Information Security and Privacy Policy Handbook


This document implements OPM's Information Security and Privacy Policy requirements for the protection of information and information systems.

Chief Information Officer
March 31, 2011

Table of Contents

1. INTRODUCTION
  Purpose
  Scope and Applicability
  Compliance, Enforcement, and Exceptions
  Document Organization
  Maintenance of the Official Version
  Legal Authority
2. ROLES AND RESPONSIBILITIES
  OPM Director
  Chief Information Officer (CIO)
  Deputy Chief Information Officer (DCIO)
  Chief Privacy Officer (CPO)
  Chief Information Security Officer (CISO)
  Information Systems Security Manager (ISSM)
  Chief of Enterprise Architecture
  Risk Executive (function)
  Information Technology Security Working Group (ITSWG)
  Privacy Program Manager
  Authorizing Official (AO)
  Information Owners
  System Owner (SO)
  Information System Security Officer (ISSO)
  Designated Security Officers (DSOs)
  Network Managers
  Data Center Managers
  Software Development Managers
  Database Managers
  Security Control Assessor
  OPM Managers and Supervisors
  Physical Security Manager
  Facility Manager
  OIG Role
  Contracting Officers and Procurement Officers
  Contracting Officer's Technical Representative (COTR)
  OPM Users (Internal and External)
3. SECURITY PROGRAM
  Program Management Controls (PM)
4. PRIVACY PROGRAM
  Privacy Framework
  PII Handling Requirements
  Privacy Compliance
  Education and Awareness
  Privacy Complaints
  Managing Privacy Incidents
5. MANAGEMENT CONTROLS
  Planning (PL)
  Security Assessment and Authorization (CA)
  Risk Assessment (RA)
  System and Services Acquisition (SA)
6. OPERATIONAL CONTROLS
  Security Awareness and Training (AT)
  Configuration Management (CM)
  Contingency Planning (CP)
  Incident Response (IR)
  Maintenance (MA)
  Media Protection (MP)
  Physical and Environmental (PE)
  Personnel Security (PS)
  System and Information Integrity (SI)
7. TECHNICAL CONTROLS
  Access Controls (AC)
  Audit and Accountability (AU)
  Identification and Authentication (IA)
  System and Communications Protection (SC)
APPENDIX A: ACRONYMS
APPENDIX B: GLOSSARY
APPENDIX C: REFERENCES
APPENDIX D: WAIVER REQUEST FORM
APPENDIX E: RISK ACCEPTANCE MEMORANDUM
APPENDIX F: RULES OF BEHAVIOR
APPENDIX G: SAMPLE CONTRACT CLAUSE
APPENDIX H: OPM DEFINED SECURITY CONTROL PARAMETERS
APPENDIX I: NIST SP , Rev. 3; Removed or Not Selected

FOR OFFICIAL USE ONLY

Revision History

Version 0.1, March 4, 2011: Draft ISPP. Document was revised in its entirety to clarify OPM's information security and privacy policies and roles and responsibilities, and to implement NIST SP (Rev. 3) security controls.
Version 0.2, March 14, 2011: Internal ITSP review and revisions. Entire document.
Version 0.3, March 31, 2011: Adjust procedure review frequency from two years to one year.

The version of this document that is posted to the Web is the official, authoritative version.

A Message from the Chief Information Officer (CIO)

Meeting Security Requirements

Information security is a critical issue for all of us at the Office of Personnel Management (OPM). We are highly dependent on information resources to store, process, and transmit information while maintaining its confidentiality, integrity, and availability. OPM is required by law to ensure the security of information assets and the technology that is used to process them. Rapid advances in information systems require an increased awareness in the selection and application of appropriate security safeguards.

The OPM Information Security and Privacy Policy

The Information Security and Privacy Policy (ISPP), based on federal laws, regulations, and National Institute of Standards and Technology (NIST) standards and guidance, is the foundation of the OPM IT Security and Privacy Program. It is of the highest priority to ensure that OPM programs are carried out in a safe, accurate, accountable, and cost-effective manner. All users of OPM information resources should utilize this ISPP as guidance for the implementation of information security. It offers safeguards to protect the resources and the information that we rely on to carry out our important work.

Office of Personnel Management (OPM) Directive

Subject: Information Security and Privacy
Number:
Original Issue Date: 3/31/2011
Date Last Reviewed: 3/31/2011

Purpose
This directive authorizes the IT Security and Privacy (ITSP) Office to prescribe and publish the OPM Information Security and Privacy Policy (ISPP). The ISPP is an implementation deliverable of the directive.

Scope
This directive applies to all organizational units within OPM and is to be applied when information systems are used to accomplish the mission of OPM.

Policy
It is the policy of OPM to establish and manage an Information Security and Privacy Program. This ISPP provides uniform policies to be followed by all users of OPM information resources.

Authorities
a. Public Law , Privacy Act of 1974, dated September 27, 1975;
b. Public Law , E-Government Act of 2002, which contains the Federal Information Security Management Act (FISMA), signed by the President on December 17,

References
a. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Systems, dated February 8, 1996;
b. National Institute of Standards and Technology (NIST) Special Publication , Generally Accepted Principles and Practices for Securing Information Technology Systems, dated September 1996;
c. NIST Special Publication , Information Technology Security Training Requirements, dated April 1998;

d. NIST Special Publication , Rev. 1, Guide for Developing Security Plans for Information Technology Systems, dated February 2006;
e. NIST Special Publication , Building an Information Technology Security Awareness and Training Program, dated October 2003;
f. NIST Special Publication , Rev. 3, Recommended Security Controls for Federal Information Systems, dated August 2009;
g. NIST Special Publication , Computer Security Incident Handling Guide, dated January 2004; and
h. NIST Federal Information Processing Standards (FIPS).

Responsible Offices
a. The OPM Chief Information Officer (CIO) shall designate an employee to serve as the Chief Information Security Officer (CISO). The CISO is responsible for formulating and directing the IT Security and Privacy Program for OPM, and subsequently, the creation of the ISPP.
b. The CIO, CISO, System Owners (SO), Information System Security Officers (ISSO), and Designated Security Officers (DSO) of the various OPM Offices shall:
  (1) Implement the policies and procedures set forth in the ISPP; and
  (2) Submit any new or revised regulations, forms, handbooks, or other publications which are pertinent to or impact the Information Security and Privacy Program to the CISO or the CIO for review and approval prior to publication.

Office of Primary Interest: Chief Information Officer

E. Perry
Chief Information Officer

1. INTRODUCTION

Efficient and effective security requires roles, policies, and processes to be clearly defined and understood by everyone. An information security policy is the primary building block for every information security effort. Policies establish both direction and management support. The security and policy programs support the Office of Personnel Management's (OPM) mission by protecting its employees, reputation, legal position, and physical and financial resources through the selection and application of appropriate requirements and policies.

The OPM Information Technology (IT) Security Program is charged with ensuring three core principles:

Confidentiality ensures OPM information is protected from unauthorized disclosure.

Integrity ensures OPM information is protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to:
- Authenticity: the verification of the identity of a user, user device, or the data being stored, transmitted, or otherwise exposed to possible unauthorized modification in an information system, or the establishment of the validity of a transmitted message.
- Non-repudiation: assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so that neither can later deny having processed the data.
- Accountability: the property that enables the tracing of system activities to their sources, who may then be held responsible for such activities. Auditing is a primary means of establishing accountability.

Availability ensures OPM information resources (system or data) are accessible on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring resources are used only for intended purposes.
The OPM Information Security and Privacy Policy contains the OPM IT Security Program and Privacy Program, and includes chapters that address the Management, Operational, and Technical controls enforced for the security of all OPM information systems.

1.1 Purpose

The purpose of the OPM Information Security and Privacy Policy is to define the requirements necessary to meet the fundamental security and privacy objectives of confidentiality, integrity, and availability. This policy supersedes the previously issued IT Security & Procedure Handbook, Volumes 1 and 2, and applies to all OPM personnel and support contractors.

1.2 Scope and Applicability

The policies in this document, and its references and attachments, apply to all OPM information resources. OPM information includes data that is owned, sent, received, or processed by the agency, in either physical or digital form. OPM information resources include OPM hardware, software, media, and facilities.

Everyone who uses, manages, operates, maintains, or develops OPM applications or data, wherever the applications or data reside, must comply with the Information Security and Privacy Policy unless a specific waiver is obtained from the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO). The Information Security and Privacy Policy also applies to all contractors acting on behalf of OPM and to non-OPM organizations or their representatives who are granted authorized access to OPM information and information systems. Finally, this policy applies to other agencies' systems as delineated in Memorandums of Understanding (MOU) and Interconnection Security Agreements (ISA) with OPM.

This Information Security and Privacy Policy (ISPP) does not include specific procedures to implement these policies. Procedures will be developed separately and maintained by the CISO.

1.3 Compliance, Enforcement, and Exceptions

Compliance: The OPM Information Security and Privacy Policy is mandatory for all employees and contractors.

Enforcement: The CIO is responsible for continually reviewing the status of OPM's Information Security and Privacy Programs by monitoring:
- The effectiveness of security and privacy control measures;
- Compliance with existing policies, procedures, standards, and guidelines; and
- User awareness of information security and privacy.

Violations of the policy contained in the ISPP may result in the loss or limitation of access to OPM information systems and information. Anyone who violates the policy may face administrative action ranging from counseling to removal from OPM, as well as criminal penalties or financial liability, depending on the severity of the misuse. OPM employees and contractors are subject to the penalties established by the Privacy Act of 1974. Certain penalties apply to the misuse or unauthorized disclosure of personally identifiable information. The Act (5 U.S.C. 552a(g)) provides for civil remedies for injured parties, including actual damages, attorney fees, and litigation costs.

A policy violation is an infringement or nonobservance of OPM policy. If a policy violation is suspected, OPM employees shall report it to their OPM supervisor, manager, associate director, or office director, as appropriate. Contractors shall report suspected violations to their contracting officer's technical representative and the System Owner. The following preemptive actions must be taken to isolate the suspected violators and systems to prevent additional risk to OPM:
- The suspected violator's group lead shall notify the OPM (Department) for additional guidance;
- Management shall be responsible for any disciplinary actions;
- The CIO shall be responsible for any technical actions; and
- The CIO shall restrict access to OPM information systems until the violator proves, to the satisfaction of the CIO, that the issue is resolved and there is no future risk.

Exceptions: Policy waivers are approved deviations from a policy requirement and are allowed only when adherence to the policy is not feasible. Only the CIO or the CISO may approve a waiver to the ISPP. Waivers will be reviewed on a case-by-case basis. Attachment D contains a formal three-page waiver request form, which must be submitted by the System Owner (SO), Information System Security Officer (ISSO), Designated Security Officer (DSO), or OPM user for consideration and approval by the CISO or CIO. Each waiver must be submitted with a compelling business case justification and a risk assessment.

Adoption of the Information Security and Privacy Policy Requirements: OPM users are responsible for using the current official version of the ISPP posted on the OPM Intranet. OPM leadership will hold users responsible for adhering to the policies and standards in the current official version.

1.4 Document Organization

The Office of Personnel Management has organized this policy to address information security and privacy as follows:

Chapter 1. Contains OPM's overarching policy statement on information security and privacy. The scope and applicability section sets out who the policy applies to and what resources the policy encompasses. Compliance, enforcement, and exceptions to the policy are discussed, including OPM's expectations regarding these issues.

Chapter 2. Provides a general overview of security and privacy responsibilities for everyone (referred to as "OPM users") who uses, manages, operates, maintains, or develops OPM applications or data, based on specific job functions. Refer to Chapter 2 for details regarding specific roles and responsibilities. Some OPM users may have additional security and privacy responsibilities based on their job function.

Chapter 3. Provides OPM Information Security Program policy. The program provides enterprise-wide checks and balances to ensure information security efforts are maximized and the three core principles of Confidentiality, Integrity, and Availability are sufficiently addressed for OPM.

Chapter 4. Provides OPM Privacy Program policy. The program provides direction for the handling and protection of information subject to the Privacy Act.

Chapter 5. Provides OPM Management Controls policy. Management controls are security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Chapter 6. Provides OPM Operational Controls policy. Operational controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).

Chapter 7. Provides OPM Technical Controls policy. Technical controls are security controls (i.e., safeguards or countermeasures) that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Appendices. Contain applicable acronyms; a glossary of key terms; references to applicable laws, guidance, etc.; standard forms and templates; OPM-defined National Institute of Standards and Technology (NIST) control parameters; etc.

1.5 Maintenance of the Official Version

The CIO will review the implementation of this policy at least every three (3) years from its initial distribution, and will review and update it based on emerging information security and privacy policy requirements. When document revisions are formally approved, the IT Security and Privacy Group (ITSP) will issue a new version or an amendment to the ISPP and post it to the OPM Intranet. If a change is minor rather than substantive, the policy can be changed by the CISO with approval from the CIO, without going through the standard approval process.

Contact the Office of Personnel Management, Chief Information Security Officer, 1900 E St. NW, Washington, DC, or send an e-mail to [email protected] if you have questions concerning information in the Information Security and Privacy Policy.

1.6 Legal Authority

OPM developed the ISPP to comply with applicable laws and directives related to information security and privacy. This policy document derives its legal authority from the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the E-Government Act of 2002, the Paperwork Reduction Act, the Clinger-Cohen Act of 1996, and all relevant National Institute of Standards and Technology (NIST) standards, regulations in the Code of Federal Regulations (CFR), and Office of Management and Budget (OMB) memorandums, circulars, and directives.

2. ROLES AND RESPONSIBILITIES

All Office of Personnel Management (OPM) users have information security and privacy responsibilities. The key roles and responsibilities for carrying out this policy are outlined below.

2.1 OPM Director

The Clinger-Cohen Act assigns to the agency head the responsibility for ensuring that the information security policies, procedures, and practices of the executive agency are adequate. The OPM Director shall:
- Provide information security protections commensurate with the risk and magnitude of the harm that would result from the misuse of the agency's information resources, whether intentional or unintentional;
- Ensure that an information security and privacy program is developed, documented, and implemented;
- Ensure that information security and privacy policy is integrated with strategic and operational planning policy;
- Ensure that senior OPM officials within the organization are given the necessary authority to secure the operations and assets under their control and meet their responsibilities under security and privacy statutes and regulations;
- Designate a Chief Information Officer (CIO) and delegate authority to that individual to ensure compliance with applicable information security and privacy requirements;
- Ensure that the CIO, in coordination with other OPM officials, reports as required by law and regulation on the effectiveness of OPM's information security and privacy program, including progress on remedial actions;
- Designate a Chief Privacy Officer (CPO) to ensure compliance with applicable privacy requirements; and
- Ensure that OPM trains personnel to support compliance with information security and privacy policies, processes, standards, and guidelines.

2.2 Chief Information Officer (CIO)

The OPM CIO shall lead the development, management, operations, and support of the information technology (IT) infrastructure, with the assistance of the managers and staff in the Office of the Chief Information Officer (OCIO). The CIO shall be responsible for establishing and maintaining the information security and privacy program at OPM and serves as the Chief Privacy Officer (also known as the OPM Senior Agency Official for Privacy). The CIO shall:
- Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
- Report as required by law and regulation to the OPM Director on the effectiveness of OPM's information security and privacy program, including progress on remedial actions;
- Ensure compliance with information security- and privacy-related federal laws and regulations, as well as other Government-wide policies, mandates, and directives;

- Oversee the security of OPM's information resources, which shall include the security authorization of general support systems such as the network and mainframe platforms;
- Ensure the continuity of support to mission-critical systems and operations;
- Ensure the timely review and resolution of information security and privacy issues;
- Ensure implementation of the management, operational, and technical information security controls assigned to the CIO;
- Designate a Chief Information Security Officer (CISO) and a Privacy Program Manager;
- Review and sign Privacy Impact Assessments (PIA), which shall be in accordance with the OPM PIA Guide;
- Promote and support information security and privacy training for general users and those with significant information security or privacy responsibilities; and
- Monitor the activities of the OPM-wide Information Technology Security Working Group (ITSWG).

2.3 Deputy Chief Information Officer (DCIO)

The Deputy Chief Information Officer (DCIO) shall provide assistance and support in fulfilling the duties of the CIO. The DCIO shall:
- Assist the CIO in ensuring the timely review and resolution of information security and privacy issues;
- Assist the CIO in ensuring implementation of the management, operational, and technical information security controls assigned to the CIO; and
- Ensure the continuity of support to mission-critical systems and operations.

2.4 Chief Privacy Officer (CPO)

The OPM Chief Privacy Officer (CPO) shall be responsible for privacy compliance across the agency, including privacy compliance measures that apply to information security assets and activities. The CPO shall:
- Develop, promote, and support OPM's privacy program;
- Review and implement new and modified privacy policies;
- Represent OPM on interagency workgroups and initiatives involving privacy issues; and
- Review and evaluate OPM's PIAs. The OPM Privacy Impact Assessment Guide provides additional information on conducting and completing a PIA.

2.5 Chief Information Security Officer (CISO)

The Chief Information Security Officer (CISO) is designated by the CIO. The CISO serves as the CIO's primary information security adviser and guides the information security activities of OPM's Authorizing Officials (AO), SOs, and Designated Security Officers (DSO). The CISO shall:
- Perform information security duties as the primary duty;

- Head the Information Technology Security and Privacy office, with the mission and resources to assist in ensuring agency compliance with information security requirements;
- Periodically assess the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
- Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques that address all applicable requirements throughout the life cycle of each agency information system;
- Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
- Ensure that agency personnel, including contractors, receive appropriate information security awareness training;
- Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities;
- Periodically test and evaluate the effectiveness of information security policies, procedures, and practices;
- Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
- Develop and implement procedures for detecting, reporting, and responding to security incidents;
- Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency;
- Support the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;
- Conduct or coordinate information security audits at OPM and contractor facilities; and
- Chair OPM's IT Security Working Group (ITSWG) and serve as its secretariat.

2.6 Information Systems Security Manager (ISSM)

The Information Systems Security Manager (ISSM) is responsible for providing assistance and support to the CISO in managing the OPM information security program, with a strong focus on supporting the implementation of the appropriate security controls spelled out in the provisions of applicable information security statutes and regulations. The ISSM shall:
- Assist the CISO in the implementation and enforcement of OPM's information security and privacy policies and procedures;
- Coordinate the development of Security Assessment and Authorization documentation (additional information is found in OPM's Security Assessment and Authorization Procedure);
- Coordinate a standard Security Assessment and Authorization process to be used throughout the agency, provide internal Security Assessment and Authorization guidance or policy, and review security authorization packages prior to CIO review;
- Coordinate the preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support OPM's operations and assets;
- Coordinate the development, update, and release of appropriate information security awareness training; and
- Coordinate the information requested for internal and external reviews and inspections to ensure compliance with established policies and procedures.

2.7 Chief of Enterprise Architecture

The Chief of Enterprise Architecture is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. Enterprise Architecture is the description of an enterprise's entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture.
2.8 Risk Executive (function)

The Risk Executive (function) is performed by a team comprised of the CISO, Deputy CIO, Chief of Enterprise Architecture, and Chief of Quality Assurance. The Risk Executive (function) has inherent U.S. Government authority and is assigned to government personnel only. The Risk Executive (function) shall:
- Provide a comprehensive, holistic approach for addressing risk throughout OPM, one that provides a greater understanding of the integrated operations of OPM;
- Provide an OPM forum to consider all sources of risk (including aggregated risk) to OPM operations and assets, individuals, other organizations, and the Nation; and
- Ensure that the shared responsibility for supporting OPM mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.

2.9 Information Technology Security Working Group (ITSWG)

The Information Technology Security Working Group (ITSWG) oversees OPM compliance with information security mandates and OPM information security-related policies. It provides input to program office and OPM-wide planning efforts and approaches in response to emerging information security and privacy issues. Responsibilities of the ITSWG are described in the ITSWG Charter.

2.10 Privacy Program Manager

The Privacy Program Manager is responsible for overseeing the OPM privacy program, with a strong focus on protecting Personally Identifiable Information (PII) and implementing the provisions of privacy statutes and regulations. The Privacy Program Manager shall:
- Develop program plans for addressing privacy-related laws and regulations at OPM and manage implementation of the plans;
- Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
- Evolve the privacy program and address new and changing privacy policies and standards;
- Identify trends and recommend to the CISO actions to address organizational, privacy-related weaknesses identified through privacy audits and privacy-related assessments such as PIAs;
- Advise the CIO, CISO, and OPM program offices on the implications and requirements of privacy-related statutes and regulations;
- Review PIAs and recommend action to the CIO (see OPM's PIA Guide for more information);
- Develop OPM-wide privacy-related communications and training, and coordinate their delivery;
- Serve as secretariat to OPM's privacy-related action teams; and
- Track actual or suspected losses of or unauthorized access to PII, follow up on remediation efforts, and prepare reports as requested.

2.11 Authorizing Official (AO)

The Authorizing Official (AO) is an executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. The role of an AO has inherent U.S. Government authority and is assigned to government personnel only. Only an executive can accept risk. Risk justification must be supported with a compelling business case. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, a particular information system may involve multiple AOs. The AO shall:
- Have budgetary oversight for an information system or be responsible for the mission and/or business operations supported by the system;
- Be accountable for the security risks associated with information system operations;

- Review Security Assessment and Authorization documentation and discuss concerns with the CISO as necessary;
- Deny authorization to operate an information system, or halt operations if the system is already operational, when unacceptable risks exist;
- Coordinate their activities with the CISO, System Owner (SO), Information System Security Officers (ISSO), Security Control Assessors, and other interested parties during the security authorization process;
- Establish agreements among AOs, where there are multiple AOs, and document them in the System Security Plan (SSP); and
- Be responsible for ensuring that all activities and functions delegated to Authorizing Official Designated Representatives are carried out.

2.12 Information Owners

Information Owners are responsible for the security of the information they own that resides within an OPM system. Information Owners are responsible for coordinating with the SO to establish controls regarding the generation, collection, processing, dissemination, and disposal of information residing on an OPM system. Information Owners shall:
- Establish rules for appropriate use and protection of OPM information;
- Safeguard all PII that OPM owns, sends, receives, or processes;
- Provide input to SOs regarding security requirements for the information systems where the information resides; and
- Determine who should have access to the information, with what privileges, and at what level of access.

2.13 System Owner (SO)

The System Owner is the official responsible for the overall security, procurement, development, integration, modification, or operation and maintenance of an information system. The SO shall:
- Categorize the information system according to the potential impact to OPM of a breach of confidentiality, integrity, or availability;
- Ensure the implementation of the security controls appropriate to the risk rating established through the categorization process for the system;
- Identify and evaluate security risks and vulnerabilities and establish risk mitigation plans;
- Approve System Security Plans (SSPs); review Memorandums of Agreement or Understanding (MOA/U) and Plans of Action and Milestones (POA&Ms); and determine whether significant changes in the information systems or environments of operation require reauthorization;
- Ensure the Information Security and Privacy Policy (ISPP) is followed by all users accessing the information system;
- Ensure the management, operational, and technical information security controls are implemented and operating as intended for all of their information systems;

- Ensure system users and support personnel receive the requisite security and privacy training;
- Ensure that DSOs are identified and provide security-related support;
- Ensure that program office senior management is aware of the resources required to assess and authorize information systems, allowing appropriate work plans and budgets to be developed;
- Ensure appropriate staff (system administrators, technical developers, and other staff) are assigned to coordinate with the DSO in developing Security Assessment and Authorization documentation (see OPM's Security Assessment and Authorization Procedure for more information);
- Provide necessary system-related documentation to the CISO;
- Take appropriate steps to reduce or eliminate system vulnerabilities identified in the Security Assessment and Authorization process;
- Ensure PIAs are conducted on all systems before implementation or enhancement, in accordance with OPM's Privacy Impact Assessment Guide;
- Review acquisition documentation to ensure adequate and cost-effective security measures and safeguards are included; and
- Ensure all contracts for IT services, both software and hardware, include clauses incorporating OPM's System Security Plan (SSP) and related references.

2.14 Information System Security Officer (ISSO)

The Information System Security Officer has the detailed knowledge and expertise required to manage the security aspects of an information system and is assigned responsibility for the day-to-day security operations of a system.

The ISSO shall:

- Ensure that the appropriate operational security posture is maintained for an information system and, as such, work in close collaboration with the SO;
- Serve as a principal advisor on all matters, technical and otherwise, involving the security of an information system;
- Ensure physical and environmental protection, personnel security, incident handling, and security training and awareness;
- Assist in the development of security policies and procedures and ensure compliance with those policies and procedures; and
- Monitor a system and its environment of operation, in close coordination with the SO. This includes developing and updating the SSP, managing and controlling changes to the system, and assessing the security impact of those changes.

2.15 Designated Security Officers (DSOs)

The Designated Security Officer (DSO) is appointed by an OPM Program Office or Department to represent the interests of the program office or department in carrying out the security functions of the organization.

The DSO shall:

- Work closely with the CISO, ISSO, and appropriate staff in the program offices to protect information resources from misuse, whether intentional or unintentional. This effort will involve reviewing, evaluating, and recommending appropriate information security and privacy measures along with safeguards;
- Conduct periodic security reviews of system facilities to ensure safeguards are commensurate with the system information being stored, processed, or transmitted;
- Update system security documentation and work with the SO and ISSO to assess the security impact of any information system changes;
- Coordinate with the Software Development Managers and ensure security requirements and issues are addressed consistent with this policy;
- Assist the CISO, Information Systems Security Manager, and ISSO in the identification, implementation, and assessment of common security controls;
- Ensure the implementation of any modifications necessary to correct security control deficiencies found during security assessment testing;
- Advise users of the security features and procedures to be used for information systems;
- Establish access control criteria and administrative procedures consistent with OPM policy;
- Review and approve new user accounts for system and network access after obtaining supervisor or management approval;
- Ensure the development and timely completion of security and privacy reports, including those related to POA&Ms, system inventory, security controls testing and monitoring, contingency plan testing, etc.;
- Ensure all actual and suspected security incidents and breaches of PII are reported to the OPM Situation Room (SitRoom);
- Assist in the investigation of actual or suspected security incidents and breaches of PII as appropriate;
- Participate in internal/external reviews, inspections, and audits to ensure compliance with federal laws and OPM policy;
- Coordinate with the CISO to advise contracting officers developing or administering contracts on behalf of OPM regarding the content and implementation of contract clauses related to OPM's information security and privacy policy;
- Review acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
- Develop and maintain (with the assistance of the CISO) an annually verified list of systems requiring security authorization;
- Coordinate the Security Assessment and Authorization process for program office systems (see OPM's Security Assessment and Authorization Procedure for more information); and
- Attend monthly ITSWG meetings and participate in ITSWG activities.

2.16 Network Managers

The Network Manager of any network that handles OPM applications or data, wherever the network resides, provides in-depth technical information security support for OPM's infrastructure.

The Network Manager shall:

- Manage and implement appropriate server, desktop, and network information security practices in accordance with OPM's Information Security and Privacy Policy (ISPP);
- Plan and manage day-to-day security-related activities and install and operate appropriate hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
- Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Manage or oversee incident reporting activities relevant to OPM information as appropriate, which may include service as the point of contact for the United States Computer Emergency Readiness Team (US-CERT). This responsibility is shared with the CISO; and
- Assist in the investigation of actual and suspected security incidents and breaches of PII as appropriate.

2.17 Data Center Managers

The Data Center Manager of any facility that handles OPM applications or data, wherever the data center resides, provides information security protection for OPM's data.

The Data Center Manager shall:

- Plan and manage day-to-day security-related activities and install and operate the appropriate hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
- Formulate, test, and maintain contingency and Disaster Recovery Procedures and Plans;
- Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Coordinate with the CISO to advise contracting officers developing or administering contracts on behalf of OPM regarding the content and implementation of contract clauses related to OPM's information security and privacy policy;
- Review other acquisition documentation and ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
- Ensure regular backups of data, software, applications, and information; and
- Report any actual or suspected breaches of PII to the OPM Situation Room (SitRoom), in accordance with the reporting procedures on the Privacy Web pages on the OPM Intranet.

2.18 Software Development Managers

The Software Development Manager provides software development security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM's development environment.

The Software Development Manager shall:

- Plan, direct, and coordinate all activities associated with the development of software policies and procedures, software certification processes, and resolution of technical issues;
- Collaborate with the database, network, and data center managers to manage audit records showing the addition, modification, or deletion of information from an information system;
- Assess all security controls in an information system during the initial security authorization;
- Develop, document, and maintain a current OPM baseline guidance configuration of the information system and an inventory of the system's constituent components; and
- Enforce access restrictions associated with changes to the information system and maintain records associated with changes to system accesses.

2.19 Database Managers

The Database Manager provides in-depth technical information security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM's database infrastructure.

The Database Manager shall:

- Formulate, test, and maintain disaster recovery and contingency plans and procedures;
- Work closely with appropriate personnel (i.e., CISO, Information Systems Security Manager, Privacy Program Manager, and DSO) to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
- Ensure the integration of security and privacy policies into database design and maintenance for those databases that process OPM information;
- Coordinate with the CISO to advise contracting officers developing or administering contracts regarding the content and implementation of contract clauses related to OPM's Information Security and Privacy Policy (ISPP); and
- Review other acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement.

2.20 Security Control Assessor

The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

The Security Control Assessor shall:

- Assess the management, operational, and security controls detailed in the System Security Plan of an information system in support of security authorization;
- Provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation;
- Recommend corrective actions to address identified vulnerabilities;
- Prepare the final security assessment report containing the results and findings from the assessment;
- Provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities; and
- Prepare a recommendation for security authorization of the system for CISO and AO review and approval per the OPM Security Assessment and Authorization Procedure.

2.21 OPM Managers and Supervisors

All OPM Managers and Supervisors are responsible for carrying out the applicable provisions of this policy and for supervising or directing the users who work for them to ensure their compliance with this policy.
OPM Managers and Supervisors shall:

- Implement and enforce this policy;
- Instruct their employees and contractors on the importance of following OPM's Security and Privacy Policy and Procedures;
- Ensure employees and contractors have appropriate background investigations;
- Ensure employees and contractors are appropriately trained for their information security- and privacy-related job activities;
- Determine appropriate access requirements for employees and contractors;
- Work with the Office of the CIO to limit access for OPM users to only the information resources needed to complete assigned job activities; and
- Review and approve new user accounts for system and network access.

2.22 Physical Security Manager

The OPM Physical Security Manager (PSM), located at the OPM Headquarters Office in Washington, DC, shall establish security standards/guidelines and monitor implementation at the Headquarters Office. The same standards apply at other OPM facilities; however, the Facility Managers are responsible for implementing associated controls within those locations. The PSM shall monitor the implementation of OPM physical standards to ensure compliance at all OPM facilities. The PSM reviews facilities' physical access authorizations before access is granted, and reviews authorizations when individuals are reassigned or transferred to other positions within the organization.

The PSM shall ensure:

- Physical security-related incidents involving loss of or damage to OPM-issued property, threats, assaults, or other criminal activity involving OPM are remediated;
- Review, coordination, and writing of physical security plans, directives, checklists, procedures, policies, assessments, and surveys;
- Establishment and implementation of physical security access control measures, procedures, and guidelines;
- Screening of individuals (i.e., conducting background investigations) requiring access to OPM facilities, information, and information systems is completed before authorizing access; and
- Upon termination, access is terminated, exit interviews are conducted, all OPM information system-related property (e.g., keys, identification cards, building passes) is returned, and appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems.

2.23 Facility Manager

OPM Facility Managers are primarily responsible for building maintenance (e.g., HVAC, lighting, power, fire suppression, etc.). However, Facility Managers located at non-headquarters facilities are responsible for implementing physical security controls following standards and guidelines established by the Physical Security Manager (PSM).

The Facility Manager shall ensure implementation of the following at OPM facilities:

- Physical security controls at non-headquarters facilities;
- Redundant and parallel power cabling paths;
- Automatic voltage controls;
- A long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source;
- A long-term alternate power supply that is not reliant on external power generation;
- Emergency lighting for all areas within the facility supporting essential missions and business functions;
- Fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire;
- Temperature and humidity controls to maintain conditions that are conducive to maintaining information system longevity and functionality; and
- Mechanisms that protect the information system from water damage.

2.24 OIG Role

The Office of Inspectors General (OIG) is to ensure Federal Information Security Management Act (FISMA) compliance. The OIG evaluates how National Institute of Standards and Technology (NIST) guidance is applied in the context of its mission/business responsibilities, operational environment, and unique organizational conditions. The OIG performs a yearly assessment on agency information systems assessing OPM compliance with FISMA and NIST Special Publications to assure the security posture is valid and sound, according to NIST standards and guidelines.

2.25 Contracting Officers and Procurement Officers

Office of Personnel Management contracting officers are responsible for dealing with contractors and have sole authority to solicit proposals and negotiate, award, and modify contracts on behalf of OPM.

Contracting Officers and Procurement Officers shall:

- Ensure all contracts for IT hardware, software, and services include clauses incorporating OPM's Information Security and Privacy Policy and related references; and
- Ensure all contracts entailing the use of PII in paper or electronic form include clauses incorporating OPM's Information Security and Privacy Policy (ISPP) and related references.

2.26 Contracting Officer's Technical Representative (COTR)

OPM Contracting Officer's Technical Representatives (COTRs) are responsible for ensuring OPM-IT contractor business relationships are mutually beneficial and provide those products and services OPM needs. The COTR is a technical information conduit, business partner, and contracting and regulatory liaison between OPM and the IT contractor.

The COTR shall:

- Ensure that a security clause for Federal Information Security Management Act (FISMA) compliance is added to all IT contracts;
- Notify the help desk and physical security of all departing contractors so associated accounts can be disabled to prevent system access;
- Ensure that contractors complete annual security awareness training;
- Recommend, with full justification, whether to provide government IT property to a Contractor for a proposed procurement;
- Maintain appropriate files to support the awarded IT contract through the completed task;
- Assist and participate in the post-award orientation apprising the IT contractor of all post-award rights, duties, and milestones of both parties affecting substantial performance;
- Monitor the acquisition, control, and disposition of OPM IT property by OPM personnel and by the IT contractor;
- Assess IT contractors for any loss, damage, or destruction of property; and
- Document IT contractor performance.

2.27 OPM Users (Internal and External)

An OPM user is anyone who uses, manages, operates, maintains, or develops OPM applications or data. OPM users are responsible for complying with this policy and protecting information resources from loss, theft, misuse, unauthorized access, destruction, unauthorized modification, disclosure, or duplication (intentional or unintentional). The term "information resources" includes both Government information and information technology.

OPM users shall complete IT security awareness training prior to gaining access to OPM systems and repeat this training annually. OPM users shall comply with the OPM IT Rules of Behavior at all times and locations. This includes compliance with all Office of Management and Budget (OMB), NIST, and OPM guidance as announced and/or published on the OPM Intranet. All individuals considered external to OPM using an OPM IT system shall comply with all Federal Government and OPM IT Security Policies, laws, and regulations, Inter-agency Memorandums of Understanding/Agreement (MOU/A), or other formal agreements with OPM.

OPM users shall:

- Safeguard user identification, logon identification, and other credentials and passwords from unauthorized access, use, and disclosure;
- Comply with 5 CFR , Privacy Act Rules of Conduct;
- Complete IT security awareness training prior to gaining access to OPM systems and complete this training annually;
- Complete any special security training required for the position they hold;
- Comply with OPM Computer User Responsibilities and OPM's Policy on Personal Use of Government Office Equipment;
- Secure and log off from any computing environment when processing is complete;
- Report any observed or suspected security incidents to the OPM Situation Room (SitRoom), in accordance with OPM's Incident Response and Reporting Guide;
- Report any actual or suspected breaches of PII to the OPM Situation Room, in accordance with the reporting procedures on the Privacy (PII) Web pages on the OPM Intranet; and
- Report any observed or suspected violations of this policy according to instructions provided in Chapter 3 of this policy. OPM employees must report violations to their OPM Supervisor or Manager. Contractors must report violations to their Contracting Officer's Technical Representative (COTR).

3. SECURITY PROGRAM

The mission of the Office of Personnel Management (OPM) IT Security and Privacy (ITSP) Office is to implement and maintain an OPM-wide information security and privacy program that safeguards information assets against unauthorized use, disclosure, modification, damage, or loss. This is done by providing oversight over the implementation of management, operational, and technical security controls to protect agency resources. ITSP also manages security and privacy risks by educating the OPM user community about related issues, assessing current policies, developing new policies, and establishing mechanisms to respond to incidents and events that endanger information assets.

The ITSP administrative responsibilities include establishing and maintaining an information technology (IT) security and privacy program that is compliant with OPM's strategic goals and priorities, the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the Clinger-Cohen Act of 1996, and other applicable federal IT security and privacy laws and directives. The organizational structure below provides a high-level representation of the ITSP security program areas.

Figure 1: ITSP Program Areas

This chapter contains the National Institute of Standards and Technology (NIST) SP Program Management (PM) security control requirements as they relate to OPM's information security program. The remaining 17 NIST SP security control families are covered in Chapters 5-7. Chapter 4 includes the elements of OPM's Privacy Program.

3.1 Program Management Controls (PM)

The National Institute of Standards and Technology (NIST) Program Management (PM) family of security controls focuses on information security requirements that are independent of any particular information system and are essential for managing information security programs. Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program plan cover the totality of security controls employed by the organization.

Policy: OPM shall establish and maintain a robust, cost-effective security program that incorporates the security controls specified herein, and shall develop OPM-wide security controls that enhance both the Federal and OPM-specific security controls to ensure the confidentiality, integrity, and availability of OPM information systems, networks, and data, in accordance with federal policies, standards, procedures, and guidance. The OPM Information Security and Privacy Policy (ISPP) shall serve as the foundation for the OPM security program. Policy shall be adjusted (at least every two years) and shall be related to the risk of the agency and/or business units not being able to perform their functions.

OPM shall develop an organization-wide information security program plan to supplement the individual security plans developed for each information system.

3.1.1 Information Security Program Plan (PM-1)

The information security program plan can be represented in a single document or a compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.

The policies under this family are implemented with the OPM-wide Program Management Procedure. Program management procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

3.1.2 Senior Information Security Officer (PM-2)

The Chief Information Security Officer (CISO) is the information security official for a federal agency, as defined in applicable federal laws, Executive Orders, directives, policies, or regulations. Organizations often refer to this organizational official as the Senior Information Security Officer or Senior Agency Information Security Officer (SAISO).

OPM shall appoint a CISO with the mission and resources to coordinate, develop, implement, and maintain an OPM-wide information security program. The Chief of IT Security and Privacy (ITSP) shall assume the role and responsibilities of OPM's CISO.

3.1.3 Information Security Resources (PM-3)

Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process.

OPM shall:

- Ensure all capital planning and investment requests include the resources needed to implement the information security program, and document all exceptions to this requirement;
- Consider a business case/Exhibit 300/Exhibit 53 to record the resources required (to include information technology and security); and
- Ensure information security resources are available for expenditure as planned.

In coordination with the Office of the Chief Information Officer, System Owners (SO) shall integrate and explicitly identify funding for information security technologies and programs in IT investment and budgeting plans. OPM General Support Systems (GSS) and Major Applications (MA) shall be mapped to an Exhibit 300 and/or Exhibit 53, and shall have appropriate security budgeting and justification.

National Institute of Standards and Technology (NIST) Special Publication , Integrating IT Security into the Capital Planning and Investment Control Process, provides a systematic approach to selecting, managing, and evaluating IT security investments.

3.1.4 Plan of Action and Milestones Process (PM-4)

The Plan of Action and Milestones (POA&M) is a key document in the information security program and is subject to federal reporting requirements established by the Office of Management and Budget (OMB). POA&M updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB Federal Information Security Management Act (FISMA) reporting guidance contains instructions regarding organizational POA&Ms.

OPM shall implement a process for ensuring that POA&Ms for the security program and the associated organizational information systems are maintained and that OPM is documenting the remedial information security actions to mitigate risk to OPM operations and assets, individuals, other organizations, and the Nation.

Remedial information security actions (i.e., corrective actions) shall include:

- All recommendations from external audits, reviews, or evaluations (e.g., GAO, OIG, or Departmental compliance and assistance review reports);
- Actions to mitigate significant vulnerabilities found in periodic testing that the SO or Authorizing Official (AO) deems necessary to report; and
- Actions to correct deficiencies found in self-assessments.

3.1.5 Information System Inventory (PM-5)

This control addresses the inventory requirements in the Federal Information Security Management Act (FISMA). OMB provides guidance on developing information system inventories and associated reporting requirements.

OPM shall develop and maintain an inventory of its FISMA information systems. FISMA (through 44 USC 3505) requires that agencies maintain an inventory of major information systems, to include major national security systems. Major Applications (MA) are all defined to be major information systems. Additionally, some General Support Systems (GSS) are major information systems. These typically include platforms and other infrastructural elements. FISMA also requires that the inventory include an identification of the interfaces between each such system and all other systems and networks, including those not operated by or under the control of the agency. The inventory shall be updated at least annually.

The key distinction between major and non-major/minor systems is the degree of attention to security required: special attention and attention, respectively. To add further clarity to this distinction, it is OPM policy that systems shall be considered major information systems if they meet one of the following criteria:

- Systems with a FIPS 199 security categorization level of Moderate or High, based on the following criteria: the information contained, processed, stored, or transmitted requires special protection, or the information system is critical to the agency's mission;
- Any system that is called out in a major CPIC (Capital Planning and Investment Control) investment; or
- Any system that is comprised of (or contains) an OPM-designated Critical Infrastructure Protection asset.

Minor systems may be included in the inventory as part of an MA or GSS when considered part of the security authorization boundary, and not listed separately. Note that the business owner of the minor system must be consulted and agree to whether the system will be assessed separately or not. Whether in a stand-alone Security Authorization or as a component of a major system Security Authorization, the security controls in a minor application must still be described and tested. Candidates for systems that can be included as part of a larger system Authorization are systems with a FIPS 199 categorization of LOW. ITSP provides consultation as part of the OPM System Registration process, and can help determine the appropriate handling of information systems as they relate to the OPM System Inventory and Authorization.

30 An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. A major information system is an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources. A "major application" is an application that requires special attention to security due to the risk and magnitude resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A "general support system" is considered a major information system when special management attention is required, there is high development, operating, or maintenance costs; and the system/information has a significant role in the administration of agency programs. A "minor application" is an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the information in the application. FISMA and Reporting of Contractor Systems FISMA requires Federal agencies to be responsible for security of information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. FISMA requirements apply to Federal information as well as Federal information systems. OMB clarifying guidance states that FISMA requirements may apply to contractors, grantees, State and local governments, industry partners, and others and that Agencies must develop policies for information security oversight of users with privileged access to Federal data. 
OMB's guidance promulgates the FISMA requirements to provide security protections "...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency." To implement these requirements, the following definition of contractor systems under FISMA will apply:

- A system is considered a FISMA reportable contractor system when it is operated by an external (i.e., non-OPM) organization (e.g., contractor, grantee, State or local government, industry partner, fiscal agent, other Federal agency) that collects, processes, or handles OPM-owned information on behalf of OPM; and
- A system or application that is being run by another Federal agency exclusively for OPM would be reported as part of OPM's inventory. In the case where OPM, along with other organizations, is using another agency for services (e.g., payroll processing), the system would not be reported as an OPM system since it would be reported under the FISMA reporting chain by the agency providing the service.

Examples of systems operated by external organizations that are FISMA reportable include:

- Outsourced systems, network operations, telecommunications services;
- Government Owned, Contractor Operated (GOCO) systems; or
- Major applications or general support systems operated by external organizations under contracts to support OPM's mission.

Per OMB guidance, in most cases incidental systems are not reportable under FISMA. OMB provides the following example of incidental systems: corporate human resource or financial management systems acquired by an external organization solely to assist in managing corporate resources assigned to a government contract, provided the system does not use OPM information or interconnect with OPM's network infrastructure.

Information Security Measures of Performance (PM-6)

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program.

OPM shall develop, monitor, and report on the results of information security measures of performance.

Enterprise Architecture (PM-7)

Enterprise architecture implemented by an organization must align with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization's enterprise architecture helps to ensure that security considerations are addressed by organizations early in the system development life cycle. Security requirements and control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures.
OPM shall develop enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. The OPM Enterprise Architecture is guided by the Federal Enterprise Architecture Framework (FEAF) for the integration of business and technology. The FEAF incorporates the use of several associated OMB reference models. These models are included as a process of the IT Governance Process. The OMB Federal Enterprise Architecture Framework reference models are as follows:

- The Performance Reference Model (PRM), which is a standard to measure the performance of major IT investments.
- The Technical Reference Model (TRM), which is used to identify the standards, specifications, and technologies that support and enable the delivery of service.
- The Business Reference Model (BRM), which describes the business operations of the Federal Government.
- The Service Component Reference Model (SRM), which classifies service programs/processes with respect to how they support business and/or performance objectives.

Critical Infrastructure Plan (PM-8)

Presidential Decision Directive (PDD) 63, "Critical Infrastructure Protection"; Homeland Security Presidential Directive (HSPD)-7, "Critical Infrastructure Identification, Prioritization, and Protection"; HSPD-8, "National Preparedness"; and Executive Order (EO) "Critical Infrastructure Protection in the Information Age" require Federal departments and agencies to identify, prioritize, and coordinate the protection of CI/KR (Critical Infrastructure / Key Resource) systems to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them. Federal departments and agencies are required to work with state and local governments as well as the private sector to accomplish this objective.

Critical Infrastructure means "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The term "key resources" means "publicly or privately controlled resources essential to the minimal operations of the economy and government."
OPM shall address information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

Risk Management Strategy (PM-9)

An organization-wide risk management strategy includes an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a Risk Executive Function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is both broad-based and comprehensive. OPM shall:

- Develop a comprehensive strategy to manage risk to OPM operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
- Implement that strategy consistently across the organization.

OPM follows the NIST Risk Management Framework (RMF). In addition to supporting the authorization of information systems, the RMF tasks support the selection, development, implementation, assessment, authorization, and ongoing monitoring of common controls inherited by organizational information systems. This approach recognizes the importance of security control effectiveness within information systems and the infrastructure supporting those systems. OPM has also established a Risk Executive Function to manage enterprise risk.

Security Authorization Process (PM-10)

The security authorization process for information systems requires the implementation of the Risk Management Framework and the employment of associated security standards and guidelines. Specific roles within the risk management process include a designated Authorizing Official (AO) for each organizational information system. Authorization is the official management decision given by an agency executive to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. OPM shall:

- Manage (e.g., document, track, and report) the security state of organizational information systems through security authorization processes;
- Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
- Integrate fully the security authorization processes into an organization-wide risk management program.

All OPM General Support Systems (GSS) and Major Applications (MA) shall undergo a Security Assessment and Authorization prior to processing any OPM information that has security considerations due to its confidentiality, integrity, or availability requirements. Security authorization shall be updated at least every three (3) years or when there is a significant change to the system. Information system security controls shall be continuously monitored and assessed annually to ensure continued effectiveness.
All information system security controls shall be assessed for authorization; a subset of security controls shall be assessed as part of continuous monitoring. Examples of changes that may require re-authorization are:

- Installation of a new or upgraded operating system, middleware component, or application;
- Modifications to system ports, protocols, or services;
- Installation of a new or upgraded hardware platform or firmware component;
- Modifications to cryptographic modules or services;
- Connections added to information systems outside the accreditation boundary;
- Changes or enhancements to system functionality that affect its mission criticality, information types, user base, or classification of data supported by the information system; and/or
- Security incident(s) that result in significant changes to the information system.

Mission/Business Process Definition (PM-11)

Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (e.g., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. OPM shall:

- Define mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
- Determine information protection needs arising from the defined mission/business processes and revise the processes as necessary, until an achievable set of protection needs is obtained.

Use of Information Technology Resources

Everyone who uses, manages, operates, maintains, or develops OPM applications or data, wherever they reside (referred to as "OPM users"), must comply with OPM's Information Security and Privacy Policy, unless a specific waiver is obtained from the Chief Information Officer (CIO) or the CISO in accordance with the waiver process in Chapter 1.
The Information Security and Privacy Policy also applies to all contractors acting on behalf of OPM and to non-OPM organizations or their representatives who are granted authorized access to OPM information and information systems. Finally, this policy applies to other agencies' systems as delineated in memorandums of understanding (MOUs) and interconnection security agreements (ISAs) with OPM. The implementation standards in this policy and its references and attachments apply to all OPM information and information technology (IT) resources. OPM information includes data that is owned, sent, received, or processed by the agency and includes information in either physical or digital form. OPM IT resources include OPM hardware, software, media, and facilities.

Intentional and unintentional misuse and abuse of information systems pose a threat to information security. All users of OPM information systems shall meet minimum requirements for eligibility for physical and logical access to OPM-controlled facilities and OPM information systems at a risk or sensitivity level appropriate to their roles. Such determinations of suitability for employment may require the use of personnel investigations and other verification techniques. OPM policy shall:

- Ensure that individuals (including third-party service providers) requiring access to information systems and occupying positions of responsibility have background investigations that the OPM CIO or designee agrees are appropriate to the functions they will perform, before access is authorized;
- Ensure that information and information systems are protected if adverse actions are taken against an OPM user, such as termination or suspension; and
- Employ formal sanctions for personnel who fail to comply with OPM security policies and procedures.

Information System Security Controls Policy

Federal agencies achieve information security for electronic information and related information systems by applying safeguards and countermeasures, known as controls. Controls can be managerial, operational, or technical. NIST has identified 18 families or categories of controls to support the appropriate level of confidentiality, integrity, and availability of information. The guidance applies to paper and electronic information systems. Information systems shall provide adequate, risk-based protection in the 18 security control families defined in NIST SP for the designated FIPS 199 security categorization impact level (Low, Moderate, or High). The Information Security and Privacy Policy aligns to the NIST SP Revision 3 security controls for low, moderate and high information systems. Guidance to assess security control implementation is documented within NIST SP A. The ISPP provides security control requirements and implementation guidance in accordance with NIST SP , Revision 3. The ISPP shall be used to assist in control implementation and development of security-related documentation (e.g., security plan, contingency plan, security assessment plan, configuration management plan, etc.) for OPM information systems.
The controls in this document shall be addressed and documented throughout the system development lifecycle (SDLC). OPM information systems shall be assessed against a subset of these controls at least annually to determine the effectiveness of implemented controls. The ISPP applies to OPM information and information resources, including contractor supported and/or hosted OPM information systems, and to representatives who are granted authorized access to these systems and information. Information includes data that is collected, processed, maintained, used, shared, disseminated, or disposed of by OPM. Information may exist in either physical or digital form. Information resources include information technology (e.g., hardware, software, and media), facilities, and personnel. Combinations of information resources that support the same business function or mission are referred to as an information system. Chapters 5-7 provide the OPM management, operational and technical security control families. Appendix H, OPM Defined Security Control Parameters, provides a reference to OPM minimum standard parameters and responsibilities for information systems. System Owners (SO) may implement more stringent parameters at their discretion.

Security Control Organization and Structure

Security controls described in this manual have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into management, operational, and technical controls by each NIST SP control family. A two-character identifier is assigned to uniquely identify each security control family. To identify each security control, a numeric identifier is appended to the family identifier to indicate the number of the control within the family. For example, CP-9 is the ninth control in the Contingency Planning family and AC-2 is the second control in the Access Control family. The security control structure includes the unique control name, an explanation or overview of the control (if necessary), and control statement(s) indicated by the use of the word "shall". The applicable security baselines of Moderate and High are noted in parentheses within or following the control statement. If the security baseline is not noted, the control applies to all OPM information systems, including Low. The control statement(s) provide specific security-related activities or actions to be carried out by the organization or by the information system. NIST has provided flexibility by allowing organizations to selectively define input values for certain parameters associated with some controls and control enhancements. This flexibility is achieved through the use of assignment and selection operations within the control. The OPM-defined parameters are part of the control, and the control implementation is assessed against the completed control statement. All OPM-defined parameters are noted in a red, bold, and italicized font.

Government-wide Controls

OPM information systems shall provide adequate, risk-based protection in the 18 control areas defined in FIPS 200 by using the appropriate NIST SP baseline security controls for the designated FIPS 199 impact level.
The SO, in coordination with the CISO, shall select an appropriate set of security controls and assurance requirements for their information system that satisfies the minimum security requirements and is tailored (enhanced or limited) based on the results of a risk assessment and local conditions, including common control or system-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances.

Agency-wide Controls (Common Controls)

Common controls provide a security capability for multiple information systems across OPM, which provide adequate, risk-based protection. Common controls are more cost-effective, and they provide more consistent information security across the organization. The allocation of common controls can also simplify risk management activities. Agency-wide (written as OPM-wide) common controls include management, operational, and technical controls that are applicable to OPM information systems. Common controls are inheritable by one or more information systems. A security control is inheritable by an information system or application when that system or application receives protection from the security control (or portions of the security control). Implementation and assessment of these controls is handled at the agency level. Unless a system has unique requirements, these controls are outside the direct control of application owners and are centrally maintained and managed.

Compensating Controls for Agency-wide Controls

Compensating security controls are the management, operational, or technical controls employed by an organization, in lieu of prescribed controls in the Low, Moderate, or High security SP control baselines, which provide equivalent or comparable protection for an information system. Compensating security controls shall be employed only under the following conditions:

- The SO or their representative, in coordination with the IT Security Office, selects the compensating controls from the security control catalog in NIST SP ;
- The SO develops a complete and convincing rationale and justification for how the compensating controls provide an equivalent security capability or level of protection for the information system; and
- The Authorizing Official (AO), in consultation with the CISO or CIO, assesses and formally accepts the risk associated with employing the compensating controls in the information system.

Only an OPM executive may accept risk. Risk acceptance requires a Risk Acceptance Memo and supporting risk assessment for justification. The use of compensating security controls must be reviewed, documented in the System Security Plan (SSP), and approved by the AO for the information system.

Organization-wide Security Control Augmentation and Parameters

Security control policies may be supplemented by OPM program offices with more stringent requirements based on site-specific risks, vulnerabilities, and threats; however, no decrease in control requirements may be made without written approval (see Section 1.3, Compliance, Enforcement, and Exceptions).
System Specific Security Controls and Parameters

A system-specific security control for an information system is a control that has not been designated as a common security control. OPM system-specific controls shall provide a security capability for a particular information system only. These controls are the primary responsibility of SOs and their respective AOs. OPM allocates security controls to an information system consistent with enterprise architecture and information security architecture. By allocating security controls to each information system as system-specific controls, hybrid controls, or common controls, OPM assigns responsibility and accountability to specific organizational entities for the overall development, implementation, assessment, authorization, and monitoring of those controls.

Policy on Exemptions to Agency-wide Controls

If compliance with any control requirement is technically impossible, cost prohibitive, or not feasible, risk acceptance may be requested using the Risk Acceptance Memo (Appendix E). The memo requires a control analysis which includes:

- Justification;
- Threat Identification;
- Vulnerability Identification;
- Likelihood Determination;
- Impact Analysis;
- Current Compensating Controls;
- Control Recommendations;
- Results Documentation;
- Risk Determination; and
- Acknowledgement of Risk.

The Risk Acceptance Memo requires a signature from the Designated Security Officer (DSO) and/or Information System Security Officer (ISSO), the SO, and the Authorizing Official (AO). Exemptions to policy for information systems may be approved or denied by the AO, in coordination with the CISO and/or the CIO, using a Policy Waiver form (Appendix D). Risk Acceptance Memos or Policy Waivers shall be referenced within, and included as attachments to, OPM System Security Plans (SSP).

Emerging Technologies

Personnel shall only use approved information solutions provided by OPM. A risk assessment shall be conducted for emerging technologies (e.g., social media networking sites, voice solutions, data solutions, etc.) not currently approved and provided by OPM. Emerging technologies may present unknown risk to OPM and its customers; therefore, it is crucial that the purpose, mitigating security controls, and associated risk be documented and approved. The Program Office shall request the use of emerging technologies through the IT Security and Privacy (ITSP) Office. The ITSP shall coordinate a risk assessment and formalize approval or denial of the requested emerging technology. The ITSP shall coordinate the evaluation of these technologies (approved and unapproved) on a case-by-case basis.

Cloud Computing

Cloud Computing is a newly defined model for the deployment of information services through a service provider which is gaining significant popularity among Federal organizations. Cloud Computing, as defined by the National Institute of Standards and Technology, is "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction."
Throughout this policy document, references to cloud computing exist in the particular security control areas that encompass cloud computing. In addition to the specific security control requirements for all information systems, OPM shall implement the following security policies associated with cloud computing as the organization looks to capitalize on the potential economic benefits of utilizing cloud computing:

- Prior to receiving services from a cloud provider, a risk assessment shall be performed to assess the overall risk to OPM, OPM systems, and OPM personnel associated with utilizing the services from the cloud provider.
- Contract agreements with cloud providers shall address OPM security requirements to the fullest extent possible.
- Compensating security controls shall be employed where OPM security requirements cannot be met by the cloud computing provider.
- The OPM Authorizing Official, CISO, and CIO must approve use of cloud resources prior to moving an OPM information system or services to a cloud environment.
- OPM systems operating in a cloud environment shall have a valid Authority To Operate (ATO).

Teleworking

OPM allows employees to work at alternative worksites as part of their regular tour of duty through the OPM telework program. Refer to the Telecommuting section of the Human Resources Handbook. Locations for telework may include employee homes, satellite telecommuting centers, or other approved sites away from the office. Employees working in non-OPM facilities must comply with all OPM security policies and procedures unless non-compliance is pre-approved by the CISO and documented. Below is a list of the security controls that are most relevant to the protection of OPM information and information systems in a teleworking environment. Additional information can be found in the specific control section of the policy document for the associated control.

- Remote Access (AC-17) - Teleworkers access OPM information and information systems remotely. Methods for remote access must be approved prior to implementation and only these methods may be used to gain access. Information systems are required to be monitored to ensure no unauthorized access is established. Remote access servers must be configured to comply with remote access policies.
- Wireless Access (AC-18) - Teleworkers often connect to the Internet through a wireless access point. These access points may be administered by external organizations, or by OPM personnel with limited knowledge of networking protocols. Wireless access points not maintained by OPM are assumed to be untrusted, and methods used to access OPM systems from these access points must include appropriate security measures to protect the information in transit and at each end point.
- Alternate Work Sites (PE-17) - In order to maintain security, the alternate work site must ensure the same level of security that exists at the primary work site. Alternate work sites may include government facilities or private residences of employees.
- Rules of Behavior (PL-4) / Access Agreements (PS-6) - All OPM personnel and contractors shall abide by the OPM Computer User Responsibilities, which are included within the OPM IT Access Request Form. Supervisors and users must sign the form before access is established. The user responsibilities apply to all users regardless of whether the user is located within OPM facilities or is teleworking.
- Security Awareness (AT-2) - OPM users are required to complete user awareness training prior to accessing OPM information and information systems, and to take an annual refresher. These requirements ensure that users are properly informed of appropriate security measures and how to implement them prior to being allowed access to OPM information and systems.
4. PRIVACY PROGRAM

The IT Security and Privacy (ITSP) Office of the Office of Personnel Management (OPM) is responsible for ensuring compliance across all departments in regards to Personally Identifiable Information (PII) protection and enforcing mandatory compliance with its Information Security and Privacy Policy (ISPP). OPM's Chief Information Officer (CIO) is responsible for establishing and maintaining the information security and privacy program at OPM, and also serves as the Chief Privacy Officer (CPO) (also known as the OPM Senior Agency Official for Privacy). This responsibility has been delegated to OPM's Chief Information Security Officer (CISO). The CISO continually reviews and monitors the status of OPM's information security and privacy controls by monitoring:

- The effectiveness of security and privacy control measures,
- Compliance with existing policies, procedures, standards, and guidelines,
- User awareness of information security and privacy, and
- Active adoption of the ISPP requirements.

For a further overview of the roles and responsibilities for privacy as they apply to OPM, please refer to Chapter 2, Roles and Responsibilities. The ITSP administrative responsibilities include establishing and maintaining an information technology (IT) security and privacy organization that is compliant with OPM's strategic goals and priorities, the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the Clinger-Cohen Act of 1996, and other applicable Federal IT security and privacy laws and directives. The OPM ITSP Office believes protecting privacy is a core consideration for every Federal organization, and it is best achieved when it is an integral part of the organization's business operations. Privacy shall be considered as part of the upfront assessment of policy and programmatic decision-making as well as business operations, application development, and related activities.

Privacy stewardship and governance shall be the keys to a successful privacy program. The organizational structure below provides a high-level representation of the ITSP program areas, to include Privacy.
Figure 2: ITSP Program Areas (Privacy)

This chapter establishes OPM's enterprise-wide policy on privacy in regards to the protection of PII, to avoid harm to individuals who have entrusted OPM with the handling of their personal data. It defines the requirements necessary to meet the fundamental privacy objectives of confidentiality, integrity, and availability. It also ensures that these requirements are effectively communicated and provides specific mandatory guidance for using, managing, and distributing OPM information in any form, electronic or paper. The policies in this document, and its references, apply to all OPM information and information technology resources as outlined in Chapter 1, Introduction. This policy supersedes all previously issued guidance on privacy. All OPM personnel (e.g., including Federal employees, independent consultants, and government contractors) involved in OPM programs shall comply with OPM privacy policy. The responsibility for implementation rests on the System Owner (SO) for the security and privacy of their system, platform, or application, not the CIO or CISO.

4.1 Privacy Framework

OPM has adopted the best-practices belief that a strong and multi-faceted privacy program will help ensure the organization considers privacy protections and controls when first making business decisions involving the collection, use, sharing, retention, disclosure, and destruction of PII, whether in paper or electronic form.
42 With this mindset, there are seven elements that can influence business decisions involving the use of new technologies or other interactions with the public, contractors, or employees that may not involve the collection and use of PII but may nonetheless raise privacy risks or concerns (e.g., the use of surveillance cameras, global positioning systems, or body imaging screening devices). Elements of a Federal Privacy Program identifies the fundamental building blocks of a robust privacy program. The seven elements are: Element 1 Leadership Element 2 Privacy Risk Management and Compliance Documentation Element 3 Information Security Element 4 Incident Response Element 5 Notice and Redress for Individuals Element 6 Privacy Training and Awareness Element 7 Accountability Each element corresponds to recommended best practices that are illustrative of the actions necessary to establish a comprehensive Federal privacy program. OPM's mission, as well as legal, regulatory, and operational obligations, requirements, and authorities, affect the design and implementation of this privacy program. OPM has implemented the above privacy program elements within the following functions: Privacy Policy and Procedure Development Privacy Impact Assessment (PIA) Maintenance Privacy Incident Management System of Records Notice (SORN) Computer Matching Agreements Regulatory Reporting Privacy Training Policy: OPM shall establish and maintain a privacy program that incorporates the requirements and practices as specified in the Privacy Act of The OPM Information Security and Privacy Policy (ISPP) shall serve as the foundation for the OPM privacy program. Policy shall be adjusted in accordance with changes to Federal or OPM policies, standards, procedures, guidance, and technology. OPM shall develop specific procedures and/or standards to support implementation of its privacy program. 
OPM shall use the Fair Information Practice Principles (FIPPs) as the policy framework to enhance privacy protections by assessing the nature and purpose of all PII collected to fulfill OPM's mission. FIPPs are rooted in the tenets of the Privacy Act of 1974, which govern the

appropriate use of PII. This framework shall be used in support of conducting Privacy Impact Assessments (PIAs) and System of Records Notices (SORNs). The FIPPs include:

- Notice and Awareness: Before collecting, using, and storing PII, the agency shares its information practices with individuals.
- Choice and Consent: Before using PII, the agency gives individuals a choice about how the information is to be used.
- Access and Participation: Individuals have the right to access information that has been collected about them and to request corrections to that information to ensure it is accurate and complete.
- Integrity and Security: Information is protected by security safeguards that prevent loss; theft; unauthorized access, destruction, or use; and unauthorized modification or disclosure of data.
- Enforcement and Redress: Willful violations of the Fair Information Practices are not tolerated.

For further guidance on the implementation of the privacy principles as they apply to OPM, contact the OPM Privacy Program Manager via [email protected].

4.2 PII Handling Requirements

Minimizing and Protecting the Collection of PII

The IT Security and Privacy (ITSP) Office recognizes that collecting PII is integral to the operations and functions of OPM, its components, and programs. As one of the Fair Information Practice Principles (FIPPs), data minimization underlies all OPM policies and procedures to ensure that PII is collected only to the extent authorized by law and necessary to accomplish the Agency's mission. OPM Program Offices inventory, document, and publish current holdings of PII through the use of PIAs and/or SORNs and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, complete, and reduced to the minimum necessary for the performance of a documented agency function.
As part of PII inventory and documentation review, OPM Program Offices shall assess their recordkeeping and disposal policies and practices as they pertain to holdings of PII.

Handling PII

The OPM Records Management Handbook sets standards for how OPM personnel shall handle PII because of the nature of the data and the increased risk to an individual if his or her data were

compromised. The Records Management Handbook explains how to identify PII, how to protect PII in various formats (e.g., paper, electronic), and what to do when PII is believed to have been compromised. It also contains instructions on encrypting data as well as frequently asked questions on specific procedures to follow when protecting PII. OPM personnel shall follow the Records Management Handbook for instructions on handling sensitive PII.

Managing Computer-Readable Extracts Containing Sensitive PII

Office of Management and Budget (OMB) Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, requires Federal agencies to have a process in place to log all computer-readable extracts (CREs) from databases holding sensitive information and to verify each extract, including whether the sensitive data has been erased within 90 days or its use is still required. SOs shall ensure that information systems log all CREs from databases holding sensitive information, and shall verify whether the extracted information has been erased within 90 days or its use is still required.

Information Sharing

The OPM IT Security and Privacy (ITSP) Office shall ensure that privacy is considered through review of all information sharing agreements (e.g., Memoranda of Understanding (MOU), Service Level Agreements (SLA), etc.). The Privacy Office's presence helps ensure that privacy is considered throughout the development cycle of each information-sharing initiative undertaken by the Agency.

Securing OPM Information Technology Systems that Contain PII

The OPM IT Security and Privacy (ITSP) Office shall work closely with the OPM CISO, the Information Technology Security Program Manager, SOs, Information System Security Officers (ISSOs), and Designated Security Officers (DSOs) to ensure that privacy is considered in information system security activities.
ITSP staff shall attend meetings related to PII to increase coordination and cooperation in securing PII within OPM information systems.

4.3 Privacy Compliance

The OPM IT Security and Privacy (ITSP) Office shall evaluate all new or proposed OPM information systems and programs for their impact on privacy. The Office is responsible for evaluating new technologies, programs, regulations, and legislation for potential privacy impacts, and for advising OPM senior leadership regarding implementation of corresponding privacy protections.

Identification and Compliance Oversight

The OPM IT Security and Privacy (ITSP) Office shall identify programs that must go through the privacy compliance process through two main avenues: the Federal Information Security Management Act (FISMA) Security Assessment and Authorization and the Office of

Management and Budget (OMB) Exhibit 300 budget process. Working with the OPM CIO and OPM Chief Financial Officer (CFO), the ITSP plays an integral role by serving as a subject matter expert for reviews of new IT programs and new budget programs to identify privacy compliance issues.

FISMA Privacy Reporting

Privacy and information security are closely linked, and strong practices in one area typically support the other. Ensuring the security of PII is one of the Fair Information Practice Principles (FIPPs). To that end, the OPM IT Security and Privacy (ITSP) Office shall monitor compliance with the privacy requirements under the Federal Information Security Management Act (FISMA). On a quarterly and annual basis, OPM ITSP shall report to OMB on progress in conducting Privacy Impact Assessments (PIAs) and issuing System of Records Notices (SORNs) for FISMA-based information systems.

OMB Exhibit 300s

The OPM IT Security and Privacy (ITSP) Office shall review all major information technology program capital expenditures on an annual basis, prior to submission to OMB for inclusion in the President's annual budget. The OMB Exhibit 300 submissions for OPM information systems shall demonstrate privacy investment planning. The ITSP staff shall work with each Program Office to complete the necessary documentation and ensure that appropriate privacy protections have been incorporated. The ITSP shall evaluate and score each investment based on its responses to a standardized set of questions. To receive a passing score, either the submission must include the appropriate privacy documentation or the ITSP must determine that the investment does not require privacy documentation.
The ITSP works in close cooperation with the OPM CIO and the OPM Chief Financial Officer (CFO) to ensure that OPM information technology investments meet the legal and policy standards set forth by OPM, OMB, and the Congress.

Compliance Documentation

The Privacy Impact Assessment (PIA) and System of Records Notice (SORN), described below, are the tools through which OPM assesses privacy in information systems and programs and tracks PII inventories. As part of the privacy compliance process, the OPM IT Security and Privacy (ITSP) Office shall work with program managers, system owners, and information security personnel to ensure that sound privacy practices and controls are integrated into OPM operations. To assist those responsible for completing privacy compliance documentation, the ITSP shall publish and/or refer to official guidance regarding the requirements and content for PIAs, SORNs, and Privacy Act (e)(3) Statements (disclosures required by subsection (e)(3) of the Privacy Act to appear on documents used by OPM to collect PII from individuals that will be maintained in a Privacy Act System of Records).

PIAs

The IT Security and Privacy (ITSP) Office shall provide support in conducting Privacy Impact Assessments (PIAs) on technologies (e.g., information systems, mobile devices, websites, social media, etc.), rulemakings, human resources, programs, and activities, regardless of their type or classification, to ensure that privacy considerations and protections are incorporated into all

activities of OPM. A PIA assesses how PII is collected, used, disseminated, and maintained. It examines how privacy is incorporated throughout the development, design, and deployment of a technology, program, or rulemaking. If a PIA is required, the program manager shall work closely with ITSP to complete the PIA using the OPM Privacy Impact Assessment (PIA) Guide. The PIA is intended to serve as a decision-making tool; it should be used at the beginning of the design stage of a project and updated as needed to address significant changes in the project. Once completed, the PIA shall be sent to ITSP for review and approval by the OPM Chief Privacy Officer (CPO). Approved PIAs shall be published on the OPM website unless they are classified, such as those for systems involving national security.

SORNs

The OPM IT Security and Privacy (ITSP) Office is responsible for managing the SORN process. The Privacy Act requires Federal agencies to issue a System of Records Notice (SORN) for every system of records under their control that collects PII and from which information is retrieved by an identifier. A SORN is a legal document used to promote transparency and provide notice to the public regarding rights and procedures for accessing and correcting PII maintained by an agency on an individual. To facilitate the SORN process, OPM has created a SORN template and published the OPM System of Records Notice (SORN) Guide. OPM issues two types of SORNs: (1) OPM-wide SORNs that cover multiple systems of records with common subject matter or functions across the entire Agency; and (2) component-specific SORNs that cover a system of records with subject matter or functions that apply to a specific component. A component-specific SORN may also cover a system of records that applies to more than one component but not to the Agency as a whole. Each OPM Program Office shall identify the system(s) of records for which it is responsible and complete the SORN process.
The ITSP shall work with Program Offices to determine whether a new system can be covered by an existing SORN or a new SORN needs to be drafted. The ITSP shall work closely with the project manager and legal counsel to draft a new SORN or update an existing one. The OPM Office of General Counsel shall perform a final review of each SORN. All SORNs shall be approved by the OPM Chief Privacy Officer (CPO) prior to publication.

Privacy Act (e)(3) Statements

The IT Security and Privacy (ITSP) Office shall develop guidelines for developing the Privacy Act Statements required by subsection (e)(3) of the Privacy Act when collecting PII from the public. Privacy Act Statements are required on most forms (paper and electronic) that OPM uses to collect PII from members of the public where the information will be entered into a system of records. These statements inform individuals, at the time their information is collected, of the legal authority for and purpose of the collection and how OPM will use the information. Privacy Act Statements also notify individuals whether providing the requested information is mandatory or voluntary and explain the consequences of failing to provide it.

4.3.5 Computer Matching Agreements

The IT Security and Privacy (ITSP) Office shall review and approve computer matching agreements between OPM and other Agencies. Computer matching agreements are also required to include procedures governing the recipient agency's use of information and procedures on notification to individuals, information verification, record retention, and records security.

Emerging & Mobile Network Technologies

The IT Security and Privacy (ITSP) Office shall review and approve emerging and mobile network technologies and standards that revolutionize how networks are operated and used, with special emphasis placed on mobile systems and communications (e.g., social media, personal devices, personal digital assistants (PDAs), USB devices, etc.). OPM relies heavily on the networking industry to research, develop, promote, measure, and deploy these technologies. Before an emerging or mobile network technology can be connected, in any form, to OPM or its property, a Privacy Impact Assessment (PIA) and a Risk Assessment shall be performed on the related technologies. Regardless of the technology used (e.g., social media websites, cell phones, cameras, etc.), OPM employees and contractors shall adhere to the same policies with regard to protection of sensitive data, including PII. The policies in this section, and its references, apply to all OPM emerging and mobile network technologies as outlined in Chapter 3, Security Program. Refer to the OPM Social Media Policy for additional information on blogs, message boards, social networking sites (e.g., MySpace, Facebook, etc.), video sharing, and other media sharing websites.

4.4 Education and Awareness

Mandatory Training

The IT Security and Privacy (ITSP) Office shall provide annual privacy awareness training for all new and current OPM employees and contractors. Training shall include instruction and materials on protecting PII and sensitive PII in OPM systems.
ITSP shall designate the required OPM annual privacy training course(s) for all OPM employees and contractors. This course expands on the basic privacy concepts initially presented in new employee orientation and provides an understanding of the essentials of the Privacy Act and the E-Government Act, including the individual's responsibility to use PII only for authorized purposes and to protect it from loss. ITSP shall provide copies of this training course to OPM Program Offices and to other Federal agencies as requested.

Supplemental Training

In addition to mandatory training, the IT Security and Privacy (ITSP) Office shall provide supplemental privacy training annually to its members (Privacy Officers). Training shall include instruction on privacy regulations, guidance, etc. specific to privacy program operations.

4.5 Privacy Complaints

The IT Security and Privacy (ITSP) Office shall ensure that OPM has procedures to receive, investigate, respond to, and provide redress for complaints from individuals who allege that the

Agency has violated their privacy. U.S. citizens, Lawful Permanent Residents (LPRs), visitors, and legal aliens may all file complaints or inquiries through a broad array of channels including telephone, e-mail, facsimile, OPM redress programs, and U.S. mail. Refer to OPM's Notice of the Office of Personnel Management's Privacy Practices (NPP).

4.6 Managing Privacy Incidents

The OPM Situation Room (SitRoom) is responsible for implementing and managing OPM's privacy incident response program. Working with the Office of Inspector General (OIG), the OPM CIO, and the IT Security and Privacy (ITSP) Office, the SitRoom shall ensure that all OPM privacy and computer security incidents are identified, reported, and appropriately responded to in order to mitigate harm to individuals and to OPM-maintained assets and information. OPM employees and contractors shall immediately report any breach of PII to the SitRoom. Reference OPM's Records Management Handbook, which informs OPM employees and contractors of their obligation to protect the PII they are authorized to handle and how they must respond to any suspected or confirmed loss or compromise of PII.

5. MANAGEMENT CONTROLS

5.1 Planning (PL)

Planning (PL) security controls address the development and maintenance of security documentation and the planning activities associated with the implementation of a risk-based security program. All Office of Personnel Management (OPM) systems process, store, and/or transmit sensitive information and require protection as part of risk management.

Policy: System Owners (SO) shall develop, document, update at least annually, and implement System Security Plans (SSP) for information systems. SSPs shall describe the security controls in place or planned, and the rules of behavior for individuals accessing the system. Privacy Impact Assessments (PIA) shall be maintained for information systems that contain information covered by the Privacy Act.

Security Planning Policy and Procedures (PL-1)

The policies under this family shall be implemented with the OPM Security Planning Procedure. Security planning procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

System Security Plan (PL-2)

Pursuant to Office of Management and Budget (OMB) Circular A-130, a System Security Plan (SSP) is required for all Major Applications (MA) and General Support Systems (GSS). All OPM systems are required to have an SSP, either addressed as a sub-system or minor system within the SSP of a larger system or in an SSP specific to the system. SSPs shall be developed in accordance with the OPM SSP template included as part of OPM's Security Assessment and Authorization Procedure. The purpose of the SSP is to provide an overview of the security requirements of the system and to describe the controls, their status (In Place, Planned, Not Applicable), and how they are implemented in the system. The plan also delineates the responsibilities and expected behavior of all individuals who access the system.
The SO, in consultation with the Designated Security Officer (DSO) and Information System Security Officer (ISSO), shall:

Develop and implement an SSP for each information system that:
- Is consistent with OPM's enterprise architecture;
- Explicitly defines the authorization boundary for the system;
- Describes the operational context of the information system in terms of missions and business processes;
- Provides the security categorization of the information system, including supporting rationale;
- Describes the operational environment for the information system;

- Describes relationships with or connections to other information systems;
- Provides an overview of the security requirements for the system;
- Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions; and
- Is reviewed and approved by the Authorizing Official (AO) or designated representative prior to plan implementation.

Review the SSP for the information system at least annually and submit the updated SSP to the Chief Information Security Officer (CISO) office; and

Update the SSP to address changes to the security posture of the system based on newly implemented security controls, results of security assessments, or changes to the operational environment.

Rules of Behavior (PL-4)

Rules of behavior clearly delineate the responsibilities and expected behavior of all individuals with access to information and an information system. The rules state the consequences of noncompliance. The rules of behavior are made available to every user prior to receiving authorization for access to the system. The CISO (for OPM-wide rules of behavior) and the SO (for system-specific rules of behavior) shall:

- Establish and make readily available to all information system users a set of rules that describe their responsibilities and expected behavior with regard to information and information system usage.
- Receive signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.

OPM considers different sets of rules based on user roles and responsibilities, for example, differentiating between the rules that apply to privileged users and the rules that apply to general users.
For access to OPM systems, all OPM personnel and contractors shall abide by the OPM Computer User Responsibilities, which are included within the OPM IT Access Request Form. Supervisors and users must sign the form before access is established. The user responsibilities apply to all users regardless of whether the user is located within OPM facilities or is teleworking. For privileged (administrative) access, OPM personnel and contractors shall sign and abide by the OPM Rules of Behavior for Privileged Use of Information Technology Systems. Application- or system-specific rules of behavior may be developed and maintained by Program Management Offices (PMO) if the application has specific rules in addition to those specified in the OPM Computer User Responsibilities.

Privacy Impact Assessment (PL-5)

OPM handles a large volume of information that is subject to the Privacy Act of 1974; therefore, OPM must ensure that the appropriate practices and protections are in place and applied. This has become particularly important as developments in information technology have allowed information to be quickly and easily collected, and have allowed OPM to provide quicker and more efficient services to the public. Federal agencies are tasked by the E-Government Act to conduct Privacy Impact Assessments (PIA) to ensure the protection of personally identifiable information (PII). A PIA is an analysis of how personal information is collected, stored, shared, and managed in an information system.

SOs of OPM information systems shall conduct a Privacy Threshold Analysis (PTA) in compliance with the E-Government Act of 2002, the Privacy Act, OMB, and National Institute of Standards and Technology (NIST) guidance. PTAs are used to determine whether a system contains PII, whether a PIA is required, whether a System of Records Notice (SORN) is required, and whether any other privacy requirements apply to the information system. All OPM information systems shall have a PTA. If the PTA reveals that the system collects no information in identifiable form, the Privacy Program Manager will indicate in the PTA review that no PIA is required. The PTA shall be incorporated into the system Security Authorization documentation. If the PTA indicates that a PIA is required, the Privacy Program Manager reviews the PTA and provides further instructions and guidance to the SO on conducting the PIA. The PIA shall be approved by the SO, Chief Information Officer (CIO), and Chief Privacy Officer (CPO). The completed PIA will be incorporated into the Security Authorization documentation and posted on the OPM website.
The SO shall review their PTA and PIA (if applicable) at least annually and document whether there are any changes to the system, as required by Federal Information Security Management Act (FISMA) reporting. These documents shall be provided to the Chief Information Security Officer's (CISO) office for review as part of the annual assessment. If there are no changes, an update is required every three (3) years, consistent with the security authorization process. OPM publishes the PIA publicly on the OPM website.

It is important to note that systems that require a PIA may also require a SORN and an Information Collection Request (ICR). Also note that completing a PIA does not fulfill the Privacy Act requirement to complete a SORN. Under the Privacy Act, Federal agencies must issue public notices, known as SORNs, in the Federal Register for systems that maintain, collect, use, or disseminate information about individuals and that use a personal identifier such as an ID number, social security number, date of birth, or other element to retrieve the information. Under the Paperwork Reduction Act (PRA), agencies must submit an ICR and obtain an OMB electronic information collection approval number (also known as an OMB control number) for an information system before using that system to collect information from ten (10) or more members of the public, whether or not the information is considered to be information in identifiable form.

The SO, in conjunction with the CIO and CPO, shall perform an analysis of the privacy risks identified as a result of the PIA and ensure that appropriate mitigating procedures and system

controls are implemented to adequately protect PII stored, processed, or transmitted within the information system. The Program Management Offices (PMO) shall conduct oversight to ensure that OPM personnel (e.g., investigators, retirement specialists, etc.) properly protect PII and that customer agencies, service providers, etc. adhere to the agreed-upon privacy protection measures established through Memoranda of Understanding/Agreement (MOU/As), Service Level Agreements (SLAs), contracts, etc. Oversight can be established through periodic, structured evaluations of business procedures, interviews with OPM personnel and personnel acting on behalf of OPM, annual testing of information system security controls, etc.

Reference the Privacy Chapter within this document, the OPM Privacy Guide, the OPM System of Records Notice Guide, and the OPM Paperwork Reduction Act for additional information. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), provides additional guidance on the protection of PII.

Security-Related Activity Planning (PL-6)

The SO, in coordination with the DSO and ISSO, shall plan and coordinate security-related activities affecting the information system before conducting such activities, in order to minimize the impact on OPM operations (e.g., mission, functions), image, reputation, OPM assets, and individuals. This applies to all systems regardless of system security categorization level (Federal Information Processing Standards (FIPS) 199). OPM security-related activities include, but are not limited to, risk assessments, system hardware and software maintenance, vulnerability scanning, penetration testing, security controls testing, security impact analysis, table-top exercises, and disaster recovery exercises. Security-related planning must address both emergency and non-emergency situations.
These security-related activities shall be completed as defined in the System Development Life Cycle (SDLC). For contractor systems, the SO and ISSO shall participate in all facets of the contractor's security-related activities. The SO shall provide written confirmation that testing is conducted on an annual basis.

5.2 Security Assessment and Authorization (CA)

Security Assessment and Authorization (CA) controls provide guidance for the Security Assessment and Authorization (formerly Certification and Accreditation (C&A)) policy and procedures, Security Assessments, Information System Connections, Plans of Action and Milestones (POA&Ms), Security Authorization, and Continuous Monitoring. Authorization to operate (ATO) information systems and associated information system connections is based on a formal Security Assessment and Authorization process. Authorization is required for all Office of Personnel Management (OPM) information systems and information system interconnections.

Establishing system authorization boundaries is a challenging task for OPM and across the Federal government. The Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) provide broad flexibility in establishing system authorization boundaries. NIST recommends that organizations consider the following when establishing system boundaries:

- Management Control: Are all components under the same management?
- System Purpose or Business Objective: Do all components within the authorization boundary support the same business objective?
- Operating Environment: Are all components operating within the same operating environment?

Establishing too many small, low-risk information systems can pose an unnecessary burden on OPM and OPM resources in maintaining the necessary security documentation and requirements; however, establishing too large and complex a system can pose significant obstacles to truly assessing and maintaining security across the entire boundary, potentially with competing management interests across components of the system. Authorization boundaries shall be developed with the approval of the System Owner (SO) and the Chief Information Security Officer (CISO).
Authorization packages are comprised of several primary security documents, including the System Security Plan, POA&M, and Security Assessment Report. These documents contain sensitive information regarding OPM systems and shall be handled accordingly. Authorization packages shall not be sent outside OPM without prior CISO approval. Authorization packages shall not be copied or duplicated. Requests by external organizations or personnel to review Authorization packages shall be granted only for on-site reviews.

Policy: Information systems shall be authorized to operate based on a determination and acceptance of risk informed by the results of a security assessment. Security authorization shall be updated at least every three (3) years or when there is a significant change to the system. Information system security controls shall be continuously monitored and assessed annually to ensure continued effectiveness. All information system security controls shall be assessed for authorization; a subset of security controls shall be assessed as part of continuous monitoring.

POA&Ms shall be developed and implemented to correct deficiencies and reduce vulnerabilities in information systems.

Security Assessment and Authorization Policies and Procedures (CA-1)

The policies under this control are implemented with the OPM Security Assessment and Authorization Procedure. Assessment and Authorization procedures shall be developed and disseminated by the OPM Information Security and Privacy Group. The procedures shall be reviewed at least annually and updated as determined necessary.

Security Assessments (CA-2)

A Security Assessment Plan (SAP) shall be developed for each information system that outlines the scope of the assessment, the selected security controls and devices, the procedures to determine effectiveness, the physical and logical environment, and the assessment team. The current version of National Institute of Standards and Technology (NIST) SP 800-53/800-53A shall be used as the basis for documenting and assessing system security controls. For security controls not included in SP 800-53/800-53A, the method by which the control is tested shall be documented in the SAP.

Security control assessments shall be conducted at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. To satisfy the Federal Information Security Management Act (FISMA) annual assessment requirement, results from any of the following sources may be used, including but not limited to: (i) assessments conducted as part of an information system authorization or reauthorization process, when all controls are assessed; (ii) continuous monitoring (see CA-7), when a subset of controls is assessed; or (iii) testing and evaluation of an information system as part of the ongoing system development life cycle (SDLC), provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness.
Existing security control assessment results are reused to the extent that they are still valid and are supplemented with additional assessments as needed. A Security Assessment Report (SAR) documenting the results shall be provided to the Authorizing Official (AO) for risk determination and acceptance as part of initial and continued system authorization.

An independent assessor or assessment team shall be employed by OPM for security assessments supporting authorization and re-authorization. An independent assessor or assessment team is any individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain associated with the information system or to the determination of security control effectiveness. Independent security assessment services can be obtained from other elements within the agency or can be contracted to a public or private sector entity outside the organization. Contracted assessment services are considered independent if the information system owner is not directly involved in the contracting process or cannot unduly influence the impartiality of the assessor or assessment team conducting the assessment of the security controls in the information system. The AO, in consultation with the CISO, determines the required level of assessor independence

based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets, and to individuals. (Moderate and High)

OPM shall include as part of security assessments in-depth monitoring, malicious user testing, penetration testing, vulnerability scanning, or other forms of testing as designated and approved by the Information System Security Officer (ISSO), Designated Security Officer (DSO), SO, and CISO. (High)

Information System Connections (CA-3)

The SO, Authorizing Official (AO), CISO, and Chief Information Officer (CIO) shall:

- Authorize connections from OPM information systems to other information systems outside of the system authorization boundary through the use of Interconnection Security Agreements (ISA);
- Document, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
- Monitor the information system connections on an ongoing basis, verifying enforcement of security requirements.

A system interconnection is defined as the direct connection of two or more information systems for the purpose of sharing data and other information resources. A system interconnection has three basic components: two information systems (System A and System B) and the mechanism by which they are joined (the pipe through which data is made available, exchanged, or passed one-way only). System A and System B are owned and operated by different organizations (e.g., OPM and Treasury). Systems may be connected using a dedicated line that is owned by one of the organizations or is leased from a third party (e.g., an Integrated Services Digital Network (ISDN), T1, or T3 line). A less expensive alternative is to connect systems over a public network (e.g., the Internet) using a virtual private network (VPN). A VPN is a data network that enables two or more parties to communicate securely across a public network by creating a private connection, or tunnel, between them.

All dedicated connections to information systems outside of the system boundary that are owned and operated by another agency or contractor shall be authorized using an Interconnection Security Agreement (ISA). Program Offices may develop a Memorandum of Understanding (MOU) to document the purpose for direct interconnection as necessary. The name of the external organization and system, and the current date of the ISA and MOU (if applicable), shall be listed as an interconnection in the System Security Plan (SSP).

The ISA is a security document that specifies the technical and security requirements for establishing, operating, and maintaining the interconnection. Specifically, the ISA documents the requirements for connecting the information systems, describes the security controls that will be used to protect the systems and data, contains a topological drawing of the interconnection, and provides a signature line. The MOU documents the terms and conditions for sharing data and information resources in a secure manner. Specifically, the MOU defines the purpose of the interconnection; identifies relevant
authorities; specifies the responsibilities of both organizations; and defines the terms of agreement, including apportionment of costs and the timeline for terminating or reauthorizing the interconnection. The MOU should not include technical details on how the interconnection is established or maintained; that is the function of an ISA.

A single ISA and MOU (if applicable) may cover multiple system connections from multiple systems within OPM to the same external organization. MOUs and ISAs are valid for three years from the date of the last signature on the document and shall be reviewed at least every two years. All MOUs and ISAs are stored by the Program Office (PO) responsible for the OPM system(s) involved in the interconnection. ISAs shall be included as part of the Authorization Package submitted to the AO for the authorization decision. Management and coordination of MOUs and ISAs are the responsibility of the SO and Information Owner (IO), who are responsible for storing and safeguarding them.

If both systems are owned by the organization, MOUs and/or ISAs are not required, but the interface characteristics between the systems shall be documented in the respective SSPs. An ISA is not required for information sharing with information systems outside of the system boundary that are owned and operated by another agency or contractor where there are no direct connections; however, these scenarios may be documented using an MOU. Information sharing may be over an electronic link or other information exchange (e.g., shipment of tapes) between two systems. Characteristics that describe information sharing when there is no direct interconnection between systems shall be documented in the respective SSPs.

Plan of Action and Milestones (POA&Ms) (CA-5)

The SO shall:

- Develop a plan of action and milestones (POA&Ms) for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
- Update the existing plan of action and milestones quarterly for low and moderate systems, and monthly for high systems, based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

POA&Ms shall be submitted quarterly for low and moderate systems, and monthly for high systems, to the OPM IT Security and Privacy (ITSP) Office in accordance with Office of Management and Budget (OMB) and other guidance. All new vulnerabilities shall be entered into the appropriate POA&Ms within: one (1) month of identification for program-level weaknesses and those for Federal Information Processing Standard (FIPS) 199 HIGH systems; and two (2) months for weaknesses for other systems.

Vulnerabilities that are determined to pose a low risk to OPM are ideal candidates for risk acceptance. The determination to accept risk for low risk vulnerabilities must be made based on the operating environment of the system and includes analysis of the total risk posed to OPM
based on the entirety of all low risk vulnerabilities for a system. Risk shall not be accepted for Low risk vulnerabilities where the collection of Low risk vulnerabilities raises the risk of system operation to a Moderate or High level. All risk acceptance decisions are made in consultation with the CISO. Refer to the OPM POA&Ms Guide and PM-4 for additional information.

Security Authorization (CA-6)

The Authorizing Official (AO) shall authorize information systems for processing before commencing operations, based on determination and acceptance of the risks identified through security assessment. Security authorization shall be updated at least every three (3) years or when there is a significant change to the system. The CISO shall review security assessments for compliance and risk determination prior to the authorization decision. Additional guidance regarding the Office of Personnel Management's (OPM) authorization process is contained within OPM's Security Assessment and Authorization Procedure.

Security authorization is the official management decision, conveyed through the authorization decision document, given by a senior organizational official or executive (e.g., AO) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. AOs typically have budgetary oversight for information systems or are responsible for the mission or business operations supported by the systems. Security authorization is an inherently federal responsibility and therefore AOs shall be federal employees. AOs are in executive management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. AOs shall grant one of three authorization decisions based on CISO or CIO concurrence. These decisions are:

- Authorization To Operate (ATO): This decision grants authorization to operate a system for three years or until a major change. Any limitations or restrictions are documented in the authorization letter detailing the authorization decision.
- Limited Authorization To Operate: This decision allows the system to operate; however, the length of the authorization is 60, 90, or 180 days and it is subject to specific restrictions (as documented in the authorization letter). After the limited period of authorization, a new decision must be made based on an updated authorization package and reduction of risk.
- Denial of Authorization to Operate: This decision requires the system to cease operations until risks are reduced to an acceptable level, as documented in the authorization letter.

Systems may include external components (outside the OPM authorization boundary) or the entire system may be managed by an external provider. This external provider may either be contracted to OPM or be another Federal organization. Each of these types of external systems requires the authorization steps to be completed, but depending on the external organization, different approaches may apply. For external systems and services that are contracted to OPM:
- The contractor can perform assessment steps with OPM input (other than inherently federal government responsibilities).
- OPM manages the assessment and authorization process.
- OPM makes the official authorization decision.

For external systems that are contracted to OPM and shared with other Federal organizations, there can be reciprocity for Security Assessment and Authorization packages based on the following conditions:

- The information system must have a valid Authority to Operate (ATO) issued by a Federal Agency Senior Executive.
- The security assessment and authorization must be done per current Federal Information Security Management Act (FISMA)/National Institute of Standards and Technology (NIST) guidelines and requirements. ISO 27001 and DIACAP certification may be considered for acceptance after review for compliance with NIST guidelines. CISO approval is required if done outside of NIST guidelines.
- The OPM Program Office must perform a risk analysis.
- The OPM IT Security Office will review all authorization data, and may conduct a site visit to ascertain compliance, variances, and/or exceptions found in the review.
- The Program Office Senior Executive must assume all risk in the form of an MOU, identifying that any changes in the status or security infrastructure of the system must be relayed immediately to the OPM Program Office and IT Security Office.
- The OPM IT Security Office must perform an assessment to determine if there is an adequate trust level between OPM standards/policies and those of the other organization.

The adoption of public or private cloud computing models requires cloud information systems to meet the same requirements identified for federal departments and agencies. The security authorization decision for a cloud computing environment remains with the federal agency, and that decision is built on a chain of trust abstracted through various cloud models and external service providers.

NIST defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. A public cloud is a vendor that hosts both commercial and federal agency resources within the same common infrastructure. Private (government dedicated) clouds are either government owned clouds or clouds owned by a commercial organization that creates a separate infrastructure strictly for use by federal agencies.

Continuous Monitoring (CA-7)

The ISSO/DSO and technical managers, in consultation with the SO, Authorizing Official (AO), and CISO, shall assess all security controls in an information system during the initial security authorization. Subsequent to the initial authorization and in accordance with OMB policy, a subset of the controls shall be assessed annually as part of continuous monitoring activities
(ongoing security operations). SOs shall report the security state of the information system to appropriate organizational officials at least annually.

For new security authorizations and re-authorizations, the testing accomplished during the security assessment meets the annual Federal Information Security Management Act (FISMA) testing requirement. Therefore, a separate annual assessment is not required. The anniversary date of the authorization shall be used as the due date for the annual assessment. Testing of a system's security-relevant changes that occur out of the authorization cycle but do not necessarily constitute a major change necessitating a new authorization meets the annual FISMA testing requirement.

The selection of an appropriate subset of security controls for security assessment is based on the Federal Information Processing Standard (FIPS) 199 security categorization of the information system and the specific security controls selected and employed to protect the information system. All other controls shall be assessed at least once during the information system's 3-year authorization cycle. Priority for selection of security controls to be tested shall be based on completed POA&Ms, recent system changes, and highly volatile security controls. There is no set number of controls to be tested annually; however, the number of controls should take into account the FIPS 199 security categorization level of the system. Controls selected for testing should not be limited to technical controls, but should also include operational and management controls, since they are volatile due to personnel turnover, degradation in infrequently used skills, and other factors. For example, access control lists and permissions (both for general support systems and applications) must be continuously maintained as a result of personnel transfers or terminations. SOs shall also consider the importance of system-specific controls that are not necessarily highly volatile, and POA&M items.

A SAP shall be developed for information systems that outlines the scope of the assessment, the selected security controls and devices, the procedures used to determine effectiveness, the physical and logical environment, and the assessment team. The current version of NIST SP /800-53A shall be used as the basis for documenting and assessing system security controls. For security controls not included in /800-53A, the method by which the control is tested shall be documented in the SAP.

Remediation evidence shall be recorded within the testing documentation when weaknesses are immediately corrected. Planned corrective actions shall be entered into the POA&Ms for weaknesses not immediately corrected. Changes to the system shall be documented in the SSP and shall be assessed prior to implementation to determine impacts to the security controls established for the system. Noted deficiencies shall be addressed in the POA&Ms. Information systems and their constituent components shall be included within a configuration management process to ensure baseline security configurations are maintained.
5.3 Risk Assessment (RA)

Risk Assessment (RA) security controls provide guidance for identification and management of security risks to information systems. Risk assessment is an ongoing process of identifying the likelihood of a given threat-source exercising a potential vulnerability, and the resulting impact of that adverse event on the information system and organization. Risk management is a process that allows Program Management Offices (PMO) to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the information systems and data that support their missions.

Risk assessments are performed throughout the system development life cycle (SDLC) to assess security threats and vulnerabilities and ensure the appropriate security controls are planned and implemented. Therefore, risk assessment should be completed as part of system design, prior to system implementation, and on routine changes to the system. Risk assessments address the magnitude of harm that could result from the loss, unauthorized modification, or disclosure of information (including information and information systems managed and operated by external parties).

The risk assessment process shall be integrated within the SDLC and shall be tailored to the particular phase of the Office of Personnel Management (OPM) SDLC in which it occurs. Some risk assessment activities may not take place in all phases of the SDLC, or may take on a modified methodology. When assessing a system, provisions should be made for those security activities that may be missing. Part of the assessment will be determining which, or how many, activities need to be completed from prior phases in the SDLC. With respect to risk assessments completed by OPM personnel, phases include Initiation, Acquisition/Development, Operations/Maintenance, and Disposal.

Policy: OPM shall assess the risk to operations (including mission and functions), image, reputation, assets, and individuals resulting from the operation of information systems and the processing, storage, and transmission of information whenever change occurs. Initial vulnerability scans for new systems and routine scans as part of ongoing continuous monitoring shall be conducted.

Risk Assessment Policy and Procedures (RA-1)

The policies under this family are implemented with the OPM Risk Assessment Procedure. Risk assessment procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Security Categorization (RA-2)

The System Owner (SO) shall ensure categorization of the information system and the information processed, stored, or transmitted by the system in accordance with Federal Information Processing Standard (FIPS) 199, National Institute of Standards and Technology (NIST) SP , and other applicable laws, Executive orders, directives, policies, regulations, standards, and guidance, using the OPM FIPS 199 template. The security categorization results (including supporting rationale) shall be documented in the System Security Plan (SSP). The Authorizing Official (AO) shall review and approve the security categorization.
To establish sensitivity ratings, the security categorization for each information type and for the information system shall be determined. The criteria for establishing security categories are defined in NIST SP , Guide for Types of Information and Information Systems to Security Categories. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, provides criteria to determine the potential impact level for each security objective. Establishing an SC requires determining the potential impact for each security objective associated with an information type. Once the NIST SP sensitivity ratings have been established for each information type, that information is used to determine the SC for the system.

An initial Preliminary Risk Assessment provides the foundation for the SSP, including the establishment of a system's sensitivity level by identification of Security Categories for the information system and information type, identification of threats to the system, determination of information and system sensitivity levels (FIPS 199), and validation of the security controls necessary (NIST SP ) to ensure security.

OPM shall conduct the security categorization process as an organization-wide activity with the involvement of the SO, Information System Security Officer (ISSO), Information Owner (IO), Chief Information Security Officer (CISO), and Chief Information Officer (CIO). The security categorization process facilitates the creation of an inventory of information assets. A clearly defined authorization boundary is a prerequisite for an effective security categorization. Security categorization describes the potential adverse impacts to organizational operations, organizational assets, and individuals should the information and information system be compromised, resulting in a loss of confidentiality, integrity, or availability.
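As an added worked example (not part of this handbook or any OPM template), the step described above is carried through in Python: per-objective impact ratings for each information type are rolled up to the system security category by the FIPS 199 high-water mark, and the resulting overall level is mapped to the cadences this handbook ties to it in CA-5 and RA-5. The information types, their ratings, and the function names are this example's own assumptions, constructed for illustration.

```python
"""FIPS 199 security categorization by high-water mark.

Added worked example, not OPM code. The information types and ratings are
constructed sample data, and the function names are this example's own.
"""
from typing import Dict

IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample data: provisional impact ratings per information type, as an
# information-type mapping exercise would record them. N/A is only meaningful for
# the confidentiality of information that is already public.
SAMPLE_INFORMATION_TYPES = {
    "Personnel records (PII)":     {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "Public web content":          {"confidentiality": "N/A",      "integrity": "LOW",      "availability": "LOW"},
    "Benefits payment processing": {"confidentiality": "MODERATE", "integrity": "HIGH",     "availability": "MODERATE"},
}


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Derive the system security category: for each objective, take the highest
    impact assigned to any information type (the FIPS 199 high-water mark).
    FIPS 199 does not permit N/A at the system level, so each objective is at
    least LOW even if every information type rated it N/A."""
    if not info_types:
        raise ValueError("at least one information type is required")
    sc = {}
    for objective in OBJECTIVES:
        highest = "LOW"
        for name, ratings in info_types.items():
            rating = ratings.get(objective, "N/A").upper()
            if rating not in IMPACT_ORDER:
                raise ValueError(f"{name}: unknown {objective} rating {rating!r}")
            if IMPACT_ORDER[rating] > IMPACT_ORDER[highest]:
                highest = rating
        sc[objective] = highest
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level of the system (the level that selects the control
    baseline): the highest of the three objectives."""
    return max((sc[o] for o in OBJECTIVES), key=lambda r: IMPACT_ORDER[r])


def format_sc(sc: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


def handbook_cadences(overall: str) -> Dict[str, str]:
    """Frequencies this handbook ties to the FIPS 199 level (CA-5 and RA-5)."""
    high = overall == "HIGH"
    return {
        "vulnerability_scan": "quarterly" if high else "semi-annually",
        "poam_update_and_submission": "monthly" if high else "quarterly",
        "new_vulnerability_poam_entry": "within 1 month" if high else "within 2 months",
    }


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(format_sc(sc))
    level = overall_impact(sc)
    print("overall impact:", level)
    for item, cadence in handbook_cadences(level).items():
        print(f"  {item}: {cadence}")
```

With the constructed data the one HIGH integrity rating on the payment-processing type lifts the whole system to HIGH, which is the point of the high-water mark: the system inherits the most demanding rating of anything it stores, processes, or transmits, and with it the monthly POA&M and quarterly scanning cadences.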
Potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts shall also be considered in categorizing information systems.

Risk Assessment (RA-3)

Risk assessments (either formal or informal) can be conducted by organizations at various steps in the Risk Management Framework (RMF), as they are integrated into every phase of the system development life cycle (SDLC). Risk assessments shall be accomplished prior to the implementation of system changes to determine impacts to the security controls established for the system. Risk assessments support, and also may be part of, the Security Assessment and Authorization process. Risk Assessments for OPM systems are documented in the Security Assessment Report (SAR), which contains both the risk assessment methodology and the results of the risk assessment.

OPM SOs shall ensure:

- Assessment of risk is conducted, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits which supports the operations and assets of OPM (including information and information systems managed and operated by external parties);
- System risk assessment results are documented in the Security Assessment Report (SAR);
- The SAR is updated at least annually and submitted to the CISO office; and
- The SAR is updated at least annually in conjunction with the security assessment, or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk posed to organizational operations and assets, individuals, other organizations, and the Nation based on the operation of the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). Risk assessments also take into account public access to OPM information systems. In accordance with Office of Management and Budget (OMB) policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. Reference IA.

Vulnerability Scanning (RA-5)

Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. The security categorization of the information system guides the frequency and comprehensiveness of the vulnerability scans. Vulnerability analysis for custom software and applications may require additional, more specialized techniques and approaches (e.g., web-based application scanners, source code reviews, source code analyzers).

System Owners (SOs) shall ensure:

- Scanning for vulnerabilities in the information system and hosted applications is completed at least quarterly for high systems and semi-annually for other systems, and when new vulnerabilities potentially affecting the system/applications are identified and reported.
- Employment of vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
  - Enumerating platforms, software flaws, and improper configurations;
  - Formatting and making transparent checklists and test procedures; and
  - Measuring vulnerability impact.
  Security Content Automation Protocol (SCAP) validated tools shall be used where and when available (e.g., Federal Desktop Core Configuration (FDCC)). Tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities shall be considered. The Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD) are also excellent sources for vulnerability information.
- Analysis of vulnerability scan reports and results from security control assessments, and tracking in the Plan of Action and Milestones (POA&Ms) of vulnerabilities that could not be remediated within 30 days.
- Remediation of legitimate vulnerabilities in accordance with the OPM Risk Assessment Procedure. Note: Risk must be assessed for all vulnerabilities identified during scanning. The remediation timeline applies to vulnerabilities that OPM plans to address, and does not apply to proven false positives or to vulnerabilities whose risk will be accepted.
- Sharing of information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

OPM shall employ vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned. (Moderate and High)

SOs shall ensure:

- The list of information system vulnerabilities scanned is updated weekly or when new vulnerabilities are identified and reported.
- Employment of vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
- Attempts are made to discern what information about the information system is discoverable by adversaries.
- Privileged access authorization to system devices (network components, servers, workstations, etc.) and databases is included for selected vulnerability scanning activities to facilitate more thorough scanning.
- Employment of automated mechanisms to detect, in real time, the presence of unauthorized software on organizational information systems and notify designated organizational officials. (High)
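An added example, not from this handbook or any OPM tool: a small triage routine in Python over a constructed scanner export that applies the RA-5 rules above. It flags open findings older than 30 days for POA&M tracking, excluding proven false positives and findings whose risk has been accepted as the note above directs, and it groups CVE identifiers confirmed on more than one system as the "systemic weaknesses" the section says should be shared across the organization. The CSV layout, system and host names, dates, and the CVE-0000-* identifiers are constructed placeholders, and the function names are this example's own.

```python
"""Triage of vulnerability scan findings against the RA-5 rules in this handbook.

Added example, not OPM code. The CSV layout, system names, dates and the
CVE-0000-* identifiers below are constructed placeholders.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed scanner export: one finding per row. Status values follow the
# distinction the handbook draws: open, proven false positive, or risk accepted.
SAMPLE_SCAN_EXPORT = """\
system,host,cve,severity,first_seen,status
HR-PAYROLL,hr-db-01,CVE-0000-0001,HIGH,2011-01-10,open
HR-PAYROLL,hr-web-02,CVE-0000-0002,MEDIUM,2011-03-15,open
BENEFITS,ben-app-01,CVE-0000-0001,HIGH,2011-02-01,open
BENEFITS,ben-app-01,CVE-0000-0003,LOW,2011-01-05,false_positive
PUBLIC-WEB,www-01,CVE-0000-0001,HIGH,2011-03-20,open
PUBLIC-WEB,www-01,CVE-0000-0004,MEDIUM,2011-01-20,risk_accepted
"""

# RA-5 above: vulnerabilities not remediated within 30 days are tracked in the POA&Ms.
POAM_TRACKING_DAYS = 30
# RA-5 note above: the remediation timeline does not apply to proven false
# positives or to vulnerabilities whose risk will be accepted.
EXEMPT_STATUSES = {"false_positive", "risk_accepted"}


def parse_findings(export_text: str) -> List[Dict[str, object]]:
    """Parse the CSV export into dicts, converting first_seen to a date and
    normalising identifiers so the same CVE compares equal across systems."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings.append({
            "system": row["system"].strip(),
            "host": row["host"].strip(),
            "cve": row["cve"].strip().upper(),
            "severity": row["severity"].strip().upper(),
            "first_seen": date.fromisoformat(row["first_seen"].strip()),
            "status": row["status"].strip().lower(),
        })
    return findings


def findings_needing_poam(findings: List[Dict[str, object]], as_of: date) -> List[Dict[str, object]]:
    """Open findings older than POAM_TRACKING_DAYS, which must have a POA&M entry.
    Ordered HIGH severity first, then oldest first, to prioritise the entries."""
    overdue = []
    for f in findings:
        if f["status"] in EXEMPT_STATUSES:
            continue
        age = (as_of - f["first_seen"]).days
        if age > POAM_TRACKING_DAYS:
            overdue.append({**f, "age_days": age})
    return sorted(overdue, key=lambda f: (f["severity"] != "HIGH", -f["age_days"]))


def systemic_cves(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """CVEs confirmed (not false positives) on more than one system: the systemic
    weaknesses whose details the handbook says to share across the organisation."""
    systems_by_cve = defaultdict(set)
    for f in findings:
        if f["status"] != "false_positive":
            systems_by_cve[f["cve"]].add(f["system"])
    return {cve: sorted(systems) for cve, systems in systems_by_cve.items() if len(systems) > 1}


def triage(export_text: str, as_of_iso: str) -> Dict[str, object]:
    """Run the whole triage for a report date given as an ISO 8601 string."""
    findings = parse_findings(export_text)
    as_of = date.fromisoformat(as_of_iso)
    return {"poam": findings_needing_poam(findings, as_of), "systemic": systemic_cves(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN_EXPORT, "2011-03-31")  # constructed report date
    for f in result["poam"]:
        print(f"POA&M entry needed: {f['system']}/{f['host']} {f['cve']} "
              f"({f['severity']}, open {f['age_days']} days)")
    for cve, systems in result["systemic"].items():
        print(f"systemic: {cve} confirmed on {', '.join(systems)}")
```

Two details matter in practice: a finding marked risk-accepted is excluded from the overdue list but still counts toward the systemic view, because the risk decision on one system says nothing about whether the same flaw is tolerable elsewhere; and the same CVE appearing on a third system only 11 days ago is not yet overdue, but the systemic grouping surfaces it anyway so the fix already known for the older instances can be applied before its own 30 days run out.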

5.4 System and Services Acquisition (SA)

System and services acquisition controls ensure that appropriate technical, administrative, physical, and security requirements will be included in all specifications for the acquisition, operation, or maintenance of Office of Personnel Management (OPM) facilities, equipment, software, and related services, or those operated by external providers of information system services on behalf of OPM.

Policy: OPM shall:

- Allocate sufficient resources to adequately protect organizational information systems;
- Employ system development life cycle processes that incorporate information security considerations;
- Employ software usage and installation restrictions;
- Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization; and
- Ensure that all information technology acquisitions are processed through the Office of the Chief Information Officer (CIO).

System and Services Acquisition Policy and Procedures (SA-1)

The policies under this control are implemented with the OPM System and Service Acquisition Procedure. System and Service Acquisition procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Allocation of Resources (SA-2)

OPM shall determine, document, and allocate, as part of its capital planning and investment control process, the resources required to adequately protect all information systems. The System Development Life Cycle (SDLC) requires consideration of IT security in budget requests. As a result, programs shall include the capital asset budget planning process and follow a methodology consistent with National Institute of Standards and Technology (NIST) SP . Office of Management and Budget (OMB) Circular A-11 and Memorandum M require that security be built into and funded as part of the system architecture. As a result, each Program Management Office is responsible for security roles as part of the IT investment and capital programming processes. The funding shall include all products, procedures, and personnel (Federal employees and contractors) that are primarily dedicated to or used for the provision of IT security for the specific IT investment.

System Owners (SO) shall ensure:

- Mission/business process planning includes a determination regarding information security requirements for the information system;
- The capital planning and investment control process for the information system includes determination, documentation, and allocation of the resources required to protect the information system; and
- Establishment of a discrete line item for information security in organizational programming and budgeting documentation.
- Compliance with OMB Memorandum M-11-11 and OPM policy, which require that in FY2012 existing physical and logical access control systems be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.

Refer to OPM's Capital Planning and Investment Control (CPIC) process and information, which includes IT investment budget planning, by contacting the Chief, IT Investment Management in the CIO office. In addition, refer to the Information Technology System Management available on OPM's intranet, which provides guidance on OPM's SDLC standard. Lastly,

Life Cycle Support (SA-3)

All federal information systems, including operational systems, systems under development, and systems undergoing modification or upgrade, are in some phase of what is commonly referred to as the System Development Life Cycle (SDLC). Many activities during the SDLC have cost, schedule, and performance implications. In addition to the functional requirements levied on an information system, security requirements must also be considered. When fully implemented, the information system must be able to meet its functional requirements and do so in a manner that is secure enough to protect OPM operations, assets, and individuals. In accordance with the provisions of the Federal Information Security Management Act (FISMA), agencies are required to have an agency-wide Information Security Program, and that program must be effectively integrated into the SDLC.

The SO shall ensure:

- Management of the information system using a system development life cycle (SDLC) methodology that includes information security considerations;
- The definition and documentation of information system security roles and responsibilities throughout the SDLC; and
- Individuals having information system security roles and responsibilities are identified.

Acquisitions (SA-4)

The Contracting or Procurement Officer shall work with the SO to include the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts, based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:

- Security functional requirements/specifications (including the requirement that services and products involving facility or system access control shall be in accordance with HSPD-12 policy and the Federal Acquisition Regulation);
- Security-related documentation requirements (including Interconnection Security Agreements (ISA) for services); and
- Developmental and evaluation-related assurance requirements.
The SO shall require in the solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system, components, or services, with sufficient detail to permit analysis and testing of the controls. The SO shall acknowledge that each information system component and service acquired is explicitly assigned to an information system. (Moderate and High)

The SO shall require in the solicitation documents that appropriate documentation be provided describing the design and implementation details of the security controls employed within the information system, components, or services (including functional interfaces among control components), with sufficient detail to permit analysis and testing of the controls. (High)

Information System Documentation (SA-5)

Documentation of information systems involves the collection of detailed information (e.g., functionality, system mission, unique personnel requirements, type of data processed, architectural design, system interfaces, system boundaries, hardware and software components, system and network diagrams, asset costs, and system communications and facilities). Service provider documentation would include Memoranda of Understanding/Agreement (MOU/A), Interconnection Security Agreements (ISA), and Service Level Agreements (SLA) where applicable.

The SO shall obtain, protect as required, and make available to authorized personnel adequate documentation for the information system. Administration documentation is to include secure configurations; installation, operation, effective use, and maintenance of security functions; and known vulnerabilities regarding configuration and administrative functions.

User documentation shall include user-accessible security functions and their use, methods for user interaction that allow users to use the system in a more secure manner, and users' security responsibilities for the information and information system. The SO shall document the attempt to obtain information system documentation when such documentation is either unavailable or nonexistent.

The SO shall obtain, protect as required, and make available to authorized personnel vendor, manufacturer, or service provider documentation that describes the functional properties of the security controls employed within the information system. The documentation will include a high-level design of the information system in terms of its subsystems and implementation details of the security controls, with sufficient detail to permit analysis and testing. (Moderate and High)

The SO shall obtain, protect as required, and make available to authorized personnel vendor, manufacturer, or service provider documentation that describes the security-relevant external interfaces to the information system. The documentation will include sufficient detail to permit analysis and testing of the controls. (High)

Software Usage Restrictions (SA-6)

Compliance with software contractual and copyright usage restrictions is imperative. The distribution of approved software must be tracked and controlled to ensure contractual agreements and copyright laws are not violated. The SO shall ensure:

- OPM uses software and associated documentation in accordance with contract agreements and copyright laws;
- Employment of tracking systems to manage and control the distribution of software and associated documentation protected by quantity licenses; and
- Control and documentation of the use of peer-to-peer file sharing technology to ensure it is not used for unauthorized distribution or reproduction of copyrighted work.

User-Installed Software (SA-7)

User-installed software, including downloaded software, can contain viruses and other types of malicious code. In addition, such software can alter the equipment configuration, causing malfunctions, loss of data, exposure of data, and costly support calls. Users should be warned about such risks and instructed to refrain from installing any software on equipment without proper approval. OPM prohibits the installation of unapproved software by users in the Computer User Responsibilities (Form 1665). Software shall be requested and approved by OPM Managers and Supervisors prior to installation by system administrators and computer support personnel. The SO shall ensure annual assessments of computers and networks are conducted to verify that installed software has the appropriate licenses, and that software without appropriate licenses is removed.

Security Engineering Principles (SA-8)

The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle (SDLC). For legacy information systems, the organization applies security engineering principles to system upgrades and modifications to the extent feasible, given the current state of the hardware, software, and firmware within the system. See National Institute of Standards and Technology (NIST) Special Publication Rev. A, "Engineering Principles for Information Technology Security," for more details on security engineering principles. The SO shall ensure use of security engineering principles in the specification, design, development, implementation, and modification of the information system. (Moderate and High)

External Information System Services (SA-9)

An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Some examples of external information system services are joint ventures, business partnerships, outsourcing arrangements (e.g., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system services remains with OPM SOs and Authorizing Officials (AO) where applicable.

AOs require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information security. A chain of trust requires that the organization establish and retain a level of confidence that each participating provider of services external to the organization, in the potentially complex consumer-provider relationship, provides adequate protection for the services rendered to the organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external provider (e.g., the organization employs compensating security controls or accepts the greater degree of risk when a sufficient level of trust cannot be established in the external services and/or service providers). The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.

Information security requirements must be incorporated in contractual documents that involve the acquisition, development, and/or operation and maintenance of computer resources. These requirements must be applied at the beginning of a project or acquisition and in all follow-on contracts or purchasing agreements involving the acquisition of computer resources. Computer resources include hardware, software, maintenance, and other associated IT products and services. Contractors fill a vital role in OPM operations, and they too have a responsibility to protect the information they access. Contractors must adhere to the same rules and regulations as government employees to ensure the security of the information in their charge.

The SO shall ensure:
- Providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance (reference CA-6);
- Government oversight and user roles and responsibilities with regard to external information system services are defined and documented; and
- Security control compliance is monitored.

Developer Configuration Management (SA-10)

It is important that information system configuration management plans are developed and maintained to control changes to the system during design, development, implementation, and operation. The SO shall ensure information system developers/integrators are required to:
- Perform configuration management during information system design, development, implementation, and operation;
- Manage and control changes to the information system;

- Implement only organization-approved changes;
- Document approved changes to the information system; and
- Track security flaws and flaw resolution. (Moderate and High)

Developer Security Testing (SA-11)

The SO shall require that information system developers/integrators, in consultation with associated security personnel (including security engineers):
- Create and implement a security test and evaluation plan;
- Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
- Document the results of the security testing/evaluation and flaw remediation processes.

Developmental security test results are used to the greatest extent feasible after verification of the results, recognizing that these results are affected whenever there have been security-relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security authorization process for the delivered information system.

Supply Chain Protection (SA-12)

The SO shall ensure protection against supply chain threats by employing information technology procurement procedures and approved federal acquisition contracts as part of a comprehensive, defense-in-breadth information security strategy. (High)

Examples of measures to reduce supply chain threats include:
- Stockpiling information system components and spares to avoid the need to use less trustworthy secondary or resale markets in future years.
- Reviewing supplier claims with regard to the use of appropriate security processes in the development and manufacture of information system components or products.
- Using trusted shipping and warehousing to reduce opportunities for subversive activities or interception during transit, such as using geographically aware beacons to track shipment diversions or delays.
- Using a diverse set of suppliers for information systems, information system components, information technology products, and information system services.
- Employing standard configurations for information systems, information system components, and information technology products.
- Minimizing the time between purchase decisions and required delivery of information systems, information system components, and information technology products, which limits the opportunity for an adversary to corrupt the purchased system, component, or product.
- Performing independent analysis and penetration testing against delivered information systems, information system components, and information technology products.

A defense-in-breadth approach helps to protect information systems (including the information technology products that compose those systems) throughout the system development life cycle (SDLC) (i.e., during design and development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). This is accomplished by the identification, management, and elimination of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to mitigate risk.

Trustworthiness (SA-13)

The intent of this control is to ensure that organizations recognize the importance of trustworthiness and make explicit trustworthiness decisions when designing, developing, and implementing organizational information systems. Trustworthiness is a characteristic or property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system. Trustworthy information systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Two factors affecting the trustworthiness of an information system are: (i) security functionality (i.e., the security features or functions employed within the system); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application).

Appropriate security functionality for the information system can be obtained by using the Risk Management Framework (RMF) (Steps 1, 2, and 3) to select and implement the management, operational, and technical security controls necessary to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation. Appropriate security assurance can be obtained by: (i) the actions taken by developers and implementers of security controls with regard to the design, development, implementation, and operation of those controls; and (ii) the actions taken by assessors to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system.

The SO shall ensure information systems meet a level of trustworthiness (determined through acquisition, security engineering principles, security function isolation, risk assessment, Security Assessment and Authorization, and continuous monitoring) equivalent to the Federal Information Processing Standard (FIPS) 199 security categorization and acceptable to the Authorizing Official (AO), Chief Information Security Officer (CISO), and CIO. (High)

6. OPERATIONAL CONTROLS

6.1 Security Awareness and Training (AT)

Awareness and Training (AT) controls include security awareness, security and role-based training, and the management of training records. All personnel with access to information systems, or who have a significant role in the development, testing, operation, maintenance, support, and security of information systems, must receive training commensurate with their position and role. A key objective of an effective information security program is to ensure that all employees and contractors understand their roles and responsibilities and are adequately trained to perform them. The Office of Personnel Management (OPM) cannot protect the confidentiality, integrity, and availability of its information systems and the information they contain without the knowledge and active participation of its employees and contractors in the implementation of sound security principles. The Federal Information Security Management Act (FISMA) requires federal agencies to provide mandatory training in security awareness and accepted security practices for all employees who are involved in the management, use, or operation of a computer system within or under the supervision of OPM.

Policy: OPM personnel, including both internal and external contractors, shall receive security awareness training as part of initial training for new users, and annually thereafter. OPM personnel, including both internal and external contractors, with significant information security responsibility shall receive specialized training to facilitate their unique role in the security of the information system prior to receiving access to the system. Program Supervisors, assisted by the Information System Security Officer (ISSO) and Designated Security Officer (DSO), are responsible for identifying the level of training for their employees (e.g., senior, mid, and entry) depending on their job functions and experience. The Chief Information Security Officer (CISO) will determine the number of hours to be completed by those requiring additional role-based training. Training activities include interactive video training, web-based training, classroom training, educational vendor presentations, conference presentations, professional association chapter meetings, and CISO-held training sessions. All training shall be documented, and attendance must be certified and retained or captured as a matter of record of the individual's actions.

Security Awareness and Training Policy and Procedures (AT-1)

The policies under this control are implemented with the OPM Awareness and Training Procedure. Awareness and training procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Security Awareness (AT-2)

All information system users have a responsibility to protect information and need to understand their role. To help them understand their role, the CISO shall provide basic security awareness training to all information system users (including managers, senior executives, and contractors) prior to their accessing OPM information systems. All OPM users shall receive refresher training in IT security awareness at least annually.

Unless a waiver is granted by the CISO, user accounts and access privileges (e.g., access to ) will be disabled for those OPM employees who have not received annual refresher training.

Security Training (AT-3)

The CISO, Program Supervisors, ISSO, and DSO shall identify personnel with significant information system security roles and responsibilities, document those roles and responsibilities, and provide appropriate information system security training before authorizing access to the system, and at least annually thereafter. In addition:
- ISSOs, DSOs, Contracting Officer's Technical Representatives (COTR), and System Owners (SO) shall establish additional system-specific security training for sensitive systems under their purview, when necessary.
- ISSOs and DSOs shall ensure that OPM personnel and internal and external contractors with significant security responsibilities (e.g., management and system administrators) receive annual specialized training specific to their security responsibilities. Training may be required more frequently due to system changes.
- The level of training shall be commensurate with the individual's duties and responsibilities and promote a consistent understanding of the principles and concepts of information system security.
- Internal and external contractors shall adhere to OPM annual training and specialized training requirements.
- Unless a waiver is granted by the CISO, user accounts and access privileges, including access to , will be disabled for those OPM employees who have not received annual refresher training.

The following roles carry significant security responsibilities:
- Chief Information Officer (CIO)
- Deputy Chief Information Officer (DCIO)
- Chief Information Security Officer (CISO)
- Authorizing Official (AO)
- Information Owner
- System Owner (SO)
- Information System Security Officer (ISSO)
- Designated Security Officer (DSO)
- Programmers/Developers
- Information Security Specialists
- System Administrators
- Database Administrators

- Network Administrators
- Change Management Staff
- Help Desk Personnel
- COTRs for IT contracts

The organization determines the appropriate content of security training based on assigned roles and responsibilities and the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software adequate security-related technical training to perform their assigned duties. Organizational security training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. The organization also provides the training necessary for these individuals to carry out their responsibilities related to operations security within the context of the organization's information security program.

Security Training Records (AT-4)

The CISO shall:
- Document and monitor individual information system security training activities, including basic security awareness training and specific information system security training; and
- Retain individual training records for one year for auditing and reporting purposes.

To ensure the awareness and training process is executed correctly, the CISO will review the awareness and training controls for each information system as part of the System Security Plan (SSP) review during the Security Assessment and Authorization process. Identified weaknesses in awareness and training controls will be reported to the ISSO, DSO, and SO for remediation. The ISSO and SO shall coordinate to remediate identified weaknesses using the POA&M process.

6.2 CONFIGURATION MANAGEMENT (CM)

Configuration management is the process whereby individual configuration items are identified, a baseline configuration for each item is established (e.g., security hardening instructions, default settings, etc.), and an inventory is developed. The inventory of configuration items is tracked throughout the system development life cycle (SDLC). The functional and physical attributes of an information system and its components are identified and documented, and changes to the system and its components are controlled and tracked. The goal of configuration management is to make it easier to detect any changes to hardware or software within an information system.

Policy: It is OPM's policy to:
- Establish and maintain baseline configurations and inventories of information systems;
- Establish and enforce security configuration settings for information technology products employed in information systems; and
- Monitor and control changes to baseline configurations established for information systems and their components (including hardware, software, and firmware) throughout the life cycle of each component and system, and update configuration documentation throughout the life cycle as appropriate.

Configuration Management Policy and Procedures (CM-1)

The policies under this control are implemented with the Office of Personnel Management (OPM) Configuration Management Procedures. Operational configuration management procedures may be developed by program offices and operational groups where necessary. Configuration management procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Baseline Configuration (CM-2)

A baseline configuration is a well-defined, documented, and approved specification to which an information system is built. It describes the approved configuration of an information system, including all its hardware, software, and firmware components; how the components are interconnected; and the physical and logical locations of each. The baseline configuration of an information system may evolve over time depending on the stage of the System Development Life Cycle (SDLC). The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device, including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture. Maintaining the baseline configuration involves creating new baselines as the information system changes over time.

System Owners (SO) shall ensure a baseline configuration and an inventory of the system's constituent components is developed, documented, and maintained under configuration control.

SOs shall ensure baseline configurations of the information system are reviewed and updated (Moderate and High):
- At least annually;
- When required due to significant changes to the current operating environment; and
- As an integral part of information system component installations and upgrades.

SOs shall ensure older versions of baseline configurations for the information system are retained as deemed necessary to support rollback. (Moderate and High)

SOs shall ensure the information system is monitored and changes are controlled to baseline configurations established for information systems and their components (including hardware, software, and firmware) throughout the life cycle of each component and system, and that configuration documentation is updated throughout the life cycle as appropriate.

SOs shall ensure the information system employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (High)

Software inventory tools are examples of automated mechanisms that help organizations maintain consistent baseline configurations for information systems. Software inventory tools can be deployed for each operating system in use within the organization (e.g., on workstations, servers, network components, mobile devices) and used to track operating system version numbers, applications and types of software installed on the operating systems, and current patch levels. Software inventory tools can also scan information systems for unauthorized software to validate organization-defined lists of authorized and unauthorized software programs.

SOs shall ensure:
- A list of unapproved software is developed and maintained; and
- Information systems employ an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system. (Moderate and High)

SOs shall ensure:
- A list of approved software is developed and maintained; and
- Information systems employ a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system. (High)

SOs shall ensure a baseline configuration is maintained for development and test environments that are managed separately from the operational baseline configuration. (High)

Configuration Change Control (CM-3)

Information systems undergo changes to the system or system components throughout the system development life cycle (SDLC). It is important that these changes are documented, tested, evaluated, and approved. It is also important to take into account the security impact of the change. A configuration change control process helps to maintain the integrity, confidentiality, and availability of the system.
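The software inventory check described under CM-2, as an added example that is not part of the OPM handbook and not OPM's tooling: a Python script that compares a constructed inventory against a constructed baseline to detect drift, then applies whichever of the two CM-2 execution-authorization policies the system's impact level calls for. Package names, versions and the approved/unapproved lists are placeholders invented for the example; the same drift report is the kind of change detection configuration change control (CM-3) relies on.

```python
"""Baseline drift and software execution-policy check.

Added example (not OPM code): a minimal software inventory check of the kind
CM-2 describes. It compares a captured inventory against the recorded baseline
to surface drift, then applies the execution-authorization policy CM-2 assigns
to the system's impact level:
  - Moderate: allow-all, deny-by-exception against a list of unapproved software
  - High:     deny-all, permit-by-exception against a list of approved software
All package names, versions and list contents below are constructed placeholders.
"""
from typing import Dict, List, Tuple

Inventory = Dict[str, str]  # package name -> installed version

# Constructed baseline for a standard workstation load (placeholder values).
BASELINE: Inventory = {
    "os-kernel": "5.10.0-21",
    "browser": "112.0",
    "office-suite": "16.0.1",
    "edr-agent": "4.2.8",
}

# Constructed inventory captured later by a software inventory tool.
CURRENT: Inventory = {
    "os-kernel": "5.10.0-21",
    "browser": "110.0",      # version regressed relative to the baseline
    "office-suite": "16.0.1",
    "media-player": "3.1",   # added; on neither the approved nor the unapproved list
    "p2p-client": "1.3",     # added; on the unapproved list
    # "edr-agent" is absent: a baseline component has been removed
}

# Organization-defined lists (constructed). CM-2 calls for maintaining both.
UNAPPROVED_SOFTWARE = {"p2p-client", "remote-admin-tool"}
APPROVED_SOFTWARE = {"os-kernel", "browser", "office-suite", "edr-agent"}

# Policy CM-2 assigns to each impact level named on the page.
POLICY_FOR_IMPACT = {
    "Moderate": "deny-by-exception",
    "High": "permit-by-exception",
}


def detect_drift(baseline: Inventory, current: Inventory) -> Dict[str, list]:
    """Return packages added, removed, or changed relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed: List[Tuple[str, str, str]] = sorted(
        (name, baseline[name], current[name])
        for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def unauthorized_software(current: Inventory, policy: str,
                          approved=APPROVED_SOFTWARE,
                          unapproved=UNAPPROVED_SOFTWARE) -> List[str]:
    """Installed packages not permitted to execute under the given policy."""
    if policy == "deny-by-exception":
        # Allow everything except what is explicitly unapproved.
        return sorted(name for name in current if name in unapproved)
    if policy == "permit-by-exception":
        # Deny everything except what is explicitly approved.
        return sorted(name for name in current if name not in approved)
    raise ValueError(f"unknown policy: {policy}")


def assess(baseline: Inventory, current: Inventory, impact_level: str) -> dict:
    """Combine drift detection with the policy the impact level requires."""
    policy = POLICY_FOR_IMPACT[impact_level]
    drift = detect_drift(baseline, current)
    flagged = unauthorized_software(current, policy)
    # Any drift means the recorded baseline no longer matches the system, so
    # the SO's baseline review and update (CM-2) should be triggered.
    return {
        "impact_level": impact_level,
        "policy": policy,
        "drift": drift,
        "unauthorized": flagged,
        "baseline_review_required": any(drift.values()),
    }


if __name__ == "__main__":
    for level in ("Moderate", "High"):
        report = assess(BASELINE, CURRENT, level)
        print(f"[{level}] policy={report['policy']}")
        print(f"  added={report['drift']['added']} removed={report['drift']['removed']}")
        print(f"  changed={report['drift']['changed']}")
        print(f"  unauthorized={report['unauthorized']}")
        print(f"  baseline review required: {report['baseline_review_required']}")
```

Note that the unlisted media player passes the Moderate policy but is flagged under the High policy, which is exactly the gap between deny-by-exception and permit-by-exception the two CM-2 requirements describe.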

Types of changes to the information system that are configuration controlled must be identified and documented. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, and routers), emergency changes, and changes to remediate flaws. OPM audits change activities before and after a change is made to the information system, as well as the auditing activities required to implement the change.

SOs shall ensure:
- Types of changes to the information system that are configuration controlled are documented;
- Approval is obtained from the Configuration Control Board for configuration-controlled changes to the system, with explicit consideration of security impact analyses;
- Approved configuration-controlled changes to the system are documented;
- Records of configuration-controlled changes to the system are retained and reviewed;
- Activities associated with configuration-controlled changes to the system are audited; and
- Change control activities outlined in the Configuration Management Policy are coordinated. (Moderate and High)

SOs shall ensure changes to the information system are tested, validated, and documented before being implemented on the operational system. (Moderate and High)

The organization ensures that testing does not interfere with information system operations. The individual/group conducting the tests understands the organizational information security policies and procedures, the information system security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. An operational system may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an information system must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. In situations where the organization cannot conduct testing of an operational system, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.

SOs shall ensure the information system employs automated mechanisms to:
- Document proposed changes to the information system;
- Notify designated approval authorities;
- Highlight approvals that have not been received within designated response times;
- Inhibit change until designated approvals are received; and
- Document completed changes to the information system. (High)

6.2.4 Security Impact Analysis (CM-4)

Security impact analysis may include reviewing information system documentation, such as the security plan, to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the security categorization of the information system.

SOs shall ensure changes to the information system are analyzed to determine potential security impacts prior to change implementation, utilizing the OPM Security Impact Analysis template. Changes to the information system shall be tested prior to implementation, monitored after implementation, and subjected to security impact analysis in order to determine the effects of the changes.

SOs shall ensure new software is analyzed in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. (High)

Access Restriction for Change (CM-5)

Changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Maintaining records of access is essential for ensuring that configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system. Access restrictions for change include physical and logical access controls, workflow automation, media and software libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover).

System Owners (SO) shall ensure the information system includes defined, documented, approved, and enforced physical and logical access restrictions associated with changes to the information system.

SOs shall ensure the information system employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

SOs shall ensure audits of information system changes are conducted at least weekly, and when indications so warrant, to determine whether unauthorized changes have occurred.

SOs shall ensure information systems are configured to prevent the installation of critical software programs and/or modules, such as patches, service packs, and, where applicable, device drivers, that are not signed with a certificate that is recognized and approved by the organization. (High)

Configuration Settings (CM-6)

Information technology products should be configured to the most restrictive security settings that still allow the functionality needed to meet organizational needs. Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system, such as registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Organizations establish organization-wide mandatory configuration settings from which the settings for a given information system are derived.

A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, security guide, security technical implementation guide (STIG), or benchmark) is a series of instructions or procedures for configuring an information system component to meet operational requirements. Checklists can be developed by information technology developers and vendors, consortia, academia, industry, federal agencies (and other government organizations), and others in the public and private sectors. An example of a security configuration checklist is the Federal Desktop Core Configuration (FDCC). The Security Content Automation Protocol (SCAP) and defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. The Office of Management and Budget (OMB) establishes Federal policy on configuration requirements for Federal information systems.

SOs shall ensure:
- Mandatory configuration settings for information technology products employed within the information system, using the National Checklist Program (National Institute of Standards and Technology (NIST) SP ) or OPM-developed secure configuration baselines (approved by the Chief Information Officer (CIO), Chief Information Security Officer (CISO), or designees) that reflect the most restrictive mode consistent with operational requirements, are established and documented;
- Configuration settings are implemented;
- Exceptions from the mandatory configuration settings for individual components within the information system, based on explicit operational requirements, are identified, documented, and approved;
- Changes to the configuration settings are monitored and controlled in accordance with organizational policies and procedures; and
- Security configuration settings for information technology products employed in information systems are established and enforced.

The CISO, in coordination with the SOs, shall ensure the detection of unauthorized, security-relevant configuration changes is incorporated into OPM's incident response capability, so that such detected events are tracked, monitored, corrected, and available for historical purposes. (Moderate and High)

SOs shall ensure automated mechanisms are employed to centrally manage, apply, and verify configuration settings, and to respond to unauthorized changes to all configurable devices. (High) Responses to unauthorized changes to configuration settings can include alerting designated organizational personnel, restoring mandatory/organization-defined configuration settings, or, in the extreme case, halting affected information system processing.

6.2.7 Least Functionality (CM-7)

Least functionality includes reviewing a system for, and eliminating, all unnecessary functions of the system, which reduces the threats and vulnerabilities to which the system is exposed. Information systems are capable of providing a wide variety of functions and services, which, when provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by organizational information systems, or by individual components of information systems, must be carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations should consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus (USB), File Transfer Protocol (FTP), Internet Protocol Version 6 (IPv6), Hypertext Transfer Protocol (HTTP)) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Network scanning tools, intrusion detection and prevention systems, and end-point protections (e.g., firewalls and host-based intrusion detection systems) should be used to identify and prevent the use of prohibited functions, ports, protocols, and services.

System Owners (SO) shall ensure information systems are configured to provide only essential capabilities and specifically prohibit or restrict the use of specific functions, ports, protocols, or services such as Domain Name System (DNS), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Internet Relay Chat (IRC), Network Basic Input Output System (Netbios), Simple Mail Transfer Protocol (SMTP), and Structured Query Language (SQL), in order to provide only those capabilities that are essential.

SOs shall ensure information systems are reviewed at least annually to identify and eliminate unnecessary functions, ports, protocols, and/or services. (Moderate and High)

SOs shall ensure automated mechanisms are employed to prevent program execution in accordance with a list of authorized software programs. (High)

6.2.8 Information System Component Inventory (CM-8)

An information system component inventory provides a means of tracking the security posture of IT assets and tracking system responsibility and compliance with security requirements for those assets.

SOs shall ensure an inventory of information system components is developed, documented, and maintained that:
- Accurately reflects the current information system;
- Is consistent with the authorization boundary of the information system;
- Is at the level of granularity deemed necessary for tracking and reporting;
- Includes, where applicable: hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and the component network name and network address; and
- Is available for review and audit by designated organizational officials.

SOs shall verify that all components within the authorization boundary of the information system are either inventoried as part of the system or recognized by another system as a component within that system. The inventory of information system components shall be updated as an integral part of component installations, removals, and information system updates. (Moderate and High)

SOs shall ensure automated mechanisms are employed to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. (High)

SOs shall ensure (High):
- Automated mechanisms are employed to detect, in near real-time, the addition of unauthorized components/devices into the information system; and
- Network access by such components/devices is disabled, or designated organizational officials are notified.

SOs shall ensure property accountability information for information system components includes a means for identifying, by role, position, or name, the individuals responsible for administering those components. (High)

6.2.9 Configuration Management Plan (CM-9)

The configuration management plan satisfies the requirements in the organization's configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level.
The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and how documents are developed, released, and updated. The configuration management approval process includes designation of key management stakeholders that are responsible for reviewing and approving proposed changes to the information system, and security personnel that would conduct an impact analysis prior to the implementation of any changes to the system.

SOs shall ensure a configuration management plan for the information system is developed, documented, and implemented that (Moderate and High):
- Addresses roles, responsibilities, and configuration management processes and procedures;
- Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
- Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
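The CM-6 and CM-8 requirements above both reduce to the same check: compare what is actually observed on a component or a network against an approved baseline, honouring documented exceptions, and report every deviation so it can be corrected or routed to incident response. The following is an added example of that comparison, not OPM's own tooling; the mandatory settings (keyed by CCE-style identifiers, which are hypothetical here), the approved exceptions, the component inventory and the observed hosts are all constructed sample data.

```python
"""Baseline comparison for CM-6 (configuration settings) and CM-8 (component
inventory). Added example with constructed data; not OPM's own tooling."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mandatory settings baseline (CM-6). The keys imitate Common
# Configuration Enumeration identifiers but are hypothetical.
MANDATORY_SETTINGS: Dict[str, Tuple[str, str]] = {
    "CCE-EX-0001": ("password_min_length", "12"),
    "CCE-EX-0002": ("ssh_permit_root_login", "no"),
    "CCE-EX-0003": ("audit_enabled", "yes"),
    "CCE-EX-0004": ("ftp_service", "disabled"),
}

# Constructed, documented exceptions: component -> setting ids approved to
# deviate. The approval record itself is assumed to live elsewhere.
APPROVED_EXCEPTIONS: Dict[str, Set[str]] = {
    "web01": {"CCE-EX-0004"},
}


@dataclass
class SettingsFinding:
    component: str
    setting_id: str
    expected: str
    observed: Optional[str]  # None: the setting was not present on the component


def check_settings(component: str, observed: Dict[str, str],
                   baseline: Dict[str, Tuple[str, str]] = MANDATORY_SETTINGS,
                   exceptions: Dict[str, Set[str]] = APPROVED_EXCEPTIONS
                   ) -> List[SettingsFinding]:
    """Return the unauthorized deviations of one component from the baseline.

    `observed` maps setting name -> value as collected from the component.
    A missing setting is reported too: absence is not compliance."""
    findings = []
    exempt = exceptions.get(component, set())
    for setting_id, (name, expected) in baseline.items():
        if setting_id in exempt:
            continue  # documented, approved exception: not a finding
        actual = observed.get(name)
        if actual != expected:
            findings.append(SettingsFinding(component, setting_id, expected, actual))
    return findings


# Constructed CM-8 inventory: network name -> (network address, responsible role)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "web01": ("10.0.1.10", "Web Administrator"),
    "db01": ("10.0.1.20", "Database Manager"),
}


def check_inventory(inventory: Dict[str, Tuple[str, str]],
                    observed_hosts: Dict[str, str]
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Compare hosts seen on the network (name -> address) with the inventory.

    Returns (unauthorized, missing, address_mismatch): names seen but not
    inventoried (candidates for disabling network access or notifying the
    designated officials), inventoried names not seen, and inventoried names
    whose observed address differs from the recorded one."""
    unauthorized = sorted(n for n in observed_hosts if n not in inventory)
    missing = sorted(n for n in inventory if n not in observed_hosts)
    mismatch = sorted(n for n in observed_hosts
                      if n in inventory and inventory[n][0] != observed_hosts[n])
    return unauthorized, missing, mismatch


if __name__ == "__main__":
    # Constructed observations: db01 has a weak password policy and no FTP
    # setting recorded; a host not in the inventory has appeared.
    for finding in check_settings("db01", {"password_min_length": "8",
                                            "ssh_permit_root_login": "no",
                                            "audit_enabled": "yes"}):
        print(finding)
    print(check_inventory(INVENTORY, {"web01": "10.0.1.10",
                                      "db01": "10.0.1.21",
                                      "rogue7": "10.0.1.99"}))
```

In practice the `observed` dictionaries would be filled from an SCAP scanner's results and from network discovery; the comparison logic is the same, and each finding is what gets tracked through the incident response capability as the policy requires.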

6.3 Contingency Planning (CP)

Contingency planning provides the guidance and direction necessary to maintain acceptable levels of information services in the event the primary service (system or application) sustains an interruption in service. Contingency plans identify critical assets (using the Business Impact Assessment (BIA)), key personnel and vendors, and established procedures to respond to outages. The plan identifies alternate processing locations, provides schemas to activate those locations, and facilitates return to the primary location. Key personnel necessary to facilitate operations are identified, including the means to contact them at any time. Considerations in the plan address short, moderate, and long-term interruptions, as well as catastrophic loss of the facility; recovery, repair, and salvage of assets; and the identification of key supplies necessary to facilitate processing. Training programs to prepare key personnel are developed, along with desk-top and functional exercises designed to assess and evaluate the plan.

Policy: Office of Personnel Management (OPM) System Owners (SO) shall ensure the establishment, maintenance, and effective implementation of plans for emergency response, disaster recovery, backup operations, and post-disaster recovery for their information systems, guaranteeing the availability of critical information resources and continuity of operations in emergency situations. These plans help OPM recover from serious incidents involving information systems in the minimum time and with minimum cost and disruption. Contingency Plans shall be reviewed, updated, and tested at least annually to ensure their effectiveness.

6.3.1 Contingency Planning Policy and Procedures (CP-1)

The policies under this control are implemented with the OPM Contingency Planning Procedure. Operational contingency planning procedures may be developed by program offices and operational groups where necessary.
Contingency planning procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.3.2 Contingency Plan (CP-2)

Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. A Contingency Plan is a group of controls that provides SOs a mechanism to ensure the availability of information systems to prevent a negative impact to business functions in the event of an emergency. Examples of actions to call out in contingency plans include: graceful degradation, information system shutdown, fall-back to a manual mode, alternate information flows, or operating in a mode that is reserved solely for when the system is under attack.

SOs shall ensure:
- Development of a contingency plan for the information system that:
  - Identifies essential missions and business functions and associated contingency requirements through conducting Business Impact Assessments (BIA);
  - Provides recovery objectives, restoration priorities, and metrics as part of the BIA;
  - Addresses contingency roles, responsibilities, and assigned individuals with contact information;
  - Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
  - Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
  - Is reviewed and approved by the SO, Chief Information Security Officer (CISO), and the Authorizing Official (AO).
- Copies of the contingency plan are distributed to key contingency personnel and other related organizational elements or entities;
- Contingency planning activities are coordinated with incident handling activities;
- The contingency plan for the information system is reviewed at least annually;
- The contingency plan is revised to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
- Contingency plan changes are communicated to key contingency personnel and other related organizational elements or entities.

The SO shall coordinate contingency plan development with organizational elements responsible for related plans, such as the Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan (COOP), Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan. (Moderate and High)

SOs shall conduct capacity planning to ensure the necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. (High)

OPM shall plan for the resumption of essential missions and business functions within 12 hours of contingency plan activation. (High)

6.3.3 Contingency Training (CP-3)

In the event of an emergency, there is usually less time for planning and reacting; therefore, personnel that must execute information system contingency plans need to be trained on their responsibilities to ensure any delay in recovering critical systems is minimal.

SOs shall train personnel in their contingency roles and responsibilities with respect to the information system and provide refresher training at least annually.

SOs shall incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. (High)

6.3.4 Contingency Plan Testing and Exercises (CP-4)

Executing contingency plans during controlled tests and/or exercises provides a mechanism to test the effectiveness of the contingency plan, provide training, and correct weaknesses in the plan in a controlled situation.

SOs shall ensure:
- The contingency plan for the information system is tested and/or exercised at least annually using OPM-defined and information-system-specific tests and exercises (such as checklist, walk-through/tabletop, simulation, parallel, or full interrupt) to determine the plan's effectiveness and the organization's readiness to execute the plan; and
- Contingency plan test/exercise results are reviewed and corrective actions are initiated (i.e., contingency plan procedures are updated at least annually).

SOs shall ensure test results are provided to the CISO quarterly for evidence and reporting. Contingency plan testing and/or exercises shall be coordinated with organizational elements responsible for related plans, such as the Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan (COOP), Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan. (Moderate and High)

The SO shall ensure testing/exercising of the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations. As part of contingency plan testing, the SO includes a full recovery and reconstitution of the information system to a known state. (High)

For some smaller (particularly Federal Information Processing Standard (FIPS) 199 Low availability) systems, a full contingency plan may not be required if the SO determines that the system's contingency plan is to not recover the system after an incident. These decisions shall be documented based on the Business Impact Analysis (BIA) that supports the decision to not recover or reconstitute the system.
The testing requirement for these systems can be satisfied by annually validating and appropriately updating documentation of the decision.

There are two principal approaches to contingency plan testing:
- Classroom Exercises. Participants in classroom exercises, often called tabletop exercises, walk through the procedures to ensure the documentation reflects the ability to adequately perform the tasks outlined, without any actual recovery operations occurring. Classroom exercises are the most basic and least costly of the two types of exercises and should be conducted before performing a functional exercise.
- Functional Exercises. Functional exercises are more extensive than tabletops and include simulations, parallel operations, or full interrupt (failover) testing. Often, scripts are written for role players pretending to be external organization contacts, or there may be actual interagency and vendor participation. A functional exercise might include actual relocation to the alternate site and/or system cutover.

In either case, test scenarios might include, but are not limited to: an equipment damage/failure scenario, a COOP emergency relocation scenario, a data loss/corruption scenario, a network outage scenario, or a staff shortage due to pandemic influenza scenario.

Classroom exercises are generally appropriate for systems with a FIPS 199 Low availability impact. Tabletop exercises augmented with limited functional exercises (e.g., loading backup files; telephone call tree exercises) are appropriate for Moderate availability systems. High availability systems shall undergo more extensive functional exercises (e.g., testing of switchover capabilities). The FIPS 199 level here applies only to availability (e.g., a FIPS 199 High system because of confidentiality may in fact have a Low availability impact rating).

6.3.5 Alternate Storage Site (CP-6)

In order to support events requiring the recovery of information systems, the information to recover the system must be stored at an alternate site.

The Data Center Manager and SOs shall ensure the establishment of an alternate storage site, including the necessary agreements to permit the storage and recovery of information system backup information. The alternate storage site shall be separated from the primary storage site so as not to be susceptible to the same hazards. Potential accessibility problems for the alternate storage site in the event of an area-wide disruption or disaster shall be identified, and explicit mitigation actions shall be outlined. Explicit mitigation actions include duplicating backup information at another alternate storage site if access to the first alternate site is hindered; or, if electronic accessibility to the alternate site is disrupted, planning for physical access to retrieve backup information. (Moderate and High)

SOs shall ensure configuration of the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. (High)

6.3.6 Alternate Processing Site (CP-7)

In order to support the recovery of information systems in an emergency, it may be necessary to recover at an alternate processing site, as the primary site might not be accessible.
SOs and the Data Center Manager shall ensure:
- Establishment of an alternate processing site, including the necessary agreements to permit the resumption of information system operations for essential missions and business functions within 12 hours when the primary processing capabilities are unavailable; and
- Equipment and supplies required to resume operations are available at the alternate site, or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption. (Moderate and High)

The alternate processing site shall be separated from the primary processing site so as not to be susceptible to the same hazards. Potential accessibility problems for the alternate processing site in the event of an area-wide disruption or disaster shall be identified, and explicit mitigation actions shall be outlined. Alternate processing site agreements shall be developed that contain priority-of-service provisions in accordance with the organization's availability requirements. The alternate processing site shall provide information security measures equivalent to those of the primary site. (Moderate and High)

SOs and the Data Center Manager shall configure the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions. (High)

6.3.7 Telecommunications Services (CP-8)

Telecommunications services are key to technology operations; as such, the organization needs to obtain both primary and alternate services that will support ongoing operations. The following policy addresses the requirement for organizations to identify alternate telecommunications services for the resumption of information system operations in the event of a disaster or major disruption of services.

SOs and the Data Center Manager shall ensure establishment of alternate telecommunications services, including the necessary agreements to permit the resumption of information system operations for essential missions and business functions within 12 hours when the primary telecommunications capabilities are unavailable. The primary and alternate telecommunications service agreements shall contain priority-of-service provisions in accordance with the organization's availability requirements. Telecommunications Service Priority shall be requested for telecommunication services used for national security emergency preparedness in the event that the primary and/or alternate services are provided by a common carrier. In addition, alternate telecommunications services shall be obtained with consideration for reducing the likelihood of sharing a single point of failure with the primary telecommunications services. (Moderate and High)

Alternate telecommunications service providers shall have contingency plans and be separated from primary service providers so as not to be susceptible to the same hazards. (High)

6.3.8 Information System Backup (CP-9)

In order to successfully recover an information system, the components of the system and its data must be backed up successfully. For each system it must be determined what information must be backed up and is necessary for the successful recovery of the system. The frequency with which the backups are performed will depend on the availability requirement of the data.
It is important that backups are tested to ensure usability.

SOs shall ensure:
- Backups are conducted of user-level information contained in the information system periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers;
- Backups are conducted of system-level information (e.g., system-state information, operating system and application software, and licenses) contained in the information system periodically (Low), weekly (Moderate), and daily (High);
- Backups are conducted of information system documentation, including security-related documentation, periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers; and
- Protection of the confidentiality and integrity of backup information at the storage location.

Digital signatures and cryptographic hashes are examples of mechanisms that can be employed by organizations to protect the integrity of information system backups. An organizational assessment of risk guides the use of encryption for protecting backup information. The protection of system backup information while in transit is beyond the scope of this control (Reference CP-6 and MP-4).

SOs shall ensure a test is performed of the backup information at least annually (recommended quarterly for High and semi-annually for Moderate) to verify media reliability and information integrity. (Moderate and High)

SOs shall ensure a sample of backup information is used in the restoration of selected information system functions as part of contingency plan testing. Backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components), shall be stored in a separate facility or in a fire-rated container that is not co-located with the operational system. (High)

6.3.9 Information System Recovery and Reconstitution (CP-10)

The goal of contingency planning is the successful recovery and reconstitution of the information system to a secure and usable state. Recovery is executing information system contingency plan activities to restore essential missions and business functions. Reconstitution takes place following recovery and includes activities for returning the information system to its original functional state before contingency plan activation. Recovery and reconstitution procedures are based on organizational priorities, established recovery point/time and reconstitution objectives, and appropriate metrics. Reconstitution includes the deactivation of any interim information system capability that may have been needed during recovery operations. Reconstitution also includes an assessment of the fully restored information system capability, a potential system reauthorization, and the necessary activities to prepare the system against another disruption, compromise, or failure.
Recovery and reconstitution capabilities employed by the organization can be a combination of automated mechanisms and manual procedures.

SOs shall ensure the recovery and reconstitution of the information system is accomplished to a known state after a disruption, compromise, or failure.

SOs shall ensure implementation of transaction recovery for transaction-based systems. Database management systems and transaction processing systems are examples of information systems that are transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. (Moderate and High)

SOs shall ensure compensating security controls are provided for circumstances that can inhibit recovery and reconstitution to a known state (e.g., baselines not kept or backups not performed). (Moderate and High)

SOs shall ensure the capability is provided to reimage information system components within established recovery time objectives (RTO) from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components. (High)
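CP-9 names cryptographic hashes and digital signatures as the mechanisms for protecting the integrity of backup information at the storage location, and CP-10 requires reimaging from integrity-protected images. The following is an added example of how such a check is built and verified at restore time; it is not OPM's own backup tooling. It records a SHA-256 digest for every backed-up file in a manifest and authenticates the manifest with an HMAC keyed by a secret held apart from the backup, so that someone who can alter a file at the storage site cannot simply recompute the manifest to match (a digital signature over the same canonical manifest would serve the same purpose where a PKI is available). The sample file set and the key are constructed for the example.

```python
"""Integrity protection for information system backups (CP-9).
Added example with constructed data; not OPM's own tooling."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key. In practice it is kept outside the backup set (e.g. in a
# key store at the primary site), never alongside the manifest it protects.
MANIFEST_KEY = b"constructed-example-key-do-not-reuse"

# Constructed sample backup set: path -> file contents.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "srv/app/config.ini": b"[db]\nhost=db01\n",
    "docs/ssp.pdf": b"%PDF-1.4 constructed placeholder\n",
}


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(hashes: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators: the same content must always
    # serialise to the same bytes, or the HMAC would not reproduce.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Produce the manifest that is stored with the backup at the storage site."""
    hashes = {path: file_digest(data) for path, data in files.items()}
    tag = hmac.new(key, canonical(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "hmac": tag}


def verify_backup(files: Dict[str, bytes], manifest: dict,
                  key: bytes = MANIFEST_KEY) -> List[str]:
    """Return a list of problems found; an empty list means the backup verified.

    The manifest's own authenticity is checked first: if the HMAC does not
    match, none of the per-file digests can be trusted, so that is the only
    finding reported."""
    hashes = manifest.get("hashes", {})
    expected_tag = hmac.new(key, canonical(hashes), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest.get("hmac", "")):
        return ["manifest authentication failed"]
    problems = []
    for path, expected in sorted(hashes.items()):
        if path not in files:
            problems.append(f"missing: {path}")
        elif file_digest(files[path]) != expected:
            problems.append(f"modified: {path}")
    for path in sorted(files):
        if path not in hashes:
            problems.append(f"unlisted: {path}")   # present but never attested
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP)
    print("clean backup:", verify_backup(SAMPLE_BACKUP, manifest))
    # Constructed tampering: a security-relevant setting changed in storage.
    tampered = dict(SAMPLE_BACKUP)
    tampered["etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"
    print("tampered file:", verify_backup(tampered, manifest))
```

The same verify step is what the annual (or quarterly, for High) backup test in CP-9 should run before any restore proceeds: a non-empty result means the backup is not a known-good state and the compensating controls in CP-10 apply.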

6.4 Incident Response (IR)

An incident is a violation or imminent threat of violation of information security policies, acceptable use policies, or standard computer security practices. Incidents may result from intentional or unintentional actions. Incident response relates to action taken in reaction to an incident occurrence. These incidents can severely disrupt computer-supported operations, compromise the confidentiality of sensitive information, and diminish the integrity of critical data. To help combat the disruptive short- and long-term effects of security incidents, each government agency is required to implement and maintain a security incident reporting and handling capability. Incident response plans provide clear instructions to individual users on the proper response to events such as malicious software, denial of service attacks, viruses, and unauthorized access. These procedures are designed to limit the impact of the incident and to recover sufficient information to assist in follow-up investigations.

Policy: OPM shall:
- Establish an operational incident handling capability for OPM information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
- Report all suspected incidents to the OPM Situation Room (SitRoom) at / STU. SitRoom personnel shall initiate a Remedy Ticket and notify appropriate parties.
- The OPM Computer Incident Response Team (CIRT) shall report incidents to the United States Computer Emergency Readiness Team (US-CERT), in accordance with the OPM Incident Response and Reporting Guide. Components shall not send incident reports directly to US-CERT.

6.4.1 Incident Response Policy and Procedures (IR-1)

The policies under this family are implemented with the OPM Incident Response Procedures.
Operational Incident Response procedures may be developed by program offices and operational groups where necessary, but must include reporting to the OPM Situation Room (SitRoom) for all incidents. Incident response procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary Incident Response Training (IR-2) Quickly responding to incidents provides a mechanism for controlling the impact of the incident on the information systems; therefore, individuals must understand their incident response responsibilities and the actions they should take if an incident is suspected. To accomplish this individuals require training in incident detection and response. Incident response training includes user training in the identification and reporting of suspicious activities both from external and internal sources. The Chief Information Security Officer (CISO), Program Supervisors, Information System Security Officer (ISSO), and Designated Security Officer (DSO) shall: 84

- Train personnel in their incident response roles and responsibilities with respect to the information system; and
- Provide refresher training at least annually.

OPM shall incorporate simulated events into incident response training, using automated mechanisms to provide a more thorough and realistic training environment and to facilitate effective response by personnel in crisis situations. (High)

6.4.3 Incident Response Testing and Exercises (IR-3)

Determining the effectiveness and weaknesses of OPM's incident response capability, and improving it, requires that tests and exercises be performed in a controlled manner and the results analyzed.

The CISO, System Owner (SO), ISSO, and DSO shall test and/or exercise the incident response capability for the information system at least annually, using scenario-based exercises to determine incident response effectiveness, and shall document the results. (Moderate and High)

OPM shall employ automated mechanisms to more thoroughly and effectively test/exercise the incident response capability. (High)

6.4.4 Incident Handling (IR-4)

To protect information assets, OPM's security incident handling capability must provide the necessary steps for security incident detection and resolution.

The CISO shall ensure:
- An incident handling capability for security incidents is implemented that includes preparation, detection and analysis, containment, eradication, and recovery;
- Incident handling activities are coordinated with contingency planning activities; and
- Lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing/exercises, and the resulting changes are implemented accordingly.

Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

OPM shall employ automated mechanisms to support the incident handling process. (Moderate and High)

6.4.5 Incident Monitoring (IR-5)

To protect information systems it is necessary to monitor for incidents on an ongoing basis, as information assets are susceptible at any time to intentional or unintentional damaging incidents.

The CISO, SO, ISSO, and DSO shall provide a process to track and document information system security incidents. Documenting security incidents includes, for example, maintaining records about each incident, the status of the incident, and other information necessary for forensics, evaluation of incident details, trend analysis, and handling.

OPM shall employ automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (Moderate and High) Such mechanisms include, for example, the Einstein network monitoring device and the monitoring of online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.

6.4.6 Incident Reporting (IR-6)

The timely reporting of incidents or suspected incidents assists in containment and mitigation and limits impact. This includes reporting incidents involving Personally Identifiable Information (PII). A PII incident is a suspected or confirmed breach in the protection of personally identifiable information in electronic or physical form.

All OPM personnel and contractors shall immediately (no more than 30 minutes after becoming aware of the incident) report suspected security incidents to the OPM Situation Room (SitRoom) ( ) in accordance with OPM's Incident Response and Reporting Guide. In addition, all OPM personnel and contractors must promptly report any actual or suspected breach of PII to the OPM SitRoom in accordance with the reporting procedures on the Privacy (PII) Web pages on the OPM intranet.

OPM's Computer Incident Response Team (CIRT) shall report security incident information to designated authorities within and outside of OPM in accordance with United States Computer Emergency Readiness Team (US-CERT) guidelines.

OPM shall employ automated mechanisms to assist in the reporting of security incidents. Network- and host-based intrusion detection systems (IDS) and other system monitoring tools can provide automated detection of incidents and send alerts to the appropriate security personnel. The OPM CIRT may use automated tools, such as centralized service desk ticketing tools, to track and report possible security incidents. (Moderate and High)

Reference the OPM Incident Response and Reporting Guide for detailed information.

6.4.7 Incident Response Assistance (IR-7)

Since handling security incidents is not a primary duty of information system users, users should have resources available to assist them in responding to incidents, provided by staff whose responsibilities include security incident response.

OPM shall provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Possible implementations include a help desk or an assistance group, and access to forensics services when required.

OPM shall employ automated mechanisms to increase the availability of incident response-related information and support. (Moderate and High) Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may proactively send information to users (general distribution or targeted) to increase understanding of current response capabilities and support.

6.4.8 Incident Response Plan (IR-8)

It is important that OPM have a formal, focused, and coordinated approach to responding to information security incidents. OPM's mission, strategies, and goals for incident response help determine the structure of its incident response capability.

The CISO shall ensure:
- Development of an Incident Response Plan that:
  - Provides the organization with a roadmap for implementing its incident response capability;
  - Describes the structure and organization of the incident response capability;
  - Provides a high-level approach for how the incident response capability fits into the overall organization;
  - Meets the unique requirements of the organization relating to mission, size, structure, and functions;
  - Defines reportable incidents;
  - Provides metrics for measuring the incident response capability within the organization;
  - Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  - Is reviewed and approved by designated officials within the organization.
- Distribution of copies of the Incident Response Plan to the Chief Information Officer (CIO), SOs, ISSOs, DSOs, and additional staff as necessary;
- Review of the Incident Response Plan at least annually;
- Revision of the Incident Response Plan to address system or organizational changes or problems encountered during plan implementation, execution, or testing; and
- Communication of Incident Response Plan changes to the CIO, CISO, SOs, ISSOs, DSOs, and other impacted staff.

6.5 Maintenance (MA)

Regularly scheduled maintenance activities are essential to system life and longevity. Periodic, routine, and emergency maintenance activities are defined to include the functions (and individuals) responsible, notification and scheduling procedures, and the level of service to be provided, including response times for various types of outages. Special considerations applicable to remote maintenance procedures must also be identified.

Policy: Office of Personnel Management (OPM) policy is to:
- Perform periodic and timely maintenance on information systems.
- Provide effective controls on the mechanisms, techniques, tools, and personnel used to conduct information system maintenance.

6.5.1 System Maintenance Policy and Procedures (MA-1)

The policies under this control are implemented with the OPM-wide System Maintenance Procedure. Operational maintenance procedures may be developed by program offices and operational groups where necessary. Maintenance procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.5.2 Controlled Maintenance (MA-2)

Routine preventive and regular maintenance activities must be accomplished without adversely affecting system security or operations.

System Owners (SO) shall ensure:
- Maintenance and repairs on information system components are scheduled, performed, documented, and reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
- Maintenance activities are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
- Designated officials explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
- Equipment is sanitized to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
- All potentially impacted security controls are checked to verify that the controls are still functioning properly following maintenance or repair actions.

Maintenance activities shall follow configuration management and change control processes (Reference CM-3).

SOs shall ensure maintenance records for the information system include:
- Date and time of maintenance;
- Name of the individual performing the maintenance;
- Name of escort, if necessary;
- Description of the maintenance performed; and
- List of equipment removed or replaced (including identification numbers, if applicable). (Moderate and High)

SOs shall ensure use of automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of maintenance and repair actions needed, in process, and completed. (High)

6.5.3 Maintenance Tools (MA-3)

Security-related issues may arise from the hardware and software used for information system diagnostic and repair actions (e.g., a hardware or software packet sniffer introduced for a particular maintenance activity).

SOs shall ensure that information system maintenance tools are approved, controlled, monitored in use, and maintained on an ongoing basis. Maintenance tools carried into a facility by maintenance personnel shall be inspected for obvious improper modifications. Media containing diagnostic and test programs shall be checked for malicious code before the media are used in the information system. (Moderate and High)

SOs shall ensure prevention of unauthorized removal of maintenance equipment by one of the following: (i) verification that there is no organizational information contained on the equipment; (ii) sanitization or destruction of the equipment; (iii) retention of the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility. (High)

6.5.4 Remote Maintenance (MA-4)

Maintenance may be performed on site or remotely. Remote maintenance presents several opportunities for compromising the security of a system. Maintenance performed remotely via communications connections requires transmission encryption, identification, multi-factor authentication, and an audit trail of the access and actions. If a system has a maintenance account, the account or its password shall be disabled until it is needed.

SOs shall ensure:
- Non-local maintenance and diagnostic activities and tools are authorized, monitored, controlled, consistent with organizational policy, and documented in the security plan for the information system;
- Strong identification and authentication techniques are used during non-local maintenance and diagnostic sessions;
- Non-local maintenance and diagnostic activities are documented and the records maintained; and
- Sessions and network connections are terminated when non-local maintenance is completed.
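The MA-4 requirement that a maintenance account stay disabled until it is needed is something an SO can verify directly from the host's account database rather than take on trust. The following is an added example and is not part of the OPM handbook or any OPM procedure: it parses a constructed excerpt of a Linux /etc/shadow file (fake hashes, assumed account names) and lists the maintenance accounts that could currently log in, treating an account as disabled only if its password field is locked (`!` or `*` prefix) or its expiry date has passed. An empty password field is deliberately reported as enabled, because it permits passwordless login rather than blocking it.

```python
"""Check that maintenance accounts are disabled until needed (added example).

Not OPM code: it reads shadow-format account records and reports the
maintenance accounts that are still able to log in. Runs offline on the
constructed sample below; feed parse_shadow() the contents of a real
/etc/shadow (root required to read it) to audit a live host.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed /etc/shadow excerpt (fake hashes, not real credentials).
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
#   password  '!' or '*' prefix = locked; EMPTY = no password required
#   expire    days since 1970-01-01; login refused on days after it; empty = never
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehash:18900:0:99999:7:::
vendor-maint:!$6$saltsalt$fakehash:18900:0:99999:7:::
hwdiag:*:18900:0:99999:7:::
remote-svc:$6$saltsalt$fakehash:18900:0:99999:7::19000:
field-eng:$6$saltsalt$fakehash:18900:0:99999:7::19400:
console-maint::18900:0:99999:7:::
"""

# Assumed names of the maintenance/vendor accounts on this host.
MAINT_ACCOUNTS = {"vendor-maint", "hwdiag", "remote-svc", "field-eng", "console-maint"}


@dataclass
class ShadowEntry:
    name: str
    password: str
    expire_days: Optional[int]  # None means the account never expires

    def is_locked(self) -> bool:
        # passwd -l / usermod -L prefix the hash with '!'; '*' and '!!' also lock.
        # An empty field is NOT locked: it means no password is needed at all.
        return self.password.startswith(("!", "*"))

    def is_expired(self, today_days: int) -> bool:
        # shadow(5): the account is inaccessible on days after the expiry date.
        return self.expire_days is not None and self.expire_days < today_days

    def is_disabled(self, today_days: int) -> bool:
        return self.is_locked() or self.is_expired(today_days)


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines; reject malformed records rather than guess."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        expire = int(fields[7]) if fields[7] else None
        entries.append(ShadowEntry(name=fields[0], password=fields[1], expire_days=expire))
    return entries


def enabled_maintenance_accounts(text: str, maint_names: Iterable[str],
                                 today_days: int) -> List[str]:
    """Return the maintenance accounts that can log in today (MA-4 violations)."""
    names = set(maint_names)
    return sorted(e.name for e in parse_shadow(text)
                  if e.name in names and not e.is_disabled(today_days))


if __name__ == "__main__":
    import time
    today = int(time.time() // 86400)
    for acct in enabled_maintenance_accounts(SAMPLE_SHADOW, MAINT_ACCOUNTS, today):
        print(f"ENABLED maintenance account: {acct}")
```

On the constructed sample, `vendor-maint` and `hwdiag` pass because they are locked, `remote-svc` passes once its expiry date is behind the check date, `field-eng` is flagged until its later expiry passes, and `console-maint` is always flagged because an empty password field is an open door, not a disabled account. Expiry alone is a weaker control than locking, since it depends on the host clock and on someone remembering to set it; the check treats either as acceptable only because the policy text allows disabling "the passwords or accounts".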

6.5.5 Maintenance Personnel (MA-5)

When maintenance personnel modify the system or system components, the opportunity for accidental or intentional compromise and mistakes exists. Only authorized personnel may perform maintenance on the information system.

SOs shall ensure:
- Processes are established for authorizing maintenance personnel, and a current list of authorized maintenance organizations or personnel is maintained;
- Personnel performing maintenance on the information system have the required access authorizations, or organizational personnel with the required access authorizations and the necessary technical competence are designated to supervise information system maintenance when maintenance personnel do not possess the required access authorizations;
- Individuals not previously identified in the information System Security Plan (SSP), such as vendor personnel and consultants, who legitimately require privileged access to the system (e.g., to conduct maintenance or diagnostic activities with little or no notice) may, based on a prior assessment of risk, be issued temporary credentials for a limited time period; and
- Maintenance is performed by authorized vendors.

6.5.6 Timely Maintenance (MA-6)

If a component is critical for the system to remain available, the System Owner (SO) shall ensure that maintenance can be performed within a predetermined time agreed with the vendors, so as not to cause a greater interruption to the business functions the system supports. The SO obtains maintenance support and/or spare parts for critical information system components and/or key information technology components defined by SOs within 72 hours of failure.

SOs shall specify information system components that, when not operational, result in increased risk to the organization, individuals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components include firewalls, guards, gateways, intrusion detection systems, audit repositories, authentication servers, and intrusion prevention systems.

6.6 Media Protection (MP)

Media Protection (MP) security controls are designed to ensure sensitive information is protected from inadvertent and intentional disclosure or destruction. Information exists in many forms and can be stored in different ways. Media controls are protective measures specifically designed to safeguard electronic data and hardcopy information. This policy addresses the protection, marking, sanitization, production input/output, and disposal of media containing sensitive information. Digital media include USB memory sticks, external hard disk drives, cameras, music players, or any device that can store data.

Policy: All Office of Personnel Management (OPM) information in printed form or on digital media shall be protected within and outside of OPM facilities. Both physical and logical access to media containing sensitive information (including but not limited to personally identifiable information, PII) shall be limited to authorized personnel. Before disposal or release for reuse, all digital and non-digital media shall be sanitized or destroyed. All OPM personnel and contractors (internal and external) shall limit printing and transporting of media containing PII to the minimum required to complete the mission. The responsibility for protecting PII begins when that information is first placed in an individual's custody and does not end until custody is properly transferred to another responsible official. Personnel shall protect information at the office, in automobiles (government or privately owned), at home, in a hotel room, or anywhere outside of OPM-controlled facilities. Program Supervisors shall perform periodic, structured evaluations to ensure that individuals handle and protect PII according to agency policies and procedures.

6.6.1 Media Protection Policy and Procedures (MP-1)

The policies under this control are implemented with the OPM Media Protection Procedures. Media Protection Procedures may be developed by program offices and operational groups where necessary. Media Protection Procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.6.2 Media Access (MP-2)

To protect and secure sensitive information, the media used to store or present the information shall be protected from improper access and properly destroyed when no longer required. Media shall be restricted to authorized individuals based on the sensitivity of the data. Furthermore, appropriate physical security and access control measures shall be established for facilities storing media, including off-site facilities.

System Owners (SO) shall ensure that only authorized users have access to information in printed form or on digital media removed from the information system, using formal documented procedures. SOs shall ensure automated mechanisms are implemented to restrict access to media storage areas and to audit access attempts and access granted. (Moderate and High)

6.6.3 Media Marking (MP-3)

To protect the information on stored media, the media should be labeled with its sensitivity so that individuals handling the media or information understand the level of protection that should be provided.

All users shall ensure that external labels are affixed to removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings. All portable computer storage media containing PII shall be labeled "FOR OFFICIAL USE ONLY (FOUO)". The System Owner (SO) may exempt portable digital and non-digital media from marking as long as the exempted items remain within a secure environment (a locked room accessible by manual key, key fob, electronic physical access card, or cipher lock). (Moderate and High)

6.6.4 Media Storage (MP-4)

An additional level of protection is provided by securely storing media based on the information's required level of protection.

All users shall physically control and securely store information system media, both paper and electronic, within controlled areas, using approved resources, techniques, equipment, and procedures for the information system's highest security category as defined by Federal Information Processing Standard (FIPS) 199. Information system media shall be protected until destroyed or sanitized using approved equipment, techniques, and procedures. (Moderate and High)

6.6.5 Media Transport (MP-5)

To prevent a possible compromise of information, the media storing the information must be protected during transport outside of organizationally controlled areas.

All users shall protect, control, and maintain accountability for digital and non-digital media during transport outside of controlled areas, using approved resources, techniques, equipment, and procedures for the information system's highest security category as defined by Federal Information Processing Standard (FIPS) 199. The SO shall restrict the activities associated with transport of such media to authorized personnel. The SO shall use FIPS-compliant cryptographic mechanisms to protect the confidentiality and integrity of the information stored on digital media during transport outside of OPM-controlled areas. All activities associated with the transportation of information system media shall be documented. (Moderate and High)

The SO shall employ an identified custodian at all times to transport information system media. (High)

6.6.6 Media Sanitization and Disposal (MP-6)

When media is disposed of, it must be properly sanitized to prevent compromise of the data, either by destroying the data or by destroying the media.

The System Owner (SO) shall sanitize information system media, both digital and non-digital, prior to disposal, release out of OPM-controlled areas, or release for reuse. The SO shall employ sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

The SO shall ensure:
- Media sanitization and disposal actions are tracked, documented, and verified.
- Sanitization equipment and procedures are tested annually to verify correct performance.
- Portable, removable storage devices are sanitized prior to connecting such devices to the information system under the following circumstances:
  - When devices are first purchased, prior to initial use;
  - Prior to re-issuing a device;
  - When the organization loses positive chain of custody for the device; and
  - When a device has reached its end-of-life and is decommissioned. (High)
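The MP-6 requirement that sanitization be verified, and that the verification procedure itself be tested, comes down to reading the medium back after a clearing pass and confirming it holds nothing but the overwrite pattern. The following is an added example and not OPM's procedure: it verifies a constructed in-memory disk image sector by sector, either completely (appropriate for small media) or on a reproducible random sample chosen with a fixed seed so the sampled sectors can be recorded alongside the sanitization record, and names any sectors that still hold residual data. The sector size, image size and the stray plaintext left in one sector are assumptions for the illustration.

```python
"""Read-back verification after media sanitization (added example, not OPM code).

After an overwrite pass, confirm that every sector (or a reproducible random
sample of sectors) contains only the overwrite pattern, and name the sectors
that do not. The 'device' here is a constructed in-memory image; on a real
host read_sector would wrap os.pread() on the block device node.
"""
import random
from typing import Callable, List, Optional, Tuple

SECTOR_SIZE = 512  # assumed logical sector size


def verify_sanitized(read_sector: Callable[[int], bytes], n_sectors: int,
                     pattern: int = 0x00, sample: Optional[int] = None,
                     seed: int = 0) -> Tuple[bool, List[int]]:
    """Return (passed, offending_sector_numbers).

    sample=None reads every sector (full verification). Otherwise `sample`
    distinct sectors are chosen with a fixed seed, so the same sectors can be
    re-read later and the sample documented in the sanitization record.
    """
    expected = bytes([pattern]) * SECTOR_SIZE
    if sample is None or sample >= n_sectors:
        chosen = range(n_sectors)
    else:
        chosen = sorted(random.Random(seed).sample(range(n_sectors), sample))
    offending = [s for s in chosen if read_sector(s) != expected]
    return (not offending, offending)


def make_device(image: bytes) -> Callable[[int], bytes]:
    """Wrap a constructed image as a sector reader; a short read is an error."""
    def read_sector(n: int) -> bytes:
        chunk = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if len(chunk) != SECTOR_SIZE:
            raise IOError(f"short read at sector {n}")
        return chunk
    return read_sector


# Constructed test images: 64 sectors, one clean after a zero-fill and the
# same image with a stray plaintext record left behind in sector 17.
N_SECTORS = 64
CLEAN_IMAGE = bytes(N_SECTORS * SECTOR_SIZE)
_residual = bytearray(CLEAN_IMAGE)
_residual[17 * SECTOR_SIZE + 100:17 * SECTOR_SIZE + 119] = b"residual PII record"
RESIDUAL_IMAGE = bytes(_residual)


def full_check(image: bytes) -> Tuple[bool, List[int]]:
    """Verify every sector of a constructed image against a zero pattern."""
    return verify_sanitized(make_device(image), len(image) // SECTOR_SIZE)


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("residual", RESIDUAL_IMAGE)):
        ok, bad = full_check(img)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {bad}")
    # A sampled run may or may not land on sector 17; that is the trade-off
    # of sampling, which is why full verification is preferred where feasible.
    print("sampled:", verify_sanitized(make_device(RESIDUAL_IMAGE), N_SECTORS, sample=8, seed=1))
```

Full verification catches the residual record every time; a sampled run only catches it if sector 17 happens to be drawn, which is the argument for verifying small media completely and for recording the seed and sample size when sampling larger ones. Read-back verification of this kind only covers addressable sectors: it says nothing about remapped or over-provisioned areas on flash media, which is one reason the policy leaves destruction as the alternative to overwriting.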

6.7 Physical and Environmental (PE)

Physical and Environmental Security (PE) represents the first line of defense against intruders and adversaries attempting to gain access to Office of Personnel Management (OPM) facilities and/or information systems. General physical access controls restrict the entry and exit of personnel to and from a protected area, such as an office building, data center, or room containing information technology equipment. Physical and environmental security involves protecting the agency's physical environments and ensuring physical security controls are in place to protect people, property, and information resources.

The OPM Physical Security Manager (PSM), located at the OPM Headquarters Office in Washington, DC, shall establish security standards/guidelines and monitor implementation at the Headquarters Office. The same standards apply at other OPM facilities; however, the Facility Managers are responsible for implementing the associated controls within those locations. The PSM shall monitor the implementation of OPM physical standards to ensure compliance at all OPM facilities. Facility Managers, at all OPM facilities, are primarily responsible for building maintenance (e.g., HVAC, lighting, power, fire suppression, etc.).

Policy: OPM shall:
- Limit physical access to information systems, information system equipment, and the respective operating environments to authorized individuals.
- Protect the security of the physical facilities and the essential utilities and infrastructure.
- Provide appropriate environmental controls in facilities containing information systems.

6.7.1 Physical and Environmental Protection Policy and Procedures (PE-1)

The policies under this family shall be implemented with the OPM Physical and Environmental Protection Procedure. Physical and Environmental Protection procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.7.2 Physical Access Authorizations (PE-2)

The Physical Security Manager (OPM Headquarters) and Facility Managers at other OPM facilities shall ensure a current list of personnel with authorized access to facilities containing information systems is developed and kept (except for those areas within the facilities officially designated as publicly accessible). Appropriate authorization credentials shall be issued (e.g., badges, identification cards, smart cards, and key fobs). The Physical Security Manager (PSM), Facility Manager, System Owner (SO), and Data Center Manager shall ensure the access list and authorization credentials are reviewed and approved at least monthly. Access rights shall be granted based on the principle of least privilege. The Physical Security Manager and/or Facility Manager shall ensure procedures are developed, maintained, and reviewed annually to issue, modify, and revoke authorization credentials.

6.7.3 Physical Access Control (PE-3)

All physical access points (including designated entry/exit points) to facilities shall be controlled (except for those areas within the facilities officially designated as publicly accessible), and individual access authorizations are to be verified before granting access to the facilities. Access to areas officially designated as publicly accessible shall be controlled, as appropriate, in accordance with the assessment of risk.

Physical access procedures include:
- Only authorized employees and contractor employees shall be granted entrance to the OPM data center or a contractor data center.
- Visitors shall sign in and be escorted on a continuous basis.
- Physical access to all business- and mission-critical systems and information shall be monitored to detect and respond to incidents.
- Real-time physical intrusion alarms and surveillance equipment are monitored, and automated mechanisms are employed to recognize potential intrusions and initiate appropriate response actions.

The Physical Security/Facility Manager shall:
- Verify individual access authorizations before granting access to the facility.
- Control entry to the facility containing the information system using physical access devices and/or guards.
- Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.
- Secure keys, combinations, and other physical access devices.
- Inventory physical access devices at least annually.
- Change combinations and keys at least annually and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Emergency exit and re-entry procedures shall ensure that only authorized personnel are allowed to enter a facility after emergency evacuations.

The Data Center Manager or SO enforces physical access authorizations to the information system independent of the physical access controls for the facility. (High)

6.7.4 Access Control for Transmission Medium (PE-4)

Protecting system distribution and transmission lines protects the information from being intercepted during transmission. The Facility Manager and SO shall ensure controls are in place for physical access to the information system's distribution and transmission lines, such as locking wire cabinets, disconnecting or locking spare jacks, protecting cabling by conduit or cable trays, or another acceptable method. (Moderate and High)

6.7.5 Access Control for Output Devices (PE-5)

The SO shall ensure controls are in place for physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Monitors, printers, and audio devices are examples of information system output devices. Physical access to devices displaying information must be controlled to ensure it is not visible to those who should not have access. If physical protections are not in place to limit traffic, the authorized user may orient keyboards and monitor screens away from casual viewers to protect the data. Privacy filters for computer screens may also be used. Printers shall be located in secure areas to prevent unauthorized access to output. (Moderate and High)

6.7.6 Monitoring Physical Access (PE-6)

The Physical Security Manager (PSM)/Facility Manager, Data Center Manager, and SO shall:
- Monitor physical access to the information system to detect and respond to physical security incidents;
- Review physical access logs quarterly; and
- Coordinate results of reviews and investigations with the organization's incident response capability.

The Physical Security/Facility Manager shall ensure monitoring of real-time physical intrusion alarms and surveillance equipment. (Moderate and High)

Facility Managers shall ensure automated mechanisms are implemented to recognize potential intrusions into controlled access areas and initiate designated follow-up response actions. (High)

6.7.7 Visitor Control (PE-7)

The Physical Security/Facility Manager, Data Center Manager, and SO shall ensure controls are in place for physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible.

OPM has a campus initiative with the Department of the Interior (DOI) and the General Services Administration (GSA). OPM employees can visit those buildings' cafeterias and take exercise classes in those buildings. Current employees from DOI and GSA have access to the OPM building using their Federal ID badge. These employees are only allowed to access the public areas (e.g., cafeteria, lobby, and exercise room).

Visitors shall be signed in by OPM personnel. When necessary, visitors must be escorted by authorized OPM federal personnel. (Moderate and High) Visitors receiving temporary badges shall be instructed to display the badges at all times while in the facility.
The escort shall ensure that all temporary badges are returned before the visitor departs the facility.

6.7.8 Access Records (PE-8)

The SO, Data Center Manager, and Physical Security/Facility Manager shall ensure visitor access records are maintained at the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible). Designated officials within OPM shall review visitor access records quarterly.

Visitor access logs for all facilities shall record the following:
- Name and organization of the visitor;
- Date of access;
- Time of entry and departure;
- Purpose of the visit; and
- Name and organization of the person visited.

Automated mechanisms shall be used to facilitate the maintenance and review of access records. The SO shall maintain a record of all physical access, by both visitors and authorized individuals. (High)

6.7.9 Power Equipment and Power Cabling (PE-9)

Power equipment and power cabling require protection from damage and destruction to safeguard the availability of information assets. The Facility Manager, Data Center Manager, and SO shall ensure protection of power equipment and power cabling for the information system from damage and destruction. The Facility Manager shall ensure that electric power and other utilities whose failure can cause a service interruption and/or damage are in proper working order. Regularly scheduled maintenance shall be performed and documented. Where feasible, the Facility Manager, Data Center Manager, and SO shall ensure redundant and parallel power cabling paths are employed. (Moderate and High)

6.7.10 Emergency Shutoff (PE-10)

The Facility Manager and Data Center Manager shall:
- Provide the capability of shutting off power to the information system or individual system components in emergency situations;
- Place emergency shutoff switches or devices in a location near the information system or information system component to facilitate safe and easy access for personnel; and
- Protect the emergency power shutoff capability from accidental or unauthorized activation.

This applies to facilities containing concentrations of information system resources (e.g., data centers, server rooms, and mainframe computer rooms). (Moderate and High)

6.7.11 Emergency Power (PE-11)

Emergency power gives personnel the ability to shut down information systems in an orderly manner, protecting against possible compromise of information assets in the event the primary power source fails. This may give support staff a means to prevent major system problems.
The SO shall provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss. (Moderate and High)

The SO shall provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. (High)

Emergency Lighting (PE-12)

Automatic emergency lighting systems that activate in the event of a power outage or disruption are a physical control that provides safety to support staff. The Facility Manager shall employ and maintain automatic emergency lighting systems that activate in the event of a power outage or disruption and that cover emergency exits and evacuation routes within the facility.

Fire Protection (PE-13)

The Facility Manager shall employ and maintain fire suppression and detection devices/systems for the information system that can be activated in the event of a fire and are supported by an independent energy source where feasible. Fire suppression and detection devices/systems include sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. The Facility Manager shall ensure that the building and/or area are evaluated for fire threats based upon established regulations and standards, including local fire codes. The Facility Manager shall employ:
- Fire detection devices and systems that activate automatically and notify OPM and emergency responders in the event of a fire;
- Fire suppression devices and systems that provide automatic notification of any activation to OPM and emergency responders; and
- An automatic fire suppression capability in facilities that are not staffed on a continuous basis.
(Moderate and High)

Temperature and Humidity Controls (PE-14)

The Facility Manager, Data Center Manager, and SO shall:
- Maintain temperature and humidity levels within the facility where the information system resides at acceptable levels per the system equipment specifications (or temperatures of f and relative humidity of 50% +/- 10%); and
- Monitor temperature and humidity levels at acceptable intervals per the system requirements, or continuously.

Water Damage Protection (PE-15)

The Facility Manager, Data Center Manager, and SO shall protect the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. While plumbing leaks do not occur every day, they can be seriously disruptive. The Facility Manager shall know the location of plumbing lines that might endanger information system hardware and take steps to reduce risk (e.g., moving hardware, relocating plumbing lines, and identifying shutoff valves). They shall also ensure that water, sewage, and other utilities that can cause a service interruption and/or damage are in proper working order.

The Facility Manager shall employ mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak. (High)

Delivery and Removal (PE-16)

The Physical Security Manager (PSM), Facility Manager, Data Center Manager, and/or SO shall authorize, monitor, and control information system-related items (hardware and firmware) entering and exiting the facility and shall maintain records of those items through the use of an asset tagging and control system. Record entries shall, at a minimum, include manufacturer, type, model, status, physical location, and asset owner. Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

Alternate Work Site (PE-17)

Everyone who uses, manages, operates, maintains, or develops OPM applications or data, wherever they reside (referred to as "OPM users"), must comply with OPM's Information Security and Privacy Policy (ISPP), unless a specific waiver is obtained. In order to maintain security, the alternate work site must provide the same level of security that exists at the primary work site. Alternate work sites may include government facilities or private residences of employees. The SO shall ensure (Moderate and High):
- Employment of a level of security protection equal to the highest rated information or information system accessed at alternate work sites;
- The effectiveness of security controls at alternate work sites is assessable as feasible; and
- Provision of a means for employees to communicate with information security personnel in case of security incidents or problems.

OPM users shall report security problems to OPM's Help Desk.
Reference OPM's Telework Policy and the National Institute of Standards and Technology (NIST) Guide to Enterprise Telework and Remote Access Security for additional information.

Location of Information System Components (PE-18)

The Facility Manager, Data Center Manager, and SO shall position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. (Moderate and High) Physical and environmental hazards include flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and electromagnetic radiation.

The Facility Manager plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy. (High)

6.8 Personnel Security (PS)

Office of Personnel Management (OPM) information systems face threats from many sources, including the actions of people (e.g., employees, external users, and contractor personnel). The intentional and unintentional actions of these individuals can potentially harm or disrupt information systems and their facilities. These actions can result in the destruction or modification of the data being processed, denial of service to the end users, and unauthorized disclosure of data, potentially jeopardizing OPM's mission. Personnel security controls are needed to ensure that individuals occupying positions of responsibility are trustworthy and meet established security criteria for those positions; that information and IT systems are protected during and after personnel actions such as terminations and transfers; and that formal sanctions are employed for personnel failing to comply with OPM security policies and procedures.

Policy: OPM shall:
- Ensure that individuals (including third-party service providers) requiring access to information systems and occupying positions of responsibility have background investigations that the OPM Chief Information Officer (CIO) or designee agrees are appropriate to the functions they will perform before access is authorized.
- Ensure that information and information systems are protected if adverse actions are taken against an OPM user, such as termination or suspension.
- Employ formal sanctions for personnel who fail to comply with OPM security policies and procedures.

Personnel Security Policy and Procedures (PS-1)

The policies under this family are implemented with the OPM-wide Personnel Security Procedures. Operational personnel security procedures may be developed by program offices and operational groups where necessary. Personnel Security procedures shall be developed and disseminated.
The procedures shall be reviewed and updated every two years.

Position Categorization (PS-2)

Program Offices, in coordination with Human Resources and Physical/Personnel Security, shall designate the position sensitivity level for all government positions that use, develop, operate, or maintain information systems under their purview and shall determine risk levels for each contractor position in accordance with OPM policy and guidance. Risk designations shall be assigned to all positions, and screening criteria shall be established for individuals filling those positions. Position risk designations shall be reviewed and revised at least annually.

Personnel Screening (PS-3)

In accordance with Executive Order 10450, Security Requirements for Government Employees, and 5 CFR 731, 732, and 735, all employees shall be subject to an appropriate background check prior to permitting access to information systems and computer resources. Background investigations ensure that all employees and contractor employees are designated with position-sensitivity levels that are commensurate with the responsibilities and risks associated with the position. The

Background Investigation may consist of a National Agency Check (NAC), subject interview, written inquiries, record searches, credit check, and personal interviews with selected sources covering employment, residence, education, and law enforcement agencies during the most recent five-year period, but not less than two years, with a credit check up to seven years. Background investigations shall be completed and favorably adjudicated for personnel assigned to these positions prior to allowing access to sensitive systems and networks. Contracts shall include language requiring background checks equivalent to a NAC with Investigation (NACI). For contractor employees, the risk designation or sensitivity level of the contract determines the type of background investigation that shall be conducted for the individual performing the work. Regardless of the risk or sensitivity rating of the contract, Personal Identity Verification under Homeland Security Presidential Directive-12 (HSPD-12), in accordance with Federal Information Processing Standard (FIPS) 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, may dictate a more stringent background investigation for individuals performing work on the contract. OPM shall screen individuals prior to authorizing access to the information system, and shall rescreen individuals upon a change in position risk designation, a new position with a higher risk designation, or otherwise according to HSPD-12 requirements.

Personnel Termination (PS-4)

It is critical to the protection of information assets that access be terminated immediately to prevent misuse of privileges granted to an individual, either by the terminated individual or by others who may misuse the access.
When employment is terminated, the Facility Manager, Network Manager (NM), and System Owner (SO) shall ensure:
- Information system access is terminated immediately, within 24 hrs following an individual's separation;
- Exit interviews are conducted;
- OPM information system-related property (e.g., keys, identification cards, building passes) is returned; and
- Appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems.

Personnel Transfer (PS-5)

When personnel transfer within OPM, the Physical Security Manager (PSM) and SO shall review access to information resources to ensure that personnel access privileges are still applicable to the new role and responsibilities, to prevent either accidental or intentional misuse. OPM shall review information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within OPM and initiate appropriate actions within 24 hrs, such as:
- Closing old accounts and establishing new accounts;
- Changing system access authorizations;

- Ensuring the return of all OPM information system-related property (e.g., keys, identification cards, building passes); and
- Ensuring that appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems.

Access Agreements (PS-6)

Access agreements are necessary for individuals and entities to understand their responsibility in the protection of information and information assets. Acknowledgment of these responsibilities is achieved by having the individuals review and sign appropriate access agreements associated with the information or information assets (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements). Supervisor (or designee) approval is required for OPM employees to access OPM information systems. Contracting Officer's Technical Representative (COTR) approval is required for contractors. OPM personnel and contractors shall sign access agreements before access is granted to OPM information and information systems. All OPM employees shall sign a hard copy or an electronic copy of the OPM Rules of Behavior prior to being granted access to OPM information systems. Access agreements shall be reviewed and updated at least annually.

Third-Party Personnel Security (PS-7)

Third-party personnel shall acknowledge and confirm their understanding of and accountability for maintaining the security of the information assets for which they are responsible. Third-party providers include service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Third-party providers shall comply with the OPM Information Security and Privacy Policy (ISPP). Contracting Officer's Technical Representatives (COTR) shall monitor provider compliance.
Personnel Sanctions (PS-8)

OPM shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures. This standard shall be applicable to all OPM employees, contractors, fiscal agents, financial agents, and subcontractor personnel who handle or access OPM information systems and equipment where OPM information is processed, transmitted, and stored. This sanctions process shall address compliance, enforcement, and waivers of this policy.

6.9 System and Information Integrity (SI)

System and information integrity controls provide users with a level of confidence that Office of Personnel Management (OPM) systems and information are protected by methods that prevent unauthorized users from modifying or destroying data. System and information integrity controls include provisions for the identification, reporting, and correction of system flaws, security patches, and other fixes. Antivirus, anti-spyware, and other protections are needed to ensure

information systems are secure. Intrusion detection systems and other security monitoring tools must be used to identify and support remediation of security incidents. Health and performance monitoring tools must also be used to identify and support remediation of system problems that may affect availability and other protections. Information systems must also be designed to validate data entered or processed and to provide error messages without revealing system information or data.

Policy: OPM's policy is to:
- Identify, report, and correct information and information system flaws in a timely manner.
- Monitor information system security alerts and advisories and take appropriate actions in response.
- Provide protection from malicious code at appropriate locations within information systems.

System and Information Integrity Policy and Procedures (SI-1)

The policies under this control are implemented with the OPM System and Information Integrity Procedure. System and information integrity procedures may be developed by program offices and operational groups where necessary. System and information integrity procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Flaw Remediation (SI-2)

Information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) shall be identified, reported, and promptly remediated by installing security-relevant software updates (e.g., patches, service packs, and hot fixes) that are tested as part of the configuration management and change control process. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling shall also be addressed expeditiously.
OPM System Owners (SO) shall use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in information systems. United States Computer Emergency Readiness Team (US-CERT), vendor, and other applicable alerts shall be addressed. SOs shall ensure information system flaws are:
- Identified, reported, and corrected;
- Tested for effectiveness and potential side effects on organizational information systems before installation; and
- Incorporated into the organizational configuration management process (Reference CM-2, CM-3, and CM-4).

The Software Development Manager and Network Manager shall identify, report, and correct flaws discovered in the information system software or hardware. Software updates related to flaw remediation shall be tested for effectiveness and potential side effects on OPM information

systems before installation. Flaw remediation shall be incorporated into the OPM configuration management process. SOs shall ensure automated mechanisms are employed periodically (semi-weekly for servers, monthly for workstations, and quarterly for network resources) and on demand to determine the state of information system components with regard to flaw remediation. (Moderate and High) SOs shall ensure the flaw remediation process is centrally managed and ensure software updates are automatically installed. Due to information system integrity and availability concerns, SOs shall carefully consider the methodology used to carry out automatic updates. For example, updates may be first pushed to less critical environments (e.g., test environment) or components (e.g., secondary production web server) prior to critical components (e.g., primary production web servers). (High)

Malicious Code Protection (SI-3)

Software is vulnerable to malicious code; therefore, it is essential that OPM provide protection mechanisms and tools to reduce the threat of attacks. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. A variety of technologies and methods exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code.
Organizations must, in these situations, rely instead on other risk mitigation measures, including secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices, to help ensure that software does not perform functions other than those intended. SOs shall ensure:
- Malicious code protection mechanisms are employed at information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers) and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
  o Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
  o Inserted through the exploitation of information system vulnerabilities;
- Malicious code protection mechanisms (including signature definitions) are updated whenever new releases are available in accordance with OPM configuration management policy and procedures;
- Malicious code protection mechanisms are configured to:
  o Perform scans of the information system at least weekly and real-time scans of files from external sources (e.g., USB devices, compact disks, attachments) as the files are downloaded, opened, or executed in accordance with OPM security policy; and

  o Send an alert to the administrator and quarantine or eradicate malicious code (e.g., viruses, worms, Trojan horses) in response to malicious code detection; and
- The receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system, is addressed.

SOs shall ensure malicious code protection mechanisms are centrally managed and automatically updated (including virus signature definitions). Information systems shall prevent non-privileged users from circumventing malicious code protection capabilities. (Moderate and High)

Information System Monitoring (SI-4)

Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces. The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined based on monitoring objectives and the capability of the information system to support such activities.
An example of a specific type of transaction of interest to the organization with regard to monitoring is Hypertext Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required. SOs shall ensure:
- Events on the information system are monitored in accordance with risk-based objectives and information system attacks are detected;
- Unauthorized use of the information system is identified;
- Monitoring devices are deployed:
  o Strategically within the information system to collect OPM-determined essential information; and
  o At ad hoc locations within the system to track specific types of transactions of interest to OPM;
- The level of information system monitoring activity is heightened whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and

- Legal opinion is obtained with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

SOs shall employ automated tools to monitor inbound and outbound communications for unusual or unauthorized activities or conditions, support near real-time analysis of events, and provide real-time alerts of potential compromise; for example, perimeter routers and firewalls generate audit records when network traffic is blocked in accordance with configuration policy and/or ACLs, and the IDS detects and reports suspicious activity or a detected attack signature. (Moderate and High) Unusual/unauthorized activities or conditions include internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Alerts may be generated from a variety of sources, such as audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. SOs shall ensure information systems are configured to prevent non-privileged users from circumventing intrusion detection and prevention capabilities. (Moderate and High)

Security Alerts, Advisories, and Directives (SI-5)

Security alerts and advisories are generated by the United States Computer Emergency Readiness Team (US-CERT) to maintain situational awareness across the Federal Government. Security directives are issued by the Office of Management and Budget (OMB) or other designated organizations with the responsibility and authority to issue such directives.
Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. The Chief Information Security Officer (CISO) shall ensure:
- Information system security alerts, advisories, and directives from designated external organizations are received on an ongoing basis;
- Internal security alerts, advisories, and directives are generated as deemed necessary;
- Security alerts, advisories, and directives are disseminated to SOs, Information System Security Officers (ISSO), Designated Security Officers (DSO), OPM users, etc.; and
- Security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance.

The CISO shall employ automated mechanisms to make security alert and advisory information available throughout OPM as needed. (High)

Security Functionality Verification (SI-6)

The need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests, the organization either implements

compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include startup, restart, shutdown, and abort. SOs shall ensure that information systems verify the correct operation of security functions upon:
- System startup;
- Restart, upon command by users with appropriate privilege, and system shutdown; and
- System restart when anomalies are discovered. (High)

Software and Information Integrity (SI-7)

Integrity verification applications are employed on information systems to look for evidence of information tampering, errors, and omissions. Organizations must employ good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and use tools to automatically monitor the integrity of the information system and hosted applications. SOs shall ensure that information systems detect unauthorized changes to software and information. SOs shall ensure:
- Integrity of software and information by performing at least annual integrity scans of the information system. (Moderate and High)
- Automated tools are employed that provide notification to designated individuals upon discovering discrepancies during integrity verification. (High)

Spam Protection (SI-8)

Spam presents another mechanism to introduce vulnerabilities into a system, as spam is associated with unsolicited e-mail. Vulnerabilities may be embedded within spam in the form of executable programs, references to Internet addresses where malicious programs might be downloaded, and requests for personal data from the recipient. The recipient may or may not know how to respond to spam, which introduces additional vulnerabilities to the system. OPM users shall refrain from spamming (sending or forwarding chain letters, other junk, or inappropriate messages).
In addition, sending global e-mails of any kind shall be restricted to designated officials within Program Offices. SOs shall ensure:
- Employment of spam protection mechanisms at information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers) and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
- Spam protection mechanisms (including signature definitions) are updated when new releases are available in accordance with organizational configuration management policy and procedures. (Moderate and High)

SOs shall ensure spam protection mechanisms are centrally managed. (High)

Information Input Restrictions (SI-9)

Restrictions on organizational personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities. Reference AC-5 and AC-6. SOs shall ensure information systems restrict the capability to input information to authorized personnel. (Moderate and High)

Information Input Validation (SI-10)

Information systems are only legitimate if the information the system presents is accurate, complete, and has not been compromised. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) should be used to verify that inputs match specified definitions for format and content. Inputs passed to interpreters must be prescreened to prevent the content from being unintentionally interpreted as commands. SOs shall ensure the information system checks the validity of information inputs. (Moderate and High)

Error Handling (SI-11)

The structure and content of error messages must be carefully considered. The extent to which the information system is able to identify and handle error conditions must be guided by organizational policy and operational requirements. SOs shall ensure information systems are configured to:
- Identify potentially security-relevant error conditions;
- Generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information (such as account numbers, social security numbers (SSNs), credit card numbers, and system configuration information) in error logs and administrative messages that could be exploited by adversaries; and
- Reveal error messages only to authorized personnel.
(Moderate and High)

Information Output Handling and Retention (SI-12)

Information system outputs could be used to compromise the system or expose information that should be protected. Output handling and retention requirements must cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The National Archives and Records Administration provides guidance on records retention. Reference MP-2 and MP-4. The Chief Information Security Officer (CISO), SOs, and Program Supervisors shall ensure OPM users handle and retain both information within and output from the information system in

accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
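The SI-4 passage above names HTTP traffic that bypasses a required organizational proxy as a transaction of interest. The following Python detector is an added example, not OPM tooling, that flags such flows in constructed firewall flow records; the internal address ranges, the proxy address 10.1.1.10, the web ports and the log format are all assumptions.

```python
"""SI-4 example: find HTTP/HTTPS flows that bypass the mandatory proxy.

Added illustration, not OPM tooling. Assumptions (all constructed): the
internal address space, the approved proxy address, and the one-flow-per-line
firewall log format 'timestamp src dst dport proto action'.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_HOSTS = {ipaddress.ip_address("10.1.1.10")}   # the required HTTP proxy
WEB_PORTS = {80, 443, 8080}                          # ports the proxy policy covers

# Constructed firewall flow records (the '#' comments are not part of the records).
SAMPLE_LOG = """
2011-03-31T10:00:01 10.2.3.4   10.1.1.10    8080 tcp allow  # via the proxy: expected
2011-03-31T10:00:05 10.2.3.4   198.51.100.7 443  tcp allow  # direct to the Internet: bypass
2011-03-31T10:00:09 10.2.3.5   203.0.113.9  80   tcp deny   # bypass attempt stopped by the firewall
2011-03-31T10:00:12 10.1.1.10  198.51.100.7 443  tcp allow  # the proxy itself: expected
2011-03-31T10:00:15 10.2.3.4   10.5.5.5     443  tcp allow  # internal web server: expected
2011-03-31T10:00:20 10.2.3.6   198.51.100.8 22   tcp allow  # ssh: outside this rule's scope
"""


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one flow record into a dict; raise ValueError if it is malformed."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 6:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, dport, proto, action = fields
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(), "action": action.lower()}


def find_proxy_bypass(log_text):
    """Return flows where an internal host reaches an external web port directly.

    A flow the firewall already denied is still reported (the attempt is the
    transaction of interest), but at lower severity than one that got through.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        flow = parse_flow(raw)
        if flow["proto"] != "tcp" or flow["dport"] not in WEB_PORTS:
            continue
        if flow["src"] in PROXY_HOSTS:
            continue            # the proxy's own egress is the sanctioned path
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue            # inbound or internal-only traffic is not a bypass
        flow["severity"] = "high" if flow["action"] == "allow" else "medium"
        findings.append(flow)
    return findings


def bypass_counts(findings):
    """Count bypass flows per source host, the figure an analyst would triage by."""
    return dict(Counter(str(f["src"]) for f in findings))


if __name__ == "__main__":
    hits = find_proxy_bypass(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"action={h['action']} severity={h['severity']}")
    print(bypass_counts(hits))
```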
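For the SI-7 integrity verification described above (cryptographic hashes, automated monitoring, and notification of discrepancies), here is an added Python example, not an OPM tool, that builds a SHA-256 baseline of a file tree, re-verifies it, and produces the notification messages; the directory layout and the tampering it demonstrates are constructed.

```python
"""SI-7 example: hash-based integrity baseline, verification, and notification.

Added illustration, not OPM tooling. The directory layout, file contents, and
the tampering applied in demo() are all constructed for the example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the live tree with the stored baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def notifications(result):
    """Messages for the designated individuals; empty when the tree is clean."""
    return [f"INTEGRITY {kind.upper()}: {path}"
            for kind in ("modified", "missing", "added") for path in result[kind]]


def _write(root, rel_path, data):
    full = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, tamper with it, and return both verification results."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original application binary")
        _write(root, "etc/app.conf", b"debug=false\n")
        # The baseline would normally be kept in protected storage; round-trip it
        # through JSON here to show it survives serialisation unchanged.
        baseline = json.loads(json.dumps(build_baseline(root)))
        clean = verify(root, baseline)
        # Three kinds of tampering: content change, deletion, and an unexpected file.
        _write(root, "etc/app.conf", b"debug=true\n")
        os.remove(os.path.join(root, "bin/app"))
        _write(root, "bin/.helper", b"unexpected")
        tampered = verify(root, baseline)
        return {"clean": clean, "tampered": tampered, "messages": notifications(tampered)}


if __name__ == "__main__":
    for line in demo()["messages"]:
        print(line)
```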
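The SI-10 and SI-11 requirements above (syntax and semantics checks, prescreening inputs bound for interpreters, and error messages that do not expose SSNs or similar data) are combined in this added Python example, which is not OPM code; the field rules, the SQLite table and the sample records are constructed.

```python
"""SI-10 and SI-11 example: validate inputs before an interpreter sees them, and
report failures without leaking sensitive data.

Added illustration, not OPM code. The field rules, the SQLite table, and the
sample records are constructed for the example.
"""
import re
import sqlite3
import uuid

# SI-10 rule set: character set / format, length, numeric range, acceptable values.
RULES = {
    "employee_id": {"pattern": re.compile(r"^[A-Z]{2}[0-9]{6}$"), "max_len": 8},
    "office":      {"allowed": {"DC", "PA", "TX"}},
    "grade":       {"kind": int, "min": 1, "max": 15},
}

# SI-11 redaction: patterns that must never reach error logs or admin messages.
SENSITIVE = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[CARD]"),
]


class ValidationError(ValueError):
    """Names only the offending field; the rejected value is deliberately omitted."""


def validate_field(name, value):
    rule = RULES[name]
    if "kind" in rule:
        try:
            value = rule["kind"](value)
        except (TypeError, ValueError):
            raise ValidationError(f"{name}: not a number") from None
        if not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
        return value
    if not isinstance(value, str):
        raise ValidationError(f"{name}: wrong type")
    if "max_len" in rule and len(value) > rule["max_len"]:
        raise ValidationError(f"{name}: too long")
    if "pattern" in rule and not rule["pattern"].match(value):
        raise ValidationError(f"{name}: bad format")
    if "allowed" in rule and value not in rule["allowed"]:
        raise ValidationError(f"{name}: not an acceptable value")
    return value


def validate_record(record):
    missing = set(RULES) - set(record)
    if missing:
        raise ValidationError("missing fields: " + ", ".join(sorted(missing)))
    return {name: validate_field(name, record[name]) for name in RULES}


def redact(text):
    for pattern, label in SENSITIVE:
        text = pattern.sub(label, text)
    return text


def safe_error(exc, log):
    """Generic message for the caller; a redacted, correlatable entry for the log."""
    ref = uuid.uuid4().hex[:8]
    log.append(f"ref={ref} {type(exc).__name__}: {redact(str(exc))}")
    return f"Request could not be processed (reference {ref})."


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (employee_id TEXT, office TEXT, grade INTEGER, name TEXT)")
    conn.execute("INSERT INTO employees VALUES ('AB123456', 'DC', 12, 'Constructed Employee')")
    return conn


def lookup_employee(conn, record, log):
    """Validated values reach SQLite only as bound parameters, never as SQL text."""
    try:
        clean = validate_record(record)
        row = conn.execute(
            "SELECT name FROM employees WHERE employee_id = ? AND office = ? AND grade = ?",
            (clean["employee_id"], clean["office"], clean["grade"])).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except Exception as exc:        # ValidationError, sqlite3.Error, anything else
        return {"ok": False, "message": safe_error(exc, log)}


if __name__ == "__main__":
    db, audit = make_demo_db(), []
    print(lookup_employee(db, {"employee_id": "AB123456", "office": "DC", "grade": "12"}, audit))
    print(lookup_employee(db, {"employee_id": "AB123456' OR '1'='1", "office": "DC", "grade": 12}, audit))
    print(audit)
```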

7. TECHNICAL CONTROLS

7.1 Access Controls (AC)

Access control addresses user authorization to utilize an information system. Access controls are used to restrict access to information system resources to authorized users, programs, processes, or other systems only. Access controls consist of both administrative processes and technical functions that establish who can perform an action, when they can perform it, and how the action can be accomplished. This is the premise for role-based access control. Administrative controls identify users by groups (roles) and associated permissions (e.g., read, write, execute, delete). Roles and permissions are directly associated with the specific position or function that the user performs in accomplishing mission objectives. Technical controls implement the administrative decision by enabling specific groups/roles and linking the group/role to allowed permissions within specified system resources.

Policy: Office of Personnel Management (OPM) shall protect access to OPM information and information systems to ensure the security of its data and mission. Access controls authorize OPM users to perform a defined set of actions on a specific set of resources.

Access Control Policy and Procedures (AC-1)

The policies under this control are implemented with the OPM Access Control Procedure. Access control procedures may be developed by program offices and operational groups where necessary. Access control procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Account Management (AC-2)

The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls documented within the associated system security plan.
Users requiring administrative privileges on information system accounts shall receive additional scrutiny by OPM officials responsible for approving such accounts and privileged access. The Program Supervisor shall: Ensure the new user has completed the required Center for Security and Emergency Actions (CSEA) paperwork to initiate the clearance processes. Obtain a completed OPM IT Access Request Form (OPM Form 1665), fill in the appropriate sections, and obtain the required signatures. This form is available on the OPM Intranet. o OPM personnel require approval from their Supervisor or Designee. o OPM contractors require approval from their Contracting Officer s Technical Representative (COTR). Sign the OPM IT Access Request Form (OPM Form 1665), prior to the user gaining access to the system. 111

116 Provide the form to the new user and discuss his or her responsibilities to protect sensitive information. The new user must sign and date the form and return it to his or her Federal supervisor. System Owners (SO) shall manage information system accounts. This includes: Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); Establishing conditions for group membership. Access privileges must be assigned by group membership where technically feasible (i.e., Active Directory, application roles); Identifying authorized users and specifying access privileges; Requiring appropriate approval for requests to establish accounts; establishing, activating, modifying, disabling and removing accounts; Authorizing and monitoring the use of guest, anonymous and temporary accounts. Use of guest/anonymous and temporary accounts is prohibited unless required to meet OPM mission and business objectives; Notifying account managers when temporary accounts are no longer required and when system users are terminated, transferred, system usage or need-to-know changes; Deactivating accounts that are no longer required; including temporary accounts; Granting access to the system based on valid access authorization, intended system usage and other attributes as required by OPM mission/business functions; and Reviewing accounts at least annually for general access; at least annually for privileged access; and at least annually for data set access privileges. SOs shall ensure: Automated mechanisms are employed to support the management of information system accounts. Temporary and emergency accounts are automatically terminated after no more than 7 calendar days after no longer required. User accounts are automatically disabled after 35 calendar days of inactivity. Automated mechanisms are employed to audit account creation, modification, disabling, and termination actions and to notify appropriate individuals. 
(Moderate and High)

Access Enforcement (AC-3)

Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by OPM to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorized access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for OPM.

SOs shall configure information systems to enforce approved authorizations for logical access to the system in accordance with OPM's Information Security and Privacy Policy.

Information Flow Enforcement (AC-4)

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within OPM, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are employed by OPM to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on content (e.g., using keyword searches or document characteristics).

SOs shall ensure information systems enforce approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with OPM's Information Security and Privacy Policy. (Moderate and High)

Separation of Duties (AC-5)

Separation of duties is designed to prevent a single individual from being able to disrupt or corrupt a critical security process. This separation is necessary for adequate internal control of sensitive information systems. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts are used for different roles.

SOs shall ensure:
- Duties of individuals are separated as necessary to prevent conflict of interest activity without collusion;
- Separation of duties is documented; and
- Separation of duties is implemented through access authorizations. (Moderate and High)

Least Privilege (AC-6)

The principle of least privilege is to protect sensitive information and limit the damage that can result from accident, error, or unauthorized use. Least privilege requires that users be granted the most restrictive set of privileges (or lowest clearance) needed to perform authorized tasks (i.e., users should be able to access only the system resources needed to fulfill their job responsibilities). OPM employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to OPM operations and assets, individuals, other organizations, and the Nation.

SOs shall ensure the concept of least privilege is employed, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Information systems shall be configured to enforce the most restrictive set of rights and privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. (Moderate and High)

SOs shall ensure that access to security functions (including but not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, modifying device configurations, etc.) is authorized. Authorized personnel include security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. (Moderate and High)

SOs shall ensure users of information system accounts, or roles, with access to security functions (including but not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, modifying device configurations, etc.) use non-privileged accounts, or roles, when accessing other system functions. The SO shall ensure audits of any use of privileged accounts, or roles, for such functions.
(Moderate and High)

Unsuccessful Login Attempts (AC-7)

Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, OPM may choose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels.

SOs shall ensure:
- Configuration of information systems to enforce a limit of three consecutive invalid access attempts by a user; and
- The information system automatically locks the account until released by an administrator when the maximum number of unsuccessful attempts is exceeded. This applies regardless of login occurring via a local or network connection.
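The AC-2 account parameters above (35-day inactivity disable, 7-day termination of temporary and emergency accounts, prohibition on unjustified guest/anonymous and temporary accounts) and the AC-7 lockout rule (three consecutive invalid attempts, locked until an administrator releases) as an added example in Python; this is not handbook or OPM code. The account records are constructed sample data, and the field names, `review_accounts` and `LoginGuard` are assumptions.

```python
"""Added example: checking account records and login attempts against the
AC-2 and AC-7 parameters quoted in this handbook. Not OPM code; the account
records below are constructed sample data and the field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Parameters taken from the handbook text.
INACTIVITY_DISABLE_DAYS = 35   # AC-2: disable user accounts after 35 calendar days of inactivity
TEMP_ACCOUNT_GRACE_DAYS = 7    # AC-2: temporary/emergency accounts end no more than 7 days after no longer required
MAX_FAILED_ATTEMPTS = 3        # AC-7: three consecutive invalid attempts lock the account


@dataclass
class Account:
    name: str
    account_type: str                            # individual, group, system, application, guest/anonymous, temporary, emergency
    last_login: Optional[datetime]
    enabled: bool = True
    mission_justification: Optional[str] = None  # required for guest/anonymous and temporary accounts
    no_longer_required_on: Optional[datetime] = None  # temporary/emergency: date the need ended


def review_accounts(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for accounts that violate the AC-2 parameters."""
    findings = []
    for a in accounts:
        if a.account_type in ("guest/anonymous", "temporary") and not a.mission_justification:
            findings.append((a.name, "guest/anonymous or temporary account without documented mission need"))
        if a.enabled and a.last_login is not None and (now - a.last_login).days > INACTIVITY_DISABLE_DAYS:
            findings.append((a.name, f"still enabled after more than {INACTIVITY_DISABLE_DAYS} days of inactivity"))
        if (a.account_type in ("temporary", "emergency") and a.enabled
                and a.no_longer_required_on is not None
                and (now - a.no_longer_required_on).days > TEMP_ACCOUNT_GRACE_DAYS):
            findings.append((a.name, f"temporary/emergency account still enabled more than "
                                     f"{TEMP_ACCOUNT_GRACE_DAYS} days after no longer required"))
    return findings


class LoginGuard:
    """AC-7 lockout: counts consecutive failures per account, regardless of whether the
    attempt arrived over a local or network connection, and locks the account until an
    administrator releases it. Lock and release actions are appended to an audit list."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()
        self.audit: List[str] = []

    def attempt(self, account: str, credential_ok: bool, via: str = "network") -> str:
        if account in self.locked:
            return "locked"
        if credential_ok:
            self.failures[account] = 0        # a success resets the consecutive-failure count
            return "granted"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            # The third consecutive failure locks the account; 'via' is recorded but never
            # changes the decision, as the handbook requires.
            self.locked.add(account)
            self.audit.append(f"lockout account={account} via={via} failures={self.failures[account]}")
            return "locked"
        return "denied"

    def admin_release(self, account: str, admin: str) -> None:
        """Only an administrator action clears the lock; there is no timed release."""
        self.locked.discard(account)
        self.failures[account] = 0
        self.audit.append(f"lockout_release account={account} by={admin}")


# Constructed sample data for a review dated to the handbook's publication.
REVIEW_DATE = datetime(2011, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "individual", datetime(2011, 2, 1)),        # 58 days idle, still enabled
    Account("guest01", "guest/anonymous", datetime(2011, 3, 30)), # no documented mission need
    Account("tmp_vendor", "temporary", datetime(2011, 3, 9), True,
            "migration support", datetime(2011, 3, 10)),          # 21 days past the end of need
    Account("ops_admin", "individual", datetime(2011, 3, 25)),    # compliant
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{name}: {finding}")
```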

7.1.8 System Use Notification (AC-8)

System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

SOs shall:
- Ensure information systems display an approved system notification message or banner before granting access to the system. The banner shall provide privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and state that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
- Ensure information systems retain the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
- Ensure publicly accessible information systems (i) display the system use information when appropriate, before granting further access; (ii) display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) include in the notice given to public users of the information system a description of the authorized uses of the system.

System use notification messages shall be developed by the SO and approved by the Chief Information Security Officer (CISO).

Concurrent Session Control (AC-10)

Highly sensitive systems should limit the number of sessions that a user can have active to prevent possible unauthorized disclosure, modification, and/or destruction of sensitive information. This control addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple system accounts.

SOs shall ensure the number of concurrent sessions for each system account is limited to one. (High)

Session Lock (AC-11)

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. A session lock is not a substitute for logging out of the information system, for example, if the organization requires users to log out at the end of the workday.

SOs shall ensure:
- Information systems prevent access to the system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user; and
- Information systems retain a session lock until the user reestablishes access using established identification and authentication procedures. (Moderate and High)

OPM mobile devices (e.g., laptops, PDAs, smart phones such as Blackberrys, etc.) shall be configured to lock after 15 minutes of inactivity where feasible. A waiver shall be requested and a risk analysis documented for OPM devices that cannot meet this policy. For system administrators and users with elevated privileges, the SO shall prevent further access to the system by initiating a session lock after 15 minutes of inactivity.

Permitted Actions without Identification or Authentication (AC-14)

There may be specific instances where an organization determines that no identification and authentication is required for a limited number of user actions under special circumstances. This control does not apply to situations where identification and authentication have already occurred and are not being repeated, but rather to situations where identification and/or authentication have not yet occurred.

SOs shall ensure:
- Specific user actions that can be performed on the information system without identification or authentication are identified; and
- Supporting rationale is provided and documented in the security plan for the information system for the user actions that do not require identification and authentication.

The SO, in consultation with the CISO, may permit actions to be performed without identification and authentication only to the extent necessary to accomplish mission or business objectives. (Moderate and High)

Remote Access (AC-17)

Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet). OPM allows remote access only via pre-approved remote access methods. New methods for remote access shall be approved by the CIO and CISO prior to implementation based on a NIST SP Risk Assessment that identifies threats to OPM information, systems, and personnel. Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access.

SOs shall ensure:
- Only OPM-approved methods of remote access to the information system are allowed;
- Usage restrictions and implementation guidance are established for each allowed remote access method;
- The information system is monitored for unauthorized remote access;
- Remote access to the information system is authorized prior to connection;
- Requirements for remote connections to the information system are enforced;
- Remote access servers are secured effectively and are configured to enforce telework security policies; and
- Telework client devices are secured against common threats and maintain their security regularly.

SOs shall ensure:
- Automated mechanisms to facilitate the monitoring and control of remote access methods are employed. Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.
- Cryptography within the system to protect the confidentiality and integrity of remote access sessions is employed. Encryption solutions used must be Federal Information Processing Standards (FIPS) compliant. Personally Identifiable Information (PII) data at rest is encrypted in contractor and government Cloud computing environments.
- Information systems route all remote accesses through a limited number of managed access control points.
- The execution of privileged commands and access to security-relevant information via remote access is authorized only for compelling operational needs, and the rationale for such access is documented in the security plan for the information system.
- The information system is continuously monitored for unauthorized remote connections, and appropriate actions are taken if an unauthorized connection is discovered.
- Remote sessions for accessing security functions (including but not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, modifying device configurations, etc.) employ additional security measures (e.g., two-factor authentication) and are audited. Additional security measures are typically above and beyond standard bulk or session layer encryption (e.g., Secure Shell (SSH), Virtual Private Networking (VPN) with blocking mode enabled).
- Non-secure protocols such as Telnet, SSH v.1, FTP, HTTP, and SNMP v.1 are disabled except for explicitly identified components in support of specific operational requirements. Bluetooth and peer-to-peer networking are additional examples of less than secure networking protocols. (Moderate and High)

Wireless Access (AC-18)

Wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or "layer" of the network. A wireless access point (WAP) is a device that allows wired communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related standards. The WAP usually connects to a router and can relay data between the wireless devices (such as computers or printers) and wired devices on the network. Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities.

The CISO in consultation with the SOs shall ensure:
- Usage restrictions and implementation guidance for wireless access are established;
- OPM information systems are monitored for unauthorized wireless access;
- Users do not independently configure wireless networking capabilities;
- Wireless access to the information system is authorized prior to connection; and
- Requirements for wireless connections to the information system are enforced.

The SO shall ensure the information system protects wireless access to the system using authentication and encryption. Authentication applies to the user, the device, or both as necessary. (Moderate and High)

SOs shall ensure:
- Unauthorized wireless connections to the information system are monitored, to include scanning for unauthorized wireless access points at least semi-annually, and appropriate action is taken if an unauthorized connection is discovered. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to only those areas within the facility containing the information systems, yet is conducted outside of those areas only as needed to verify that unauthorized wireless access points are not connected to the system; and
- Wireless communications are confined to organization-controlled boundaries. Actions that may be taken by the organization to confine wireless communications to organization-controlled boundaries include: (i) reducing the power of the wireless transmission such that it cannot transit the physical perimeter of the organization; (ii) employing measures, such as TEMPEST, to control wireless emanations; and (iii) configuring the wireless access such that it is point to point in nature. (High)

Reference the OPM Wireless Access Usage Restrictions and Implementation Guidance document for details on usage restrictions and implementation guidance.

Access Control for Mobile Devices (AC-19)

Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., personal digital assistants, cellular telephones, digital cameras, music players, ebook readers, and audio recording devices). Personally owned mobile media devices shall not be connected to OPM owned or controlled systems. OPM owned and approved mobile media devices that are Federal Information Processing Standard (FIPS) compliant may be connected to OPM systems. Refer to MP-5 and MP-6 for mobile media devices that may leave OPM-controlled areas and IR-6 for lost or stolen devices.

SOs shall coordinate with the CISO to:
- Establish usage restrictions and implementation guidance for organization-controlled mobile devices;
- Authorize connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
- Monitor for unauthorized connections of mobile devices to organizational information systems;
- Enforce requirements for the connection of mobile devices to organizational information systems;
- Disable information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
- Issue specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
- Apply National Institute of Standards and Technology (NIST) guidance ( , ) as well as device-specific procedures and measures, including sanitization and/or destruction procedures (e.g., formatting or re-imaging digital storage) when applicable to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Usage restrictions and implementation guidance related to mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Examples of information system functionality that provide the capability for automatic execution of code are AutoRun and AutoPlay. Organizational policies and procedures for mobile devices used by individuals departing on and returning from travel include determining which locations are of concern (e.g., international travel), defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific measures to the device after travel is completed. Specially configured mobile devices include computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified measures applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive.

SOs shall ensure:
- Use of writable, removable media in organizational information systems is restricted;
- Use of personally owned, removable media in organizational information systems is prohibited; and
- Removable media with no identifiable owner is prohibited. An identifiable owner (e.g., individual, organization, or project) for removable media helps to reduce the risk of using such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion). (Moderate and High)

Use of External Information Systems (AC-20)

External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to: (i) personally owned information systems (e.g., desktops, laptops, cellular telephones, or personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization.
For some external systems, in particular those systems operated by other federal agencies, including organizations subordinate to those agencies, the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. In effect, the information systems of these organizations would not be considered external. These situations typically occur when there is some pre-existing sharing or trust agreement (either implicit or explicit) established between federal agencies and/or organizations subordinate to those agencies, or such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. This control does not apply to the use of external information systems to access public interfaces to organizational information systems and information (e.g., individuals accessing federal information through ...).

The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, as a minimum: (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum security categorization of information that can be processed, stored, and transmitted on the external information system.

SOs in consultation with the CISO shall establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
- Access the information system from the external information systems; and
- Process, store, and/or transmit organization-controlled information using the external information systems.

Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system and over which the organization has the authority to impose rules of behavior with regard to system access. The restrictions that an organization imposes on authorized individuals need not be uniform, as those restrictions are likely to vary depending upon the trust relationships between organizations. Thus, an organization might impose more stringent security restrictions on a contractor than on a state, local, or tribal government.

SOs shall permit authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization (Moderate and High):
- Can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; and
- Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

OPM shall limit the use of OPM-controlled portable storage media by authorized individuals on external information systems. Limits on the use of organization-controlled portable storage media in external information systems can include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. (Moderate and High)

Publicly Accessible Content (AC-22)

Nonpublic information is any information for which the general public is not authorized access in accordance with federal laws, Executive Orders, directives, policies, regulations, standards, or guidance. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic information. This control addresses posting information on an organizational information system that is accessible to the general public, typically without identification or authentication.

The Chief Information Officer (CIO) shall:
- Designate individuals authorized to post information onto an organizational information system that is publicly accessible; and
- Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.

The CISO, SOs, and/or designated personnel (e.g., Public Affairs Officer, General Counsel, etc.) shall:
- Review the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
- Review the content on the publicly accessible organizational information system for nonpublic information at least annually; and
- Remove nonpublic information from the publicly accessible organizational information system, if discovered.

7.2 Audit and Accountability (AU)

Audit and accountability provides the means and mechanisms to relate specific system or application level behavior to a certain individual. An individual can be held responsible for their behavior by linking user accounts to system activity. Audit capability includes defining who will be audited, what process or processes shall be used, the mechanisms or tools used, what information shall be captured, who will review the information, the frequency of the review, and the archiving of audit data (referred to as audit trails or system logs). In conjunction with the appropriate tools and procedures, auditing can assist in detecting security violations, performance problems, and application flaws. Audit data shall be of sufficient granularity to support investigations in the event of a security incident and designed to support system reconstruction and recovery.

Policy: Audit and accountability activities provide Office of Personnel Management (OPM) with a means to independently and objectively evaluate the security status of its information systems and related processes. OPM System Owners (SO) shall:
- Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and
- Ensure that the actions of individual OPM users can be uniquely traced to those users so that they can be held accountable for their actions.

Audit and Accountability Policy and Procedures (AU-1)

The policies under this family are implemented with the OPM-wide Audit and Accountability Procedure. Operational audit and accountability procedures may be developed by program offices and operational groups where necessary. Audit and accountability procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Auditable Events (AU-2)

Auditable events are those activities that can be tracked that provide information regarding system resource usage. SOs shall generate audit logs that show the addition, modification, or deletion of information from an information system, called "events". Auditing activity can affect information system performance. Therefore, based upon risk assessment and current threat information, OPM shall decide which events require auditing on a continuous basis and which events require auditing in response to specific situations.

The SO shall ensure:
- Based on a risk assessment and mission/business needs, that the information system is capable of auditing the following events. Apply checklists and configuration guides that provide recommended lists of auditable events. The following are possible events to audit:
  o Account creation, modification, disabling, and deletion
  o Administrative permissions executed on user accounts (e.g., inclusion in access groups, reset of password, account lockout override)
  o Administrative permissions executed on system resources (e.g., addition of users or groups to access lists, creation of share points, creation of new access groups, change of access group permissions)
  o Failed login attempts and account lockout
  o Use of su, pu, root, and administrator, or equivalent accounts
  o Activity log roll-over, deletion, or editing
  o All computer-readable data extracts from databases containing Personally Identifiable Information (PII)
  o Successful logins
- Coordination of the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
- A rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents is provided; and
- Based on current threat information and ongoing assessment of risk, the determination of what events are to be audited within the information system, and the frequency of each audit: the SO will determine a subset of events to be audited along with the frequency of (or situation requiring) auditing for each identified event based on assessment of risk.

The SO shall ensure review and update of the list of auditable events at least annually. (Moderate and High)

The SO shall ensure inclusion of execution of privileged functions in the list of events to be audited by the information system. (Moderate and High)

Content of Audit Records (AU-3)

The SO shall ensure the information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Audit record content that may be necessary to meet this requirement includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. System Owners (SOs) shall ensure information systems provide the capability to include more detailed audit log information by type, location, or subject when required to support investigations. (Moderate and High) The SO shall ensure central management of the content of audit records generated by individual components throughout the system. (High) Audit Storage Capacity (AU-4) 124

The SO shall ensure allocation of audit record storage capacity and configure auditing to reduce the likelihood of the audit storage capacity being exceeded.

Response to Audit Processing Failures (AU-5)

The SO shall ensure configuration of the information system to:

• Alert designated organizational officials in the event of an audit processing failure; and
• Take the following additional actions: continue logging by overwriting the oldest audit records.

The SO shall ensure configuration of the information system to provide a warning when allocated audit record storage volume reaches 80% of maximum capacity.

The information system shall provide a real-time alert when an audit failure event occurs, such as loss of the ability to log events. (High)

Audit Review, Analysis, and Reporting (AU-6)

The SO shall ensure:

• Review and analysis of the information system audit records at a frequency equivalent to the Federal Information Processing Standard (FIPS) 199 security categorization for indications of inappropriate or unusual activity, and reporting of findings to designated OPM officials.
• Adjustment of the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

The SO shall ensure integration of audit review, analysis, and reporting processes to support OPM processes for investigation and response to suspicious activities. (High)

Audit Reduction and Report Generation (AU-7)

The SO shall ensure audit reduction and report generation capabilities. An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting to support after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records.

The information system shall provide the capability to automatically process audit records for events of interest based on selectable event criteria. (Moderate and High)

Time Stamps (AU-8)

The SO shall ensure information systems use internal system clocks to generate time stamps for audit records. Time stamps generated by the information system include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

SOs shall synchronize internal information system clocks automatically with authoritative Network Time Protocol (NTP) servers. (Moderate and High)

Protection of Audit Information (AU-9)

The SO shall ensure protection of audit information and audit tools from unauthorized access, modification, and deletion. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information shall be protected while online and during offline storage.

Non-Repudiation (AU-10)

Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Non-repudiation protects users from being falsely accused of not completing an activity such as sending an e-mail message or not signing an electronic document. Digital signatures are one mechanism for ensuring non-repudiation. The digital signature can be used to prove to a recipient or third party that the originator did in fact sign the message.

The information system shall protect against an individual falsely denying having performed a particular action. (High)

Audit Record Retention (AU-11)

The SO shall ensure retention of information system audit records according to records disposition schedules established in the Office of Personnel Management's (OPM) Records Management Handbook to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated; the National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

Audit Generation (AU-12)

System Owners shall ensure configuration of information systems to:

• Provide audit record generation capability for the list of auditable events defined in AU-2 at individual components throughout the system;
• Allow designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
• Generate audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

Information systems shall compile audit records from individual components throughout the system where logging is possible, into a system-wide (logical or physical) audit trail that is time-correlated to within less than 1 second of National Institute of Standards and Technology (NIST) atomic clock servers. (High)
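The AU-3 minimum record content, the AU-7 selection of events of interest by selectable criteria, and the AU-5 warning at 80% of allocated storage, as an added Python example that is not the handbook's or any OPM system's code. It runs over constructed JSON-lines audit records; the field names, the event-type vocabulary and the sample records are assumptions.

```python
"""Added example (not OPM's code): checks constructed audit records against the
AU-3 minimum content fields, reduces them to AU-2/AU-7 events of interest, and
reports the AU-5 storage warning at 80% of allocated capacity."""
import json
from datetime import datetime, timezone

# AU-3: minimum content every audit record must carry (field names are assumed).
REQUIRED_FIELDS = ("event_type", "timestamp", "host", "source", "outcome", "subject")

# AU-2: events this example audits continuously (an assumed subset of the page's list).
EVENTS_OF_INTEREST = {
    "account_create", "account_modify", "account_disable", "account_delete",
    "login_failure", "account_lockout", "privileged_function", "pii_extract", "log_rollover",
}

# AU-5: warn when the audit store reaches this fraction of its allocated capacity.
STORAGE_WARN_FRACTION = 0.80


def parse_timestamp(value):
    """AU-8: a time stamp carries date and time, in UTC or local time with a UTC offset."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset")
    return ts.astimezone(timezone.utc)


def validate_record(record):
    """Return the AU-3 deficiencies of one record (an empty list means compliant)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("outcome") and record["outcome"] not in ("success", "failure"):
        problems.append("outcome must be success or failure")
    if record.get("timestamp"):
        try:
            parse_timestamp(str(record["timestamp"]))
        except ValueError as exc:
            problems.append(f"bad timestamp: {exc}")
    return problems


def review(lines, criteria=EVENTS_OF_INTEREST):
    """AU-6/AU-7: parse JSON-lines audit records, set aside non-compliant ones, and
    reduce the rest to the events matching the selectable criteria."""
    deficient, selected = [], []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValueError("record is not a JSON object")
        except ValueError as exc:  # JSONDecodeError is a ValueError subclass
            deficient.append((n, [f"unparseable: {exc}"]))
            continue
        problems = validate_record(record)
        if problems:
            deficient.append((n, problems))
        elif record["event_type"] in criteria:
            selected.append(record)
    return deficient, selected


def storage_status(used_bytes, allocated_bytes, warn=STORAGE_WARN_FRACTION):
    """AU-5: 'warn' at 80% of allocated capacity, 'full' at or above it, otherwise 'ok'."""
    if used_bytes >= allocated_bytes:
        return "full"
    if used_bytes >= warn * allocated_bytes:
        return "warn"
    return "ok"


# Constructed sample records (not real OPM data): lines 4 and 5 are deliberately deficient.
SAMPLE_LOG = [
    '{"event_type":"login_success","timestamp":"2011-03-31T13:00:00Z","host":"app01","source":"10.0.0.5","outcome":"success","subject":"jdoe"}',
    '{"event_type":"login_failure","timestamp":"2011-03-31T13:01:10-05:00","host":"app01","source":"10.0.0.9","outcome":"failure","subject":"jdoe"}',
    '{"event_type":"privileged_function","timestamp":"2011-03-31T13:02:00Z","host":"db01","source":"10.0.0.5","outcome":"success","subject":"dbadmin"}',
    '{"event_type":"pii_extract","timestamp":"2011-03-31T13:03:00Z","host":"db01","source":"10.0.0.5","outcome":"success"}',
    '{"event_type":"account_delete","timestamp":"2011-03-31 13:04","host":"dc01","source":"10.0.0.2","outcome":"ok","subject":"admin"}',
]

if __name__ == "__main__":
    bad, hits = review(SAMPLE_LOG)
    for n, problems in bad:
        print(f"line {n}: {', '.join(problems)}")
    for r in hits:
        print(f"{r['timestamp']} {r['event_type']} by {r['subject']} on {r['host']}: {r['outcome']}")
    print("audit store:", storage_status(850, 1000))
```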

7.3 Identification and Authentication (IA)

Identification and Authentication (IA) security controls are designed to ensure that only pre-approved and authorized personnel are granted access to information systems. IA involves designation and use of user identifiers (userid) and authentication mechanisms to verify and validate the identity of the individual seeking access. IA works in conjunction with role-based access controls to further limit exposure of information assets to only those pre-approved individuals. These controls provide access to information systems and must be carefully managed and administered.

Policy: Before allowing access to Office of Personnel Management (OPM) information systems and information, systems shall identify and authenticate users and devices, including automated system processes acting on behalf of users and devices.

Identification and Authentication Policy and Procedures (IA-1)

The policies under this control are implemented with the OPM-wide Identification and Authentication Procedure. Operational identification and authentication procedures may be developed by program offices and operational groups where necessary. Identification and authentication procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

Identification and Authentication (Organizational Users) (IA-2)

The information system shall uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). Organizational users include OPM employees or individuals the organization deems to have equivalent status to employees (e.g., contractors, interns, etc.). Adequate controls shall be implemented and maintained on systems to confirm user identity prior to access. The access protection measures shall provide assurance of individual accountability through identification and authentication of each information system user.

Multifactor authentication is required for network access for privileged and non-privileged accounts (Moderate and High). Local access for privileged (Moderate and High) and non-privileged (High) accounts requires multifactor authentication. Information systems shall use authentication mechanisms that require challenges (e.g., Transport Layer Security (TLS)), and time-synchronous or challenge-response one-time authenticators, for network access to privileged (Moderate and High) and non-privileged (High) accounts to prevent recording and reuse of previous authentication messages (replay-resistant authentication).

OPM shall use credentials compliant with Homeland Security Presidential Directive (HSPD)-12 requirements for access. OPM accepts credentials that include both Personal Identity Verification (PIV) cards and PIV Interoperable cards which can be trusted by the Government consistent with Federal policy guidance, Personal Identity Verification (PIV) Interoperability For Non-Federal Issuers.

OPM, in accordance with OMB Memorandum M-11-11, shall ensure:

• All new systems under development are enabled to use PIV credentials, in accordance with NIST guidelines, prior to being made operational.
• Starting in FY2012, existing physical and logical access control systems shall be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.
• Procurements for services and products involving facility or system access control shall be in accordance with HSPD-12 policy and the Federal Acquisition Regulation.
• OPM physical and logical access processes shall accept and electronically verify PIV credentials issued by other federal agencies.

Group or shared accounts for individual access are not permitted. If group accounts must be used because of technology, a waiver shall be requested and approved by the Chief Information Security Officer (CISO). Requirements for group accounts include:

• Individuals shall first authenticate using an individual authenticator prior to using a group authenticator.
• Administrator accounts, such as root, shall require more than one individual to have access. The number of individuals having access for a given server shall be kept to a minimum.
• Group accounts that have system-level privileges granted through group membership or programs such as su or sudo shall have a unique password.
• The password for a shared account shall be changed whenever a member no longer has a need for access or when lost or stolen.
• Auditing shall be enabled for accountability purposes (Reference AU-2).
• Rationale shall be documented within the applicable System Security Plan (SSP) for user actions permitted without uniquely identifying and authenticating individuals (Reference AC-14).

Machine/process accounts used for processing or transferring information are permitted. These accounts are often embedded in application or client/server environments to perform non-interactive automated transaction processes. A common example is the requirement for web-based applications to authenticate to databases and applications where data is resident. If machine/process accounts are used, the account owner and purpose of the account shall be documented in the applicable SSP.

Device Identification and Authentication (IA-3)

Devices (e.g., network switches/routers, servers, workstations, laptops, printers, and other peripheral devices such as smart phones and tablet PCs) shall be uniquely identified and authenticated prior to accessing the OPM network by using shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) for identification on local and wide area networks. An organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP), RADIUS server with EAP-Transport Layer Security (TLS) authentication, Kerberos) shall be used to authenticate devices. If a computer is not a member of the domain, it cannot communicate with the network resources because the firewall masks the internal IP addresses and protects them from spoofing, etc.

Identifier Management (IA-4)

System Owners (SO) shall ensure the establishment of standards for user identification naming conventions and unique account identification code requirements. OPM users are uniquely identified by the establishment of a network account. The identity of each user is verified by the OPM Human Resources (HR) department or Contracting Officer Technical Representative (COTR). HR creates a record for each new employee and initiates the process of obtaining the employee background investigation and obtaining fingerprints. The employee's supervisor then requests establishment of a network account using the OPM IT Access Form.

Information system identifiers for users and devices shall be managed by:

• Receiving authorization from a Program Supervisor to assign a user or device identifier;
• Selecting an identifier that uniquely identifies an individual or device;
• Assigning the user identifier to the intended party or the device identifier to the intended device;
• Preventing reuse of user or device identifiers permanently; and
• Disabling the user identifier after 30 calendar days of inactivity.

Authenticator Management (IA-5)

SOs shall ensure implementation of authenticators (e.g., passwords, tokens, biometrics, Public Key Infrastructure (PKI) certificates, key cards) that prevent unauthorized access to systems. Users shall maintain authenticators and protect them from inadvertent disclosure. Measures to safeguard user authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. Administration of the authentication data shall include procedures to disable lost or stolen tokens, smart cards, or passwords, and include procedures for the recovery of cryptographic keys.

Information system authenticators for users and devices shall be managed by:

• Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
• Establishing initial authenticator content for authenticators defined by the organization;
• Ensuring that authenticators have sufficient strength of mechanism for their intended use;
• Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
• Changing default content of authenticators upon information system installation;
• Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
• Changing/refreshing authenticators (reference the authentication types below);
• Protecting authenticator content from unauthorized disclosure and modification; and
• Requiring users and devices to implement specific measures to safeguard authenticators.

OPM requires Personal Identity Verification (PIV) cards to gain access to information systems in accordance with Homeland Security Presidential Directive (HSPD)-12, Federal Information Processing Standard (FIPS) 201, and OMB Memorandum M when feasible. PIV cards may use a combination of authenticator mechanisms (i.e., card holder unique identifier (CHUID), PKI certificate, or biometrics) depending upon the assurance level required.

The information system for password-based authentication shall:

• Enforce minimum password complexity of at least 8 characters for non-privileged accounts and at least 12 characters for privileged accounts, with 3 of the following 4 attributes:
  o Uppercase letters (A-Z)
  o Lower case letters (a-z)
  o Numbers (0-9)
  o Special characters ($, %, &, *, +, =, ?, {}, [], <>, :)
• Enforce at least one (1) changed character when new passwords are created;
• Encrypt passwords in storage and in transmission (passwords shall not be stored in clear text or in any easily reversible form in batch files, automatic login scripts, software macros, terminal function keys, or in any location where an unauthorized person might discover them);
• Enforce password minimum and maximum lifetime restrictions of one (1) day minimum and 60 day maximum;
• Prohibit password reuse for twenty-four (24) generations;
• Lock an account after three (3) consecutive invalid login attempts (Reference AC-7).

Exceptions:

• Mainframe passwords shall be 8 characters long and shall be in alphanumeric format (any combination of numbers and/or letters).
• Blackberry passwords shall be at least 8 alphanumeric characters.
• Passwords for machine/process accounts may not expire.

Additional password management requirements include:

• Passwords shall be audited on a regular basis for compliance to ensure strength of passwords is sufficient. If a password is guessed or cracked during an audit, the user shall change it.
• Temporary passwords shall be changed upon initial login.
• The system shall provide a mechanism that notifies the user when a password change is required.
• Passwords shall not be visible on screen, hardcopy, or any other output device.
• User passwords shall not be hard-coded into software.
• When providing user identifiers (userid) and passwords to users, two different media (telephone, postal mail, e-mail, or a secure Web site) shall be used: one to deliver the userid, and one to deliver the password, to prevent account compromise.
• Collection of userids and/or passwords shall not be permitted, except for purposes of authorized network, system, or security administration.

The following list outlines additional recommendations, or safeguards, for users:

• Passwords shall not contain any of the following:
  o UserID or any part of your full name
  o Dictionary words or common names (e.g., Betty, Fred, Rover)
  o Portions of associated account names (e.g., userid, login name)
  o Consecutive character strings (e.g., abcdef, 12345)
  o Simple keyboard patterns (e.g., qwerty, asdfgh)
  o Generic passwords (i.e., passwords consisting of a variation of the word "password" (e.g., P@sswOrdl))
• Shall not reveal a password over the phone to ANYONE.
• Shall not reveal a password in an e-mail message.
• Shall not reveal a password to the Help Desk.
• Shall not discuss a password in front of others.
• Shall not hint at the format of a password (e.g., "my family name").
• Shall not reveal a password on questionnaires or security forms.
• Shall not share passwords with anyone including management, co-workers, administrative assistants, or secretaries.
• Shall not write down passwords and store them in common areas (e.g., side of monitor, under keyboard, etc.). If passwords, such as emergency passwords or administrator passwords, must be written down, they shall be placed in a sealed envelope and secured in a locked container.
• Shall immediately notify supervisors and the respective Help Desk if an account or password is suspected to have been compromised, and change all passwords.
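The IA-5 password rules and user safeguards above, as an added Python example that is not OPM's or the handbook's code: a validator applying the length-by-account-type, 3-of-4 character class, changed-character and 24-generation reuse rules, the mainframe exception, and the safeguards against name parts, dictionary words, consecutive and keyboard strings and "password" variants. The dictionary contents, the run length that counts as a consecutive string, the leet substitutions and the PBKDF2 parameters are assumptions, since the page does not give them.

```python
"""Added example (not OPM's code): applies the IA-5 password rules and user
safeguards from this page. Values the page does not state are marked assumed."""
import hashlib
import os
import re

MIN_LENGTH = {"non-privileged": 8, "privileged": 12}   # page: 8 / 12 characters
HISTORY_GENERATIONS = 24                               # page: no reuse for 24 generations
# Page: 3 of 4 classes; the special-character set is the page's own list.
CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[$%&*+=?{}\[\]<>:]")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh")               # page examples
DICTIONARY = {"betty", "fred", "rover"}                # page examples; a real check needs a full word list
LEET = str.maketrans("@$01!3", "asolie")               # assumed substitutions to catch "P@sswOrdl"-style variants
RUN_LENGTH = 4                                         # assumed: 4+ ascending characters (abcd, 1234) is a string
PBKDF2_ROUNDS = 20_000                                 # assumed; raise for production use


def _hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt: the history stores hashes, never clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def has_consecutive_run(password, length=RUN_LENGTH):
    """True if `length` or more characters ascend by one code point in a row (abcdef, 12345)."""
    run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if ord(b) == ord(a) + 1 else 1
        if run >= length:
            return True
    return False


def check_password(new, old, userid, full_name, account_type="non-privileged", history=()):
    """Return the list of rule violations (an empty list means the password is acceptable).
    `history` holds (salt, digest) pairs of earlier passwords, newest last."""
    v = []
    if account_type == "mainframe":  # page exception: 8 characters, alphanumeric only
        if not re.fullmatch(r"[A-Za-z0-9]{8}", new):
            v.append("mainframe passwords must be exactly 8 alphanumeric characters")
    else:
        if len(new) < MIN_LENGTH[account_type]:
            v.append(f"shorter than {MIN_LENGTH[account_type]} characters")
        if sum(bool(re.search(c, new)) for c in CHARACTER_CLASSES) < 3:
            v.append("fewer than 3 of 4 character classes")
    if old is not None and new == old:  # at least one character must change
        v.append("no character changed from the previous password")
    for salt, digest in history[-HISTORY_GENERATIONS:]:
        if _hash(new, salt)[1] == digest:
            v.append(f"reused within the last {HISTORY_GENERATIONS} generations")
            break
    low = new.lower()
    # Name parts shorter than 3 characters are ignored (assumed, to skip initials).
    parts = [p.lower() for p in (userid, *full_name.split()) if len(p) >= 3]
    if any(p in low for p in parts):
        v.append("contains the userid or part of the user's name")
    if any(w in low for w in DICTIONARY):
        v.append("contains a dictionary word or common name")
    if has_consecutive_run(new):
        v.append("contains a consecutive character string")
    if any(k in low for k in KEYBOARD_PATTERNS):
        v.append("contains a simple keyboard pattern")
    if "password" in low.translate(LEET):
        v.append('is a variation of the word "password"')
    return v


def change_password(new, old, userid, full_name, account_type, history):
    """Apply the checks; on success append the new hash and keep only 24 generations."""
    violations = check_password(new, old, userid, full_name, account_type, history)
    if not violations:
        history.append(_hash(new))
        del history[:-HISTORY_GENERATIONS]
    return violations
```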

Reference the LAN Complex Passwords standard for network users and the Sysplex Security Policy and Procedures for Mainframe user identification and authentication requirements.

The information system for PKI-based authentication shall:

• Validate certificates by constructing a certification path with status information to an accepted trust anchor (i.e., certificate revocation lists or online certificate status protocol responses);
• Enforce authorized access to the corresponding private key; and
• Map the authenticated identity to the user account.

The registration process to receive HSPD-12 PIV smartcards and other PKI authenticators shall be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

Cardholder and PKI certificate Personal Identification Numbers (PIN) are not subject to the aging criteria that are required for traditional passwords. The terms PIN and password are not synonymous. National Institute of Standards and Technology (NIST) SP control IA-5, regarding Authenticator Management, distinguishes between password expiration requirements and PKI certificate requirements. FIPS PUB defines the logical functions for PIV credentials including:

(1) Proof of the identity of the cardholder to the card
(2) Proof of the identity of the cardholder to a remote entity (i.e., application, system)

NIST SP, Interfaces for Personal Identity Verification Part 2: End-Point PIV Card Application Card Command Interface, is an additional reference for PIN requirements. PINs accomplish the intent of category (1) above, validating cardholder identity to the PIV card. Knowledge of a PIN is the means by which an individual can be authenticated to the PIV Card Application. Passwords accomplish the intent of category (2) above by validating cardholder identity to a remote entity, application, or system.

The process of PIN entry, validating a cardholder to a card or an individual to a PKI certificate, occurs locally on a number pad or cardholder-controlled system. The PIN never traverses an unprotected medium, which significantly limits exposure. Passwords may traverse an unprotected network, and thus the use of passwords to validate cardholder identity to a remote entity, application, or system increases exposure. The increased risk of password exposure is mitigated by the use of password aging techniques. The longevity of cardholder and PKI certificate PINs far exceeds that of passwords due to the significantly limited exposure to attack, and thus they are not subject to the same aging criteria required for traditional passwords. However, it is a recommended best practice that cardholders periodically change their PIN.

Authenticator Feedback (IA-6)

Information systems shall not reveal information during the authentication process that could be used by malicious individuals to gain unauthorized access. Authenticator (e.g., password, Personal Identification Number (PIN), etc.) feedback shall be obscured during user login by displaying asterisks or using a similar solution. Authenticator error messages shall not contain authenticator content requirements, user identifier (userid) requirements, or whether or not the user has entered an incorrect userid or password upon login.

Cryptographic Module Authentication (IA-7)

The information system shall use mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. Cryptographic-based security systems may be utilized in various computer and telecommunication applications (e.g., data storage, access control and personal identification, network communications, radio, facsimile, and video) and in various environments (e.g., centralized computer facilities, office environments, and hostile environments). The cryptographic services (e.g., encryption, authentication, digital signature, and key management) provided by a cryptographic module are based on many factors that are specific to the application and environment. The focus of this control is implementing the authentication requirements contained in the applicable laws, Executive Orders, etc. (Federal Information Processing Standard (FIPS) 140-2, as amended) with regard to authentication to a cryptographic module. The control does not address using cryptography to protect the authentication session nor other uses of cryptography. In the context of this control, it is the cryptographic module that provides authentication via means that need not involve cryptography (e.g., use of password authentication may meet the requirements of this control).

The SO shall ensure the requirements in FIPS are reviewed, as amended, to determine what authentication mechanism to implement (e.g., role-based authentication, identity-based authentication) for a cryptographic module, and apply the appropriate system configuration to ensure compliance.

Identification and Authentication (Non-Organizational Users) (IA-8)

Non-organizational users shall be identified by type, organization, agency, etc. within the system's System Security Plan (SSP). Non-organizational users typically include individuals of the public, retired Federal employees (annuitants), non-OPM Federal employees, applicants, etc. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Accordingly, an E-Authentication Risk Assessment is used in determining the authentication needs of the organization.

For public-facing information systems, SOs shall ensure an E-Authentication Risk Assessment is conducted in accordance with applicable Office of Management and Budget (OMB)/National Institute of Standards and Technology (NIST) guidance, specifically, OMB M-04-04, E-Authentication Guidance for Federal Agencies, and NIST SP, Electronic Authentication Guideline. Identification and authentication technology consistent with the results of E-Authentication Risk Assessments shall be deployed.
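The IA-6 feedback requirement above, together with the three-attempt lockout from IA-5 (Reference AC-7), as an added Python example that is not OPM's or the handbook's code: one generic failure message for an unknown userid, a wrong password and a locked account, with the password hash computed on every path so that an unknown userid is not distinguishable by response time. The account records and the PBKDF2 parameters are assumptions.

```python
"""Added example (not OPM's code): a login check that returns one generic error
regardless of whether the userid or the password was wrong (IA-6) and locks the
account after three consecutive invalid attempts (IA-5, Reference AC-7)."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3                                   # page: lock after three consecutive invalid attempts
GENERIC_ERROR = "The userid or password is incorrect."    # names neither the failing field nor the policy
PBKDF2_ROUNDS = 20_000                                    # assumed; raise for production use
_DUMMY_SALT = os.urandom(16)                              # so an unknown userid costs the same as a known one


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password):
    """Constructed account record: salted hash, no clear-text password, counters for lockout."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "failures": 0, "locked": False}


def authenticate(accounts, userid, password):
    """Return (ok, message). The message never says whether the userid exists,
    whether the password was wrong, whether the account is locked, or how many
    attempts remain; unlocking is left to an administrative process."""
    acct = accounts.get(userid)
    # Always run the hash so an unknown userid takes as long as a wrong password.
    candidate = _hash(password, acct["salt"] if acct else _DUMMY_SALT)
    if acct is None or acct["locked"]:
        return False, GENERIC_ERROR
    if hmac.compare_digest(candidate, acct["hash"]):
        acct["failures"] = 0
        return True, "Login successful."
    acct["failures"] += 1
    if acct["failures"] >= MAX_FAILED_ATTEMPTS:
        acct["locked"] = True          # AU-2: the lockout is itself an auditable event
    return False, GENERIC_ERROR
```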

7.4 System and Communications Protection (SC)

System and Communications Protection includes instructions on partitioning to preclude inadvertent data contamination and on the isolation of security functions from other areas and services. Boundary protection requirements are addressed, which include protections against denial of service. In addition, transmission confidentiality and integrity controls (e.g., cryptographic services and Public Key Infrastructure (PKI) technology rules) are identified.

Policy: Office of Personnel Management (OPM) shall provide system and communications protection for OPM information systems and information. This protection will assure users that OPM information is protected by controls to prevent unauthorized users from interfering with authorized communications and from accessing information that resides on, or is transmitted from, OPM systems. OPM's policy shall:

• Monitor, control, and protect communications (information transmitted or received by information systems);
• Employ its information systems to transmit information in a secure manner commensurate with the risk and magnitude of harm that could result from unauthorized transmission or receipt of information or from interference with OPM's communications. Means of securing the transmission of information include the use of trusted path, cryptographic key, data encryption, session encryption, and public key infrastructure (PKI), among other methods;
• Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within its information systems;
• Employ methods to protect its information systems from denial of service (DoS) attacks;
• Authorize, monitor, and control the use of mobile code and communications protocols (e.g., Voice over Internet Protocol) on its information systems; and
• Provide mechanisms to protect the authenticity of communications sessions conducted on its information systems.

System and Communications Protection Policy and Procedures (SC-1)

The policy under this control is implemented with the OPM System and Communications Protection Procedure. System and Communications Protection procedures shall be developed and disseminated. System-specific procedures may be developed by program offices and operational groups where necessary. The procedures shall be reviewed at least annually and updated as determined necessary.

Application Partitioning (SC-2)

Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

140 System Owners (SO) shall ensure information systems are configured to separate user functionality from information system management functionality. (Moderate and High) Security Function Isolation (SC-3) The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) that controls access to and protects the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process. SOs shall ensure information systems isolate security functions from non-security functions, by using different partitions, domains, or other methods. This controls access to and protects the integrity of the hardware, software, and firmware that perform security functions. (High) Information in Shared Resources (SC-4) Information produced by the actions of a prior user/role should not be available to any current user/role that obtains access to a shared system resource after that resource has been released back to the information system. SOs shall ensure that information systems are configured to prevent unauthorized and unintended information transfer via shared system resources. (Moderate and High) Denial of Service Protection (SC-5) A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization s internal network from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may reduce the susceptibility to some denial of service attacks. 
SOs shall ensure information systems are designed and configured to protect against or limit the effects of all types of denial of service attacks, consistent with National Institute of Standards and Technology (NIST) SP Rev. 1 and US-CERT (United States Computer Emergency Readiness Team) guidelines. Examples of DoS attacks include but are not limited to:
- Using all available network bandwidth by generating unusually large volumes of traffic;
- Sending malformed TCP/IP packets to a server so that its operating system will crash;
- Sending illegal requests to an application to crash it;
- Making many processor-intensive requests so that the server's processing resources are fully consumed (e.g., requests that require the server to encrypt each reply);
- Establishing many simultaneous login sessions to a server so that other users cannot start login sessions;

- Broadcasting on the same frequencies used by a wireless network to make the network unusable; and
- Consuming all available disk space by creating many large files.

Boundary Protection (SC-7)

Boundary protection of information resources is accomplished by the installation and operation of controlled interfaces (e.g., proxies, gateways, routers, firewalls, and load balancers). Controlled interfaces provide an added level of assurance that unauthorized personnel will be unable to access or affect systems for which the individual or process is not authorized. By tracking and controlling data, and deciding whether to pass, drop, reject, or encrypt it, controlled interfaces have proven to be an effective additional means of securing a network.

SOs shall ensure information systems:
- Monitor and control communications at the external boundary of the information system and at key internal boundaries within the system; and
- Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with the organizational security architecture.
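As an added example (not part of the OPM handbook or its procedures), the following Python models the behaviour SC-7 requires of a managed interface: deny all, permit by exception, with every exception tied to a documented business need and an expiry date so that the periodic review can list exceptions that have lapsed or are about to. The rule format, ticket identifiers, addresses and review date are constructed assumptions; in production the same policy would be expressed as firewall rules, and logic like this would be used to audit them.

```python
"""Deny-all, permit-by-exception traffic-flow policy for one managed interface.

Added example, not OPM's code. Rule format, ticket IDs, addresses and the
review date are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the default-deny policy; SC-7 requires the
    mission/business need and its duration to be recorded with each one."""
    ticket: str       # reference to the documented business need (hypothetical IDs)
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    expires: date     # last day of the approved duration


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _in_net(cidr: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(flow: Flow, exceptions: List[FlowException], today: date) -> Tuple[str, Optional[str]]:
    """Return ("permit", ticket) when a still-valid exception covers the flow,
    otherwise ("deny", None). An expired exception is treated exactly as if it
    had already been removed, so a lapsed approval cannot keep a hole open."""
    for ex in exceptions:
        if ex.expires < today:
            continue
        if (ex.proto == flow.proto and ex.dport == flow.dport
                and _in_net(ex.src, flow.src) and _in_net(ex.dst, flow.dst)):
            return "permit", ex.ticket
    return "deny", None


def review(exceptions: List[FlowException], today: date, horizon_days: int = 30) -> dict:
    """Support the periodic review: exceptions that have lapsed (remove them)
    and exceptions expiring within the horizon (renew the justification or let lapse)."""
    horizon = today + timedelta(days=horizon_days)
    return {
        "lapsed": [ex.ticket for ex in exceptions if ex.expires < today],
        "expiring_soon": [ex.ticket for ex in exceptions if today <= ex.expires <= horizon],
    }


# Constructed sample policy for the interface between the internal network
# (10.20.0.0/16) and a DMZ / external partner hosts.
SAMPLE_EXCEPTIONS = [
    FlowException("CHG-1001", "10.20.0.0/16", "192.0.2.10/32", "tcp", 443, date(2025, 12, 31)),
    FlowException("CHG-0874", "10.20.5.0/24", "203.0.113.25/32", "tcp", 22, date(2024, 6, 30)),
    FlowException("CHG-1130", "10.20.9.0/24", "198.51.100.7/32", "udp", 53, date(2025, 3, 15)),
]
REVIEW_DATE = date(2025, 3, 1)  # constructed "today" for the demo


def run_demo() -> dict:
    decisions = {
        "web_to_dmz": evaluate(Flow("10.20.7.4", "192.0.2.10", "tcp", 443), SAMPLE_EXCEPTIONS, REVIEW_DATE),
        "ssh_expired": evaluate(Flow("10.20.5.9", "203.0.113.25", "tcp", 22), SAMPLE_EXCEPTIONS, REVIEW_DATE),
        "ssh_to_dmz_no_rule": evaluate(Flow("10.20.7.4", "192.0.2.10", "tcp", 22), SAMPLE_EXCEPTIONS, REVIEW_DATE),
        "outside_src": evaluate(Flow("172.16.1.1", "192.0.2.10", "tcp", 443), SAMPLE_EXCEPTIONS, REVIEW_DATE),
    }
    return {"decisions": decisions, "review": review(SAMPLE_EXCEPTIONS, REVIEW_DATE)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Only the first flow is permitted; the expired SSH exception, the port with no exception, and the source outside the internal range all fall through to the default deny, and the review output names the lapsed ticket that should be removed from the firewall.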
SOs shall ensure the following controls are implemented (Moderate and High):
- Physically allocate publicly accessible information system components (e.g., public web servers) to separate networks with separate physical network interfaces;
- Prevent public access to the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices;
- Limit the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic;
- Implement a managed interface (boundary protection devices in an effective security architecture) for each external telecommunications service;
- Establish a traffic flow policy for each managed interface, and document exceptions to the policy with the supporting mission/business need and its duration;
- Review exceptions to the traffic flow policy at least annually (or when changes to the system traffic flow occur) and remove exceptions that are no longer supported by an explicit mission/business need;
- Employ security controls as needed to protect the confidentiality and integrity of the information being transmitted;
- Deny network traffic by default and allow network traffic by exception (i.e., deny all, permit by exception) at managed interfaces;
- Prevent remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks (split tunneling);

- Prevent the unauthorized release of information outside of the information system boundary, or any unauthorized communication through the information system boundary, when there is an operational failure of the boundary protection mechanisms (High); and
- Route all outbound internal communications traffic to the Internet through authenticated proxy servers within the managed interfaces of boundary protection devices (High).

External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy servers are also configurable with organization-defined lists of authorized and unauthorized websites.

Transmission Integrity (SC-8)

Integrity, in terms of data and network security, is the assurance that information can only be modified by those authorized to do so; that is, the content of information cannot be changed without detection.

SOs shall ensure information systems protect the integrity of transmitted information. Integrity mechanisms (e.g., hashing and checksums) in accordance with the current version of FIPS 180 shall be used to ensure recognition of changes to the information during transmission, unless otherwise protected by alternative physical measures (e.g., physical access controls, conduit, etc.). (Moderate and High)

Transmission Confidentiality (SC-9)

Confidentiality is ensuring that information is accessible only to those authorized to have access, preventing the disclosure of information to unauthorized individuals or systems.

SOs shall ensure information systems protect the confidentiality of transmitted information. Cryptographic mechanisms shall be used to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., physical access controls, conduit, etc.).
(Moderate and High)

Cryptographic mechanisms shall be used to prevent unauthorized disclosure of Personally Identifiable Information (PII) during transmission.

Network Disconnect (SC-10)

Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single operating-system-level network connection.

SOs shall ensure information systems are configured to terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity. (Moderate and High)
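A caveat practitioners should attach to the SC-8 requirement above: a bare FIPS 180 hash sent alongside the data only detects accidental corruption, because an on-path attacker who changes the data can recompute the hash. Against an active adversary the integrity check must be keyed (HMAC, FIPS 198-1, built on the same SHA-2 hash) or signed, or the data must travel inside an authenticated session. The following Python is an added example, not OPM's code; the key and the message are constructed, and the "attacker" is a function that rewrites the frame in transit.

```python
"""Transmission integrity: why the SC-8 hash must be keyed against an active adversary.

Added example, not OPM's code. SHA-256 is a FIPS 180 hash; HMAC-SHA-256 is the
FIPS 198-1 keyed construction over it. Key and message are constructed.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def unkeyed_frame(msg: bytes) -> bytes:
    """msg || SHA-256(msg): detects accidental corruption only."""
    return msg + hashlib.sha256(msg).digest()


def keyed_frame(key: bytes, msg: bytes) -> bytes:
    """msg || HMAC-SHA-256(key, msg): also detects deliberate modification."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def open_unkeyed(frame: bytes) -> Optional[bytes]:
    if len(frame) < TAG_LEN:
        return None
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return msg if hmac.compare_digest(hashlib.sha256(msg).digest(), tag) else None


def open_keyed(key: bytes, frame: bytes) -> Optional[bytes]:
    if len(frame) < TAG_LEN:
        return None
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag byte-by-byte through timing
    return msg if hmac.compare_digest(expected, tag) else None


def on_path_attacker(frame: bytes, recompute: bool) -> bytes:
    """Modify the payload in transit. With a bare hash the attacker simply
    recomputes the checksum; without the key the best it can do is forward
    the old tag and hope the receiver does not check."""
    msg = frame[:-TAG_LEN].replace(b"amount=100", b"amount=900")
    if recompute:
        return unkeyed_frame(msg)
    return msg + frame[-TAG_LEN:]


def run_demo() -> dict:
    key = bytes(range(32))  # constructed; real keys come from key management (SC-12)
    msg = b"transfer;amount=100;to=acct-42"

    forged_unkeyed = on_path_attacker(unkeyed_frame(msg), recompute=True)
    forged_keyed = on_path_attacker(keyed_frame(key, msg), recompute=False)

    return {
        "unkeyed_accepts_forgery": open_unkeyed(forged_unkeyed) is not None,  # True: undetected
        "keyed_accepts_forgery": open_keyed(key, forged_keyed) is not None,   # False: rejected
        "keyed_accepts_genuine": open_keyed(key, keyed_frame(key, msg)) == msg,
        "wrong_key_rejected": open_keyed(b"\x00" * 32, keyed_frame(key, msg)) is None,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

An HMAC gives integrity and data-origin authentication between the two key holders but no confidentiality (that is SC-9) and no protection against replaying an old, correctly tagged frame (that belongs to the session-level protections of SC-23); in practice a TLS session supplies all three together.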

Cryptographic Key Establishment and Management (SC-12)

Cryptographic key establishment and management can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of information in the event of the loss of cryptographic keys by users.

SOs shall ensure cryptographic keys are established and managed for required cryptography employed within the information system. SOs shall ensure information systems maintain availability of information in the event of the loss of cryptographic keys by users. (High)

Use of Cryptography (SC-13)

Encryption is the process of transforming plaintext into ciphertext for the purpose of security or privacy. There are two basic types of cryptography: secret key (symmetric) and public key (asymmetric) systems. In secret key systems the same key is used for both encryption and decryption, so all parties participating in the communication share a single key. Public key systems use a pair of keys, a public key and a private key.

SOs shall ensure information systems implement required FIPS-compliant cryptographic protections using cryptographic modules that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Public Access Protections (SC-14)

Publicly available applications and information must be protected to ensure users can access reliable information at any given time. An organization's mission and/or reputation may be adversely impacted if public-facing content is not adequately protected from unauthorized modification or denial of service.
SOs shall ensure information systems protect the integrity and availability of publicly available information and applications.

Collaborative Computing Devices (SC-15)

Collaborative computing devices include but are not limited to video teleconferencing equipment, networked whiteboards, cameras, and microphones.

SOs shall ensure the information system:
- Prohibits remote activation of collaborative computing devices, with the following exception: authorized administrator access, such as for maintenance or troubleshooting. Remote activation is the ability to enable (or activate) a device from a device or system that is not connected directly to that device; and
- Provides an explicit indication of use to users physically present at the devices when in use. Explicit indication of use may include signals to users when the collaborative device is activated, such as activity lights and event notifications.

Public Key Infrastructure Certificates (SC-17)

The primary function of a Public Key Infrastructure (PKI) is to allow the distribution and use of public keys and certificates with security and integrity. PKI is a foundation on which other applications and network security components are built. The generation, distribution, and management of public keys and associated certificates normally occur through the use of Certification Authorities (CAs), Registration Authorities (RAs), and directory services, which can be used to establish a hierarchy or chain of trust. In the Internet environment, entities unknown to each other do not have sufficient trust established between them to perform business, contractual, legal, or other types of transactions. The implementation of PKI using a CA provides the mechanisms for this trust.

Federal agencies obtain certificates from an approved shared service provider, as required by Office of Management and Budget (OMB) policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with visibility external to the information system and does not include certificates related to internal system operations, such as application-specific time services.

SOs shall ensure public key certificates are issued under an appropriate certificate policy, or are obtained under an appropriate certificate policy from an approved service provider, as required by OMB Memorandum. (Moderate and High)

Mobile Code (SC-18)

Mobile code is software transferred between systems (e.g., across a network or via a USB flash drive) and executed on a local system without explicit installation or execution by the recipient.
Decisions regarding the employment of mobile code within organizational information systems should be based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include but are not limited to scripts, applets, ActiveX controls, Microsoft Office macros, Java, JavaScript, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply both to the selection and use of mobile code installed on organizational servers and to mobile code downloaded and executed on individual workstations.

The Chief Information Security Officer (CISO) shall coordinate with SOs to:
a) Define acceptable and unacceptable mobile code and mobile code technologies.
b) Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies based on the potential to cause damage to the information system, whether intentional or unintentional.

SOs shall ensure the use of mobile code within information systems is authorized, monitored, and controlled. (Moderate and High)

Voice over Internet Protocol (SC-19)

Voice over Internet Protocol (VoIP) is any of a family of methodologies, communication protocols, and transmission technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

The CISO shall coordinate with SOs to establish usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the information system if used maliciously. SOs shall ensure the use of VoIP within the information system is authorized prior to use and is monitored and controlled throughout the system life cycle. (Moderate and High)

Secure Name/Address Resolution Service (Authoritative Source) (SC-20)

This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Information systems that use technologies other than DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum.

The original design of the Domain Name System (DNS) did not include security; it was designed as a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS that add security while maintaining backwards compatibility, providing origin authentication of DNS data, data integrity, and authenticated denial of existence. An authoritative name server is a name server that gives answers in response to questions asked about names in one or more zones.

SOs shall ensure information systems provide additional data origin and integrity artifacts along with the authoritative data they return in response to name/address resolution queries.
SOs shall ensure information systems, when operating as part of a distributed, hierarchical namespace, provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains; for example, by indicating the security status of child subspaces through the use of delegation signer (DS) resource records in the DNS.

Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)

A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Information systems that use technologies other than DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

SOs shall ensure information systems perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. (High)
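The DS record mentioned under SC-20 is the link between a parent zone and its child in the DNSSEC chain of trust, and checking it is the step a validating resolver (SC-21) performs before it can trust the child's DNSKEY. As an added example, not part of the handbook, the following Python computes a DS record from a DNSKEY and checks that a DS published by the parent matches the DNSKEY served by the child. The zone name and the public key bytes are constructed; the digest and key-tag computations follow RFC 4034 (section 5.1.4 and Appendix B, for algorithms other than RSA/MD5). A real resolver also validates the RRSIG signatures over the DNSKEY and DS RRsets, which this block does not show.

```python
"""DS-to-DNSKEY linkage in a DNSSEC chain of trust (SC-20 / SC-21).

Added example, not OPM's code. Zone name and key bytes are constructed; the
digest and key-tag computations follow RFC 4034.
"""
import hashlib
import hmac
from typing import Tuple

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # subset of the DS digest type registry
ZONE_KEY_FLAG = 0x0100                                 # DNSKEY flags bit 7 (RFC 4034 2.1.1)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> Tuple[int, int, int, bytes]:
    """DS RDATA the parent publishes: (key tag, algorithm, digest type, digest),
    where digest = hash(owner name in wire form || DNSKEY RDATA)."""
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches_dnskey(owner: str, ds: Tuple[int, int, int, bytes], rdata: bytes) -> bool:
    """Does this DS (obtained from the parent) authenticate this DNSKEY (served by the child)?"""
    tag, alg, dtype, digest = ds
    flags = int.from_bytes(rdata[:2], "big")
    if not flags & ZONE_KEY_FLAG or rdata[2] != 3:
        return False  # not a zone key, or wrong protocol field: unusable for validation
    if alg != rdata[3] or tag != key_tag(rdata):
        return False  # cheap pre-checks before hashing
    if dtype not in DIGEST_TYPES:
        return False  # unsupported digest type cannot be verified here
    expected = DIGEST_TYPES[dtype](name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, digest)


def run_demo() -> dict:
    owner = "example.gov"
    ksk = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))       # constructed KSK, algorithm 8 (RSASHA256)
    ds = make_ds(owner, ksk)                                  # what the parent zone would publish
    substituted = dnskey_rdata(257, 3, 8, bytes(range(2, 66)))  # attacker-supplied key
    return {
        "genuine": ds_matches_dnskey(owner, ds, ksk),
        "substituted_key": ds_matches_dnskey(owner, ds, substituted),
        "wrong_owner": ds_matches_dnskey("examp1e.gov", ds, ksk),
        "key_tag": ds[0],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Because the owner name is part of the digest input, a DS for one zone cannot be reused to vouch for a look-alike zone, and because the digest covers the whole DNSKEY RDATA, any substituted key fails the check even when the attacker keeps the same flags and algorithm.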

Architecture and Provisioning for Name/Address Resolution Service (SC-22)

A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative DNS servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution requests from clients external to the organization (i.e., on external networks, including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges or explicit lists).

SOs responsible for information systems that collectively provide name/address resolution service for an organization shall ensure these systems are fault tolerant and implement internal and external role separation. (Moderate and High)

Session Authenticity (SC-23)

This control focuses on communications protection at the session level, versus the packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. For example, this control addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).
SOs shall ensure information systems provide mechanisms to protect the authenticity of communications sessions. (Moderate and High)

Fail in Known State (SC-24)

Failure in a known state can address safety or security. Failure in a known secure state helps prevent loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Failure in a known safe state helps prevent systems from failing to a state that may cause injury to individuals or destruction of property. Preserving information system state information facilitates system restart and return to the operational mode of the organization with less disruption of mission/business processes.

SOs shall ensure information systems fail to an identified state, as documented in the System Security Plan, that preserves system integrity in failure while protecting OPM personnel from potential harm. For instance, an information system may fail to an access-denied or closed state upon any type of failure of the system or a system component, preserving system integrity in failure; however, this may not be appropriate for an automated system that controls entry and exit points. (High)

Protection of Information at Rest (SC-28)

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Configurations and/or rule sets for firewalls, gateways, intrusion detection/prevention systems, and filtering routers, as well as authenticator content, are examples of system information likely to require protection.

SOs shall ensure information systems protect the confidentiality and integrity of information at rest. (Moderate and High)

Information System Partitioning (SC-32)

Information system partitioning is part of a defense-in-depth protection strategy: the partitioning of information system components into separate physical domains (or environments). An organizational assessment of risk or security categorization guides the partitioning of information system components into separate physical domains (or environments). Managed interfaces restrict or prohibit network access and information flow among partitioned information system components.

SOs shall ensure information systems are partitioned into components residing in separate physical domains (or environments) as deemed necessary. (Moderate and High)

Developers/programmers shall not have access to production environments unless approved by the SO to fix an identified problem. Any such approval shall be on a temporary basis, and the developer/programmer must use a special account that is activated only for the period of time needed to fix the identified problem. Production data shall not be used for testing unless approved by the SO with a business justification.

APPENDIX A: ACRONYMS

ATO: Authorization to Operate
CFR: Code of Federal Regulations
CIO: Chief Information Officer
CISO: Chief Information Security Officer
CPO: Chief Privacy Officer
CNSS: Committee for National Security Systems
COTS: Commercial Off-The-Shelf
CVE: Common Vulnerabilities and Exposures
CUI: Controlled Unclassified Information
DSO: Designated Security Officer
DNS: Domain Name System
FDCC: Federal Desktop Core Configuration
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act
ICS: Industrial Control System
ICR: Information Collection Request
ISAP: Information Security Automation Program
ISA: Interconnection Security Agreement
MOU: Memorandum of Understanding
NIST: National Institute of Standards and Technology
NSA: National Security Agency
OMB: Office of Management and Budget

OPM: Office of Personnel Management
PRA: Paperwork Reduction Act
PIV: Personal Identity Verification
PII: Personally Identifiable Information
PKI: Public Key Infrastructure
POA&M: Plan of Action and Milestones
RMF: Risk Management Framework
SAR: Security Assessment Report
SAISO: Senior Agency Information Security Officer
SBU: Sensitive But Unclassified
SitRoom: OPM Situation Room
SP: Special Publication
SDLC: System Development Life Cycle
SORN: System of Records Notice
SO: System Owner
TCP/IP: Transmission Control Protocol/Internet Protocol
TSP: Telecommunications Service Priority
U.S.C.: United States Code
US-CERT: United States Computer Emergency Readiness Team
VPN: Virtual Private Network
VoIP: Voice over Internet Protocol

APPENDIX B: GLOSSARY

Auditing
The automatic, chronological recording of computer system or application activities. Auditing enables the reconstruction of system activities, including file modification or the events of a transaction from initiation to results. Auditing allows management to conduct an independent review of computer system records and activities and to detect and react to departures from established policies, rules, and procedures.

Auditable Events
Auditable events show the addition, modification, or deletion of information in an information system. Events are selected based upon risk assessment and current threat information. OPM decides which events require auditing on a continuous basis and which events require auditing in response to specific situations. Auditable events are those selected for auditing on a continuous basis.

Audit Logs
A chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function.

Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authenticator
The means used to confirm the identity of a user, process, or device (e.g., user password or token).

Authorization
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Authorization Boundary
All components of an information system to be authorized for operation by an Authorizing Official (AO); excludes separately authorized systems to which the information system is connected.
Availability
Ensuring timely and reliable access to and use of information.

Awareness
Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is defined in NIST Special Publication as follows: "Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance."

Backup
A copy of files and programs made to facilitate recovery if necessary.

Baseline Configuration
A documented and approved specification to which an information system is built. It describes the approved configuration of an information system, including all its hardware, software, and firmware components, how the components are interconnected, and the physical and logical locations of each.

Boundary Protection
Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).

Boundary Protection Device
A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.

Business Continuity Plan
The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions (as opposed to IT functions) will be sustained during and after a significant disruption.

Business Impact Analysis (BIA)
An analysis of an IT system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Cipher
A cipher (or cypher) is an algorithm for performing encryption or decryption: a method of transforming text (or data) in order to conceal its meaning (content).
Cloud Computing
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cold Site
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.

Component
A uniquely identifiable input, part, piece, assembly or subassembly, system or subsystem that is required to complete or finish an activity, item, or job, and performs a distinctive and necessary function in the operation of a system. Hardware, software, and firmware are information system components.

Computer Matching Agreement (CMA)
A written document that establishes the conditions, safeguards, and procedures under which one government entity agrees to disclose data to another entity, where there is to be a computerized comparison of two or more automated Systems of Records (SORs).

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration
The makeup of an information system, including its hardware, software, and firmware components, how the components are interconnected, and the physical and logical locations of each.

Configuration Management
The process by which the functional and physical attributes of an information system and its components are identified and documented, and changes to the system and its components are controlled and tracked. The goal of configuration management is to make it easier to detect any changes to hardware or software within an information system.

Contingency Plan
Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters. A plan that provides procedures and capabilities for recovering a major application, minor application, or general support system based upon the business priorities and requirements.

Contingency Planning
Coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. Contingency planning generally includes one or more of the following approaches to restore disrupted IT services: (1) restoring IT operations at an alternate location, (2) recovering IT operations using alternate equipment, and (3) performing some or all of the affected business processes using non-IT (manual) means (typically acceptable for only short-term disruptions).

Contingency Test Plan
A plan that describes the details for a major application, minor application, or general support system test, such as the test purpose, type, scope, objectives, methodology, activities, results (expected and actual), exercise processes (test scripts), responsibilities, and business and technical participants.

Continuity of Operations (COOP) Plan
A predetermined set of instructions or procedures that describe how an organization's mission essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

Continuous Monitoring
Continuous monitoring is one of six steps in the Risk Management Framework (RMF). The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an important activity in assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation (including threat space). A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system. The implementation of a continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well-executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the security categorization of the information system.
Contractor
A contractor is a trained professional who chooses to perform important IT functions for a client as an independent contractor. The IT contractor usually operates under the auspices of a working agreement with the customer, and is available for a specified period of time in exchange for the completion of specific tasks within that period of time.

Controlled Area
Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.

Cryptographic Boundary
An explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.

Cryptographic Module
The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.

Cryptography
Cryptography is the science of information security. The word is derived from the Greek kryptos, meaning hidden. Cryptography is closely related to the disciplines of cryptology and cryptanalysis. Cryptography includes techniques such as microdots, merging words with images, and other ways to hide information in storage or transit. However, in today's computer-centric world, cryptography is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (known as decryption).

Denial of Service
An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

Defense-in-Depth
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Disruption
An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).

Domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.

Education
Education is defined in NIST Special Publication as follows: "The Education level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response."

Electronic Authentication (E-Authentication)
The process of establishing confidence in user identities electronically presented to an IT system.

Emergency
A sudden, unexpected event requiring immediate action because of potential threat to business functionality, health and safety, the environment, or property. An emergency can range from a short-term system outage to a natural disaster to an act of war.

External Information System (or Component)
An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

External Network
A network not controlled by the organization.

External Organizations
External organizations include commercial entities, other Federal agencies, non-governmental organizations, and any other entities that are outside the OPM organization.

External User
A user who has or is responsible for a system account on any OPM IT system to conduct business on behalf of an organization other than OPM.

Federal Information System
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

FIPS-Validated Cryptography
A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP).

Firmware
Software that is embedded in a hardware device that allows reading and executing the software, but does not allow modification, e.g., writing or deleting data by an end user. An example of firmware is a computer program in a read-only memory (ROM) integrated circuit chip. A hardware configuration is usually used to represent the software.

Hardware
A general term for the physical artifacts of a technology. It may also mean the physical components of a computer system, in the form of computer hardware. A personal computer is made up of multiple physical components of computer hardware, upon which can be installed system software called an operating system and a multitude of software applications to perform the operator's desired functions.

Hot Site
A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

Identification
The means by which a user provides a claimed identity to the IT system. The most common form of identification is the userid.

Identification and Authentication
Controls used to identify or verify the identity and eligibility of an individual, device, or process acting on behalf of an individual or system, prior to allowing access to the system or specific categories of information within the system. Identification controls include the use of tokens, userid, smart cards, etc. Authentication controls include passwords, PIN numbers, biometrics, or other personal mechanisms to authenticate identity.

Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Independent Assessor or Assessment Team
An individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies the assessor(s) are free from any perceived or actual conflict of interest with the developmental, operational, and/or management chain associated with the information system or with the determination of security control effectiveness.

Individual Accounts
User accounts associated with individuals who manually authenticate to computer systems using a dedicated userid/password pair.

Information Collection
The obtaining, causing to be obtained, soliciting, or requiring the disclosure to an agency, third parties or the public of information by or for an agency by means of identical questions posed to, or identical reporting, recordkeeping, or disclosure requirements imposed on, ten or more persons, whether such collection of information is mandatory, voluntary, or required to obtain or retain a benefit. (Source: 5 CFR)

Information Collection Request (ICR