance with the objectives of OMB Circular A-130 (Appendix III) and the Government agencies Information Technology Security Policy (ITSP). | NT | NT | |
| OMB 90-08 App | The departmental CIOs shall determine the sensitivity of their information. | M | M | |
| GISRA 3533(a)(2)(A) | The departmental CIO will decide the minimum safeguards prescribed for an IT system or network. | M | M | |
| 375 DM 19.9.A (6); NIST SP 800-18; OMB A-130 App. III | The departmental CIO will execute a statement that an IT system or network is accredited. | NM | NM | |
| 375 DM 19.8.I (7); 375 DM 19.9.A. (3); 375 DM 19.9.C (4); FISCAM SP-1; NIST SP 800-30; NIST SP 800-18; GISRA 3533(a)(2)(A); GISRA 3534(b)(2); OMB 90-08 App. A; OMB A-130 A.3.b.4 | The departmental CIO will ensure that risk analysis responsibilities are accomplished in accordance with requirements. | M | M | |
| GISRA 3534(b)(3); OMB 90-08 App. A; 375 DM 19.9.A (4); OMB A-130 A.3.b.3; NIST SP 800-18; FISCAM SP 5.1 | Management control systems must be established to document the requirements for each major information system and allow for periodic review of those requirements over the system’s life cycle. | M | M | |
| 375 DM 19.9.A (7)&(5); GISRA 3533(b)(3); FISCAM AC-1.1; FISCAM AC-1.2; NIST SP 800-18 | Management control processes shall be established to assure that appropriate administrative, physical, and technical safeguards are incorporated into new applications, and into significant modifications to existing applications. | M | M | |
| FISCAM CC-2.1; NIST SP 800-18 | The management control process for applications considered sensitive shall include security specifications, design reviews and system tests. | M | M | |
| FISCAM CC-2.1; NIST SP 800-18; GISRA 3534(A)(2)(C); GISRA 3534(b)(3) | Procedures shall be established for periodically reviewing the acquiring and operating of information technology. | M | M | |
| OMB A-130 A.3.b.2; NIST SP 800-18 | Multi-year strategic planning processes shall be established for acquiring and operating information technology. | NM | NM | Suggested as a recommendation |
| OMB A-130 A.3.b.2 | Responsibility for the security of each installation operated by or on behalf of the Federal Government shall be assigned to a management official knowledgeable in information technology and security matters. | M | M | |
| OMB A-130 A.3.b.1; FISCAM AC-2.1 | The official whose program an information system supports shall be responsible and accountable for the products of that system. | M | M | |
| GISRA 3533(b)(3); GISRA 3534(A)(3)(A); GISRA 3524(a)(5)(A); GISRA 3534(b)(2)(A); OMB 90-08 App A | An IT security program shall be implemented and maintained. | M | M | |
| NIST SP 800-18 | A level of security shall be established for all agency information systems commensurate with the sensitivity of the information and the risk and magnitude of loss or harm that could result from improper operation of the information system. |
M |
M |
|
|
|
NIST SP 800-18 |
All IT system facilities shall ensure that legal agreements with vendors include provisions for security (security clearances, where necessary, conflict if interest agreements, bonding of employees, nondisclosure agreements personnel security screening, agreements establishing liability.) |
M |
M |
|
|
|
ITMRA Sec. 5125 OMB 90-08 App. A OMB-130 A.3.b.1 |
A Management Control Plan, which identifies: component inventory risk ratings (high, medium, low) material weaknesses, and other areas of management concern must be developed and updated annually. |
NT |
NT |
|
|
|
GISRA 3531 (B)(3) GISRA 3532 (b)(2) |
Each IT system or network being developed for operation beyond the year 2001 must be designed to meet the appropriate level of trust at which it is to be accredited. |
M |
M |
|
|
|
NIST SP 80-18 |
Departmental Security Analysis’s are required to thoroughly review all vendor recommendations and requirements for the configuration of security controls and formally document compliance or non-compliance of such requirements |
M |
M |
|
|
|
OMB 90-08 App A. 375 DM 19.7.A. 375 DM 19.9.B (2) FISCAM SP-1 FISCAM AC-1.1 FISCAM AC-1.2 NIST SP 800-18 FISCAM SD 1.2 |
Sensitive information shall be protected at a level commensurate with the threat. The level of protection will be determined by the criticality and sensitivity of the information and the mission supported by the system and in compliance with national policy and standards |
M |
M |
|
|
|
FIPS 140-2 FISCAM AC-3.2 |
Telecommunications and information systems transmitting sensitive information should incorporate approved protection techniques consistent with applicable ITSP policies in the most cost-effective manner. |
M |
M |
|
|
|
FIPS 140-2 |
The minimum systems security standards for telecommunications and computer systems which process, store, transfer, or communicate sensitive information with an identified threat other than foreign. E.g., criminal, shall be in compliance with the Federal Information Processing Standards (FIPS) |
M |
M |
|
|
|
375 DM 19.10 |
An annual internal control report shall be provided to the President and Congress that shall describe any security or other control weaknesses identified and provide assurance that there is adequate security of IT systems. |
NT |
NT |
|
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A program should be established to conduct periodic risk analyses on IT systems to determine if security baselines are met and to ensure that appropriate, cost effective safeguards are incorporated on all new and existing IT systems and facilities. |
PM |
PM |
|
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
Threat assessments shall be conducted at least every three years to ensure appropriate protection is implemented on critical and sensitive Government agencies IT systems |
M |
NT |
First time testing RFE/RL |
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A risk analysis shall be performed prior to the approval of design specifications for new installations |
NT |
NT |
|
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A risk analysis must be performed to determine the need and type of approved protection techniques for critical or sensitive systems |
NT |
NT |
|
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A risk analysis must be performed at periodic intervals established by the agency commensurate with the sensitivity of the data processed, but not to exceed every three years if no risk analysis has been performed during that period. |
NA |
NA |
|
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A risk analysis shall be performed whenever there is significant change to the installation. A significant modification made to sensitive or critical IT system or network requires a review to determine the impact on the security of the processed sensitive information |
NM |
NM |
Configuration Management concerns. |
|
|
GISRA 3534(b)(2)(A) GISRA 3534 (b)(2)(B) OMB 90-08 App. A 375 DM 19.8 I (7) 375 DM 19.9 A (3) FISCAM SP-1 NIST SP 800-30 NIST SP 800-18 |
A risk analysis shall be performed for all critical IT systems or IT systems processing sensitive information |
NA |
NA |
|
|
|
Same As Above |
Risk assessments of Government agency’s telecommunications switch facilities shall be conducted to determine the types of threat and the appropriate physical protection measures. |
NT |
NT |
Critical to test |
|
|
375 DM 19.7.E NIST SP 800-18 OMB 90-08 App A |
Upon completion of system tests, a Certifying Official (Departmental CIO, and SAs) shall certify that the system meets all applicable Federal policies, regulations, and standards, and that the results of the tests demonstrate that the installed security safeguards are adequate for the application |
PM |
PM |
|
|
|
375 DM 19.9.A (4) 375 DM 19.9.A (7) 375 DM 19.9.B (4) NIST SP 800-18 FISCAM SP-1 FISCAM SP-5.1 |
All new or major upgrades of existing critical, sensitive, or foreign intelligence IT systems shall be formally certified through a comprehensive evaluation of the technical and non-technical security features |
PM |
PM |
|
|
|
OMB 90-08 App A 375 DM 19.7.E 375 DM 19.9.A (6) NIST SP 800-18 |
The certification, made as part of and in support of the accreditation process, shall determine the extent to which a particular design and implementation meets a specified set of security requirements. |
PM |
PM
|
||
|
Same As Above |
An official written declaration by an agency SA shall be issued for all certified IT systems and networks to operate with specified security safeguards. |
NT |
NT
|
|
|
|
375 DM 19.9.A (6) OMB A-130 A.3.b.4 NIST SP 800-18. |
Government agencies information systems that process critical, sensitive or foreign intelligence information will be certified and accredited by officially designated Agency CIO |
NA |
NA |
|
|
|
NIST SP 80-18 |
Security testing shall be accomplished for certification purposes after installation of a product. |
NT |
NT |
|
|
|
OMB 90-08 App A NIST SP 800-18 |
Pending accreditation, an interim approval to operate is permitted only if a security survey has been completed; a security plan has been developed to prevent unauthorized disclosure of data; a schedule describing advancement to the final accreditation must be established; and for systems processing TOP SECRET and foreign intelligence information, appropriate components must be located in properly secured facilities. |
NA |
NA |
|
|
|
NIST SP 800-18 |
Interim approval to operate must be employed when a new IT system is in an advanced test phase and must use some actual operational data for final design and test before initial operational capability. |
NA |
NA |
Cots Systems? |
|
|
NIST SP 800-18 |
Evaluation of the technical and non-technical security features of the IT systems and other safeguards shall be performed in support of the accreditation process. |
M |
M |
|
|
|
OMB 90-08 App A FISCAM CC-2.1 |
Appropriate technical, administrative, physical, and personnel security requirements must be included in specifications for the acquisition or operation of information technology installations, equipment, software, and related services and shall be reviewed and approved by the departmental ITSM or ADP Facility SM. |
NT |
NT |
Beyond the scope of this Assessment. |
|
|
NIST SP 800-18 FISCAM AC-1.1 FISCAM AC-1.2 |
Departmental SAs shall ensure that all new information systems that store, process, or communicate sensitive information have security features incorporated during the conceptual design phase. |
NT |
NT |
|
|
|
FISCAM AC-1.1 FISCAM AC-1.2 FISCAM CC-2.1 NIST SP 800-18 375 DM 19.8 B (8) 375 DM 19.9 A (7) |
Departmental IT SAs shall ensure that all new IT systems that are intended to process, store, or communicate sensitive information incorporate the provisions of Government agencies IT Security Policy during conceptual design phase |
NT |
NT |
|
|
|
FISCAM AC-1.1 FISCAM AC-1.2 FISCAM CC-2.1 NIST SP 800-18 375 DM 19.8 B (8) 375 DM 19.9 A (7) |
All new IT systems that store, process, transfer or communicate critical, sensitive or foreign intelligence information shall have systems security features incorporated during the conceptual design phase. |
NT |
NT |
|
|
|
FISCAM AC-1.1 FISCAM AC-1.2 FISCAM CC-2.1 NIST SP 800-18 375 DM 19.8 B (8) 375 DM 19.9 A (7) GISRA 3534(b)(3) 375 DM 19.9.A (4) OMB A-130 A.3.b.4 FISCAM SP-2.1 FISCAM SP 5.1 NIST SP 800-18 |
All new IT systems, which communicate critical or sensitive information, shall incorporate approved protection techniques during the planning stages and identify requirements the five-year information system plans. The Departmental SA shall periodically review all Government agencies information technology systems under their controls to ensure that provisions of the Government agencies IT SP are accomplished and provide a consolidated report to the DAA. |
NT |
NT |
||
|
FISCAM AC-1.1 FISCAM AC-1.2 FISCAM CC-2.1 NIST SP 800-18 375 DM 19.8 B (8) 375 DM 19.9 A (7) |
The designated system owner or departmental SA shall define and approve security requirements and specifications prior to acquiring or starting formal development of an IT system |
M |
M |
This document is the Security Requirements Traceability Matrix (SRTM) |
|
|
NIST SP 800-18 FISCAM CC-2.1 |
Design reviews and system tests shall be conducted and approved prior to placing the sensitive or critical application into operation. |
NT |
NT |
|
|
|
OMB 90-08 App A NIST SP 800-18 375 DM 19.9. B (9) |
Results of design reviews and system tests for sensitive or critical IT systems shall be fully documented and maintained in the official agency records. |
M |
NT |
|
|
|
NIST SP 800-18 FISCAM CC-2.1 |
Acquisition specialists shall conduct and approve system design reviews for critical or sensitive It systems prior to placing the system into operation to ensure the proposed design meets the approved security specifications. |
NA |
NA |
|
|
|
OMB 90-08 App A 375 DM 19.9.B (6) 375 DM 19.7.F NIST SP 800-18 OMB A-130 A.3.b.2.d FISCAM SC-3.1 FISCAM SC-2.3 FISCAM SC-2.1 |
Policies must be established and responsibilities assigned to assure that appropriate contingency plans are developed and maintained by the end users of sensitive and critical IT systems |
NM |
NM |
|
|
|
OMB 90-08 App A 375 DM 19.9.B (6) 375 DM 19.7.F NIST SP 800-18 OMB A-130 A.3.b.2.d FISCAM SC-3.1 FISCAM SC-2.3 FISCAM SC-2.1 |
Disaster recovery and continuity of operation plans for all Government agencies information technology installations that process critical or sensitive information shall be maintained |
PM |
M |
||
|
OMB 90-08 App A 375 DM 19.9.B (6) 375 DM 19.7.F NIST SP 800-18 OMB A-130 A.3.b.2.d FISCAM SC-3.1 FISCAM SC-2.3 FISCAM SC-2.1 |
Essential emergency functions shall be performed at the headquarters and regional levels to maintain continuity of government during the national security emergencies. |
NA |
NA |
|
|
|
NIST SP 800-18 FISCAM SC-2.1 |
The emergency operation records at storage locations for which the Vital Records Officer is accountable will be periodically inspected and certified for the currency and adequacy of the inventory following each inspection. |
NA |
NA |
|
|
|
FISCAM AC-3.1 FISCAM AC-4 FISCAM AC-4.1 FISCAM SC-2.1 NIST SP 800-18 |
Assembling, packing and arranging for shipment of the vital records to appropriate storage locations shall be assured. |
NA |
NA |
|
|
|
OMB 90-08 App A 375 DM 19.9.B (6) 375 DM 19.7.F NIST SP 800-18 OMB A-130 A.3.b.2.d FISCAM SC-3.1 FISCAM SC-2.3 FISCAM SC-2.1 |
OMB Circular A-130 requires appropriate contingency, disaster, and continuity planning for the IT systems applications and their implementation (facilities). The plan shall be tested periodically for their adequacy and effectiveness. |
NT |
NT |
Disaster Plans should be tested. |
|
|
OMB 90-08 App A 375 DM 19.9.B (6) 375 DM 19.7.F NIST SP 800-18 OMB A-130 A.3.b.2.d FISCAM SC-3.1 FISCAM SC-2.3 FISCAM SC-2.1 |
A disaster recovery and contingency plans shall be developed for IT systems processing sensitive or critical information. |
M |
NT |
|
|
|
375 DM 19.9.B (10) GISRA 3534(b)(2)(C) OMB 90-08 App A CSA Sec. 2.b.4 CSA Sec. 5 |
A security awareness and training program shall be established. |
PM |
PM |
|
|
|
GISRA 3534 (A)(3)(A) GISRA 3534 (b)(2)(C) OMB 90-08, App. A CSA 2.b.4. Sect. 5 OMB A-130 A.3.a.2.B 375 DM 19.7.F 375 DM 19.8.J (5) 375 DM 19.9.B (10) FISCAM SP-4.2
|
Training and awareness plans shall be developed, maintained, and updated annually by Government agencies bureaus. Plans must contain, at a minimum, the following information: (a) training content or subject matter: (b) target audience, including bureau and contractor personnel for each of the training content areas: and (c) level of training to be provided for each specific subject matter area and target audience category |
M |
M |
This |
|
|
Same As Above |
Government agencies personnel, including contractors, who are involved with the management, use or operation of any IT system handling sensitive or critical information within or under the supervision of the Department, shall receive periodic training in security awareness and accepted security practices |
PM |
PM |
|
|
|
Same As Above |
All personnel shall receive an annual threat briefing. |
NT |
NT |
|
|
|
GISRA 3533 (a)(2)(C) GISRA 3533 (a)(2)(C) NIST SP 800-18 |
Current IT system threat and vulnerability briefings shall be provided to Government agencies bureaus and business offices. |
NT |
NT |
|
|
|
GISRA 3534 (A)(3)(A) GISRA 3534 (b)(2)(C) OMB 90-08, App. A CSA 2.b.4. Sect. 5 OMB A-130 A.3.a.2.B 375 DM 19.7.F 375 DM 19.8.J (5) 375 DM 19.9.B (10) FISCAM SP-4.2 |
For users of IT systems which process, store or communicate critical or sensitive information, initial training shall be provided as soon as possible and within a minimum of 60 days of appointment for new personnel who are managers, users, or operators of sensitive information systems. |
NT |
NT |
|
|
|
Same As Above. |
For users of IT systems which process, store or communicate critical or sensitive information, continuing training shall be provided whenever there is significant change in the It system environment or procedures |
NT |
NT |
|
|
|
Same As Above. |
For users of IT systems which process, store or communicate critical or sensitive information, refresher training shall be provided on an annual basis for all personnel responsible for the management, use or operation of the IT system. |
NT |
NT |
|
|
|
Same As Above. |
All personnel who install, operate, maintain, or use critical or sensitive IT systems, shall be familiar with documented security practices before gaining access to the It system, and be acknowledged in writing applicable system security requirements and responsibilities. |
NT |
NT |
|
|
|
Privacy Act 522A(e)(10) |
Appropriate administrative, technical, and physical safeguards shall be established to ensure the security and confidentiality of records containing Privacy Act Information. |
NT |
NT |
|
|
|
Privacy Act 522A(e)(4)(E) |
Policies and practices regarding the storage, retrievability, access controls, retention, and disposal of Privacy Act Information shall be established. |
NT |
NT |
|
|
|
Same As Above |
Each agency that maintains a system of records shall promulgate rules, which establish procedures for the disclosure to an individual upon his request of his record. |
NT |
NT |
|
|
|
Privacy Act 522A(d)(1) (d)(2) (d)(3) (d)(4) |
Individuals shall be provided with access to, and the ability to amend errors in, systems of records consistent with the Privacy Act, Section 552 a.d. |
NT |
NT |
|
|
|
Privacy Act 522A(e)(5) |
Data shall be recorded and reported to provide users of the data with complete information about the subject of the report per OMB, Government agencies, and Privacy Act Standards. |
NT |
NT |
|
|
|
|
A five-year plan for a single integrated, efficient agency financial management system shall be developed. |
NT |
NT |
|
|
|
Local Rule |
Financial management data (for financial management systems) shall be gathered and processed only where necessary to meet specific internal management needs or external requirements. |
NT |
NT |
|
|
|
Local Rule |
Financial management data (for financial management systems) shall be recorded as soon as practicable after the occurrence of the event. |
NT |
NT |
|
|
|
Local Rule |
Financial management data (for financial management systems) shall be recorded and reported in the same manner throughout the agency, using uniform definitions. |
NT |
NT |
|
|
|
OMB A-130 A.3.a.2.f. GISRA 3534 (b)(2)(f) |
Financial management systems shall be designed and operated with reasonable total costs and transaction costs, in accordance with OMB guidelines. |
NT |
NT |
|
|
|
GISRA 3531 (B)(3) GISRA 3534 (a)(1) CSA Sec. 2.B.3. CSA Sec. 6. |
A plan for the security and privacy of each Federal computer system identified by that agency shall be established that is commensurate with the risk and magnitude or the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. |
NM |
NM |
FTP |
|
|
GISRA 3534 (b)(3) |
Security plans shall be reviewed annually. |
NT |
NT |
|
|
|
Local Rule |
The departmental Information Resource Management Officer shall appoint in writing a SA for IT systems under their control. |
NT |
NT |
Not authorized for |
|
|
Local Rule |
A memorandum with the appointed SA name, work address, telephone number, and security clearance (if applicable)_ shall be developed. |
NT |
NT |
|
|
|
GISRA 3534 (b)(2)(F) OMB A-130 A.3.a.2.d. FISCAM SP-3.4 NIST SP 800-18 |
The bureau IRM Coordinators will document the duties required to secure the IT system facility and the Bureau facility IRM will acknowledge these duties. |
NT |
NT |
|
|
|
CSA Sec. 2B.3. & Sec.6 GISRA 3534 (a)(1) GISRA 3534 (A)(3)(A) OMB 90-08 Sec. 6.a. OMB 90-08 App. A |
All Government agencies bureaus shall establish a network security program ensuring all IT systems and their supporting telecommunications are authorized, authenticated, protected, and accounted. |
PM |
PM |
|
|
|
NIST SP 80-18 |
All bureaus shall implement a program designed to minimize the risk of introducing viruses and other malicious software into Government agencies IT systems. |
M |
M |
|
|
|
NIST SP 80-18 |
PC systems to which access is somewhat open (i.e., training rooms, etc.) should never be used as a source of software or files to be transmitted and/or copied for distribution without first taking steps to ensure that the system is free from viruses or other malicious software. |
M |
M |
|
|
|
NIST SP 80-18 |
A virus or other malicious software program shall be immediately reported to agency supervisory personnel and the departmental ITTSM prior to being fixed. |
NT |
NT |
|
|
|
OMB A-130 A.3.b.2.a. NIST SP 80-18 |
An individual at any level of employment, who is determined to have been responsible for the unauthorized release or disclosure, or potential release or disclosure, of classified information, knowingly, willfully, or through negligence, shall be notified that the action is in violation of applicable Government agencies ITSP. |
NT |
NT |
|
|
|
OMB A-130 A.3.b.2.a. NIST SP 800-18 |
Any security violation possibly involving an infraction of Federal criminal laws shall be forwarded by the designated department ISSPM and concurrently to the Inspector General. |
NT |
NT |
|
|
|
Local Rule |
Government agencies bureaus shall submit annual "Agency Information Security Program Status" reports. |
M |
M |
|
|
|
FISCAM SS-3.1 NIST SP 800-18 |
The Office of Managing Risk and Public Safety shall maintain a record for not less than 12 months of all personnel requiring escorted access to computer equipment rooms, telecommunication facilities, and remote terminal areas, which has the visitor’s name, organization, reason for the visit, date and time of arrival and departure, and the escort’s name and signature |
NA |
NA |
|
|
|
FISCAM AC-3.1 NIST 800-18 |
The Office of Managing Risk and Public Safety shall maintain a current access roster containing the name, organization, and access authorization of each individual requiring routine unescorted access to computer equipment rooms, telecommunications facilities, and remote terminal areas. |
NA |
NA |
|
|
|
PERSCOM |
|||||
|
NIST SP 800-18 OMB A-130A.3.b.2.c. |
Personnel security policies and procedures shall be established and managed to assure an adequate level of security for Federal IT systems |
NT |
NT |
||
|
NIST SP 800-18 |
The coding of position sensitivity is required on Optional Form 8, Position Description (or equivalent agency form). Bureaus must use the following codes when coding position sensitivity: Special Sensitive – 4, Critical Sensitive – 3, Non-critical Sensitive –2, No sensitive –1. The letter "C" will also identify computer and ADP positions after the above code. |
NT |
NT |
|
|
|
OMB A-130 A.3.b.2.c |
Position sensitivity criteria, similar to what is applied to Federal personnel, must be applied to contractor relationships. |
NT |
NT |
|
|
|
OMB A-130 A.3.b.2.c |
All positions that have national security duties must be designated at national security sensitivity levels. Levels include Special Sensitive, Critical Sensitive, and Non-Sensitive. |
NA |
NA |
|
|
|
Local Rule |
The individuals designated as representatives to the Government agencies Telecommunications and Information Systems Security Working Group should have or should be eligible for a SECRET clearance. |
NT |
NT |
|
|
|
OMB A-130 A.3.b.2.c |
Required background investigations are required for placement at each of the sensitivity levels: Special Sensitive: Special Background Investigation; Critical Sensitive: Background Investigation (BI); Non-critical Sensitive: Limited BI or Minimum BI; Non-sensitive: National Agency Check and Inquiry (NAC&I). |
NA |
NA |
|
|
|
OMB A-130 A.3.b.2.C. |
The incumbent of each position designated Special Sensitive or Critical Sensitive shall be subject to periodic reinvestigation five years after placement, and at least once each succeeding five years. |
NA |
NA |
|
|
|
OMB A-130 A.3.b.2.c |
Personnel applying for critical sensitive positions must undergo a pre-placement background investigation. |
NA |
NA |
|
|
|
OMB 90-08 App A |
Only authorized personnel shall have access to information systems. |
M |
M |
|
|
|
OMB 90-08 App A NIST SP 800-18 FISCAM AC-2 FISCAM AC-2.1 FISCAM AC-3.2 |
Granting access to any classification level must be made on a need-to-know basis, and when that need no longer exists, access must be canceled. |
M |
M |
||
|
GISRA 3534 (b)(2)(C) OMB 90-08 App A OMB A-130 A.3.a.2.b. |
On-site personnel who operate ADP equipment shall be approved for access to all types of restricted access data contained in the system and instructed on appropriate security procedures before being granted unescorted system access. |
M |
M |
|
|
|
OMB A-130 A.3.b.2.b. |
Appropriate supervisors and security professionals shall be approved for access to all types of restricted access data contained in the IT system and instructed on appropriate security procedures before being granted unescorted system access. |
M |
M |
|
|
|
OMB A-130 A.3.b.2.b |
Personnel who design, develop, install, modify, service, or maintain the operating system software shall be approved for access to all types of restricted-access data contained in the system and instructed on appropriate security procedures before being granted unescorted access. |
M |
M |
|
|
|
OMB A-130 A.3.b.2.b |
Communication specialists who are responsible for maintenance of the communications hardware and software among ADP facility and its remote terminal users and have the capacity to monitor unencrypted communications shall be approved for access to all types of restricted access data contained in the system and instructed on appropriate security procedures before being granted unescorted system access. |
NT |
NT |
|
|
|
Local Rule |
Bureaus shall provide written identification of the definition of any respective legend(s) and establish protective requirements, as applicable, which shall be made known to all authorized recipients. |
NT |
NT |
|
|
|
Local Rule |
The legend "Limited Official Use" (LOU), shall be marked, stamped, pr permanently affixed to the top and bottom of the outside of the front and back covers, on the title page, on the first and last pages and on all pages of documents or information. |
NA |
NA |
|
|
|
Local Rule |
The identity of the official authorizing the use of the legend and the date of such authorization shall appear on the first and last pages of all LOU documents or information. |
NA |
NA |
|
|
|
Local Rule |
Legends should be removed as soon as they are no longer needed. |
NA |
NA |
|
|
|
Local Rule |
The identity of the official authorizing the "de-control" of a document or information, as well as the date of such authorization, shall appear on the first and last pages of all decontrolled documents. |
NA |
NA |
|
|
|
Local Rule |
Cover sheets must be used to protect the LOU information while in use. |
NA |
NA |
|
|
|
Local Rule |
File folders containing LOU information shall be marked (e.g., at the top and bottom of the front and back covers). |
NA |
NA |
|
|
|
Local Rule |
A warning label shall be affixed to diskettes or floppy disks that contain LOU. |
NA |
NA |
|
|
|
Local Rule |
Officials authorized to control and /or decontrol LOU information shall be listed by name and position title. |
NA |
NA |
|
|
|
Local Rule |
Government agencies officials responsible for responding to the request for release of LOU shall determine, under FOIA/Privacy Act criteria or the appropriate regulations of the Government agencies agency concerned, whether the information should be made available to the requestor. |
NA |
NA |
|
|
|
Local Rule |
Security Standards equivalent to national security CONFIDENTIAL are required for information marked for LOU when the information is electronically processed, stored, transferred, or communicated. |
NA |
NA |
|
|
|
Local Rule |
Safeguard LOU information in the same manner as national security information classified CONFIDENTIAL. |
NT |
NT |
|
|
|
Local Rule |
LOU information shall be made available only to those persons having a need-to-know. |
NT |
NT |
|
|
|
Local Rule |
LOU information or material shall NOT be hand-carried aboard commercial passenger aircraft by employees or agency officials unless the security representatives authorized to direct official travel within their office or agency has made a prior written determination that an emergency situation exists. |
NT |
NT |
|
|
|
Local Rule |
LOU information or material shall normally be transmitted by one of the means established for higher classifications or by the U.S. Postal Service Express Mail or U.S. Postal Service registered first class mail. |
NT |
NT |
|
|
|
Local Rule |
Personnel designated as couriers shall have in their possession an employee ID card or credential with a photograph, description data and bearer’s signature. |
NT |
NT |
|
|
|
Local Rule |
Travelers shall NOT authorize the opening of carry-on items under any circumstance. |
NA |
NA |
Local Policy |
|
|
Local Rule |
LOU documents being carried shall be in the form of paper documents with no metal bindings and contained in sealed opaque inner and outer envelopes. |
NA |
NA |
|
|
|
Local Rule |
Officials who authorize transportation of classified and LOU information material shall notify an official of the appropriate air carrier in advance. | NA | NA | |
Local Rule | Couriers shall have an original of a letter authorizing them to carry classified or LOU information or material. | NA | NA | |
Local Rule | All pages of a LOU transmittal document shall show the control designation of the information being transmitted. | NA | NA | |
| The Department SM shall ensure that procedures are developed to protect sensitive reports during preparation, transmittal, receipt and storage. | NT | NT | |
Local Rule | Copies of risk analyses shall be available to risk analysis teams, internal control personnel and the agency ISSPM on a need-to-know basis. Reports shall be kept in a secure area commensurate with the sensitivity of the information contained in the report. | NT | NT | |
Local Rule | A copy of all documentation relating to security violations shall be filed in the security violations indexes of the Government agency's Office of the Inspector General, or the department ISSPM, and also in the individual's personnel security file. | NT | NT | |
NIST SP 800-18 | Procedures will be in place to ensure the secure destruction of discarded computer material to preclude unauthorized disclosure. | NT | NT | |
NIST SP 800-18 | Personally-owned computers or software will not be used to process, access, or store sensitive information without the approval of the department Heads of Bureaus. | NT | NT | |
NIST SP 800-18 | Configuration control plans shall be prepared and configuration management shall be implemented in all critical, sensitive and foreign intelligence IT systems. | M | M | |
NIST SP 800-18 | Configuration control should begin in the earliest stages of the design and development of the IT systems and extend over the full life of the configuration items included in the design and development stages. | M | M | |
OMB 90-08 App A; NIST SP 800-18; FISCAM CC-2.1; FISCAM CC-3.1; FISCAM SS-3.2 | For every change that is made to an IT system, the design and requirements of the changed version of the IT system should be identified. | NA | NA | |
Same As Above | Every change that is made to documentation, hardware, and software/firmware should be reviewed and approved by the department Heads of Bureaus, the Network Security Officer, or the available security staff. | NT | NT | |
Same As Above | Configuration status accounting is responsible for recording and reporting on the configuration of the project throughout the change. | NT | NT | |
Same As Above | Through the process of a configuration audit, the completed change can be verified to be functionally correct and, for trusted systems and networks, consistent with the security policy of the system or network. | NT | NT | |
Same As Above | In the case of a change to hardware or software/firmware that will be used at multiple sites, configuration control is also responsible for ensuring that each site receives the appropriate version of the IT system. | NT | NT | |
OMB 90-08 App A; 375 DM 19.7.D; 375 DM 19.9.C (2); FISCAM AC-2; NIST SP 800-18; FISCAM AC-3.2; FISCAM AC-4 | The IT system shall ensure that users without authorization are not allowed access to the data. | M | M | |
Same As Above | System owners shall be provided the capability to specify, at their discretion, who (by individual user, group, etc.) may have access to their data. | M | M | |
375 DM 19.9.C (1); NIST SP 800-18 | The IT system shall require users to identify themselves and provide some proof that they are who they say they are (e.g., user ID and password). | M | M | |
NIST SP 800-18; 375 DM 19.8.N | A password should not be shared by multiple users. | PM | PM | FTP Site |
NIST SP 800-18 | The IT system should prevent a user from choosing a password that is already associated with another user ID. | NT | NT | |
375 DM 19.9.C (2) | The IT system should store passwords in a one-way encrypted form. | M | M | |
FISCAM AC-3.2; NIST SP 800-18; OMB 90-08 App A | The IT system should automatically suppress or fully blot out the clear-text representation of the password on the data entry device. | M | | |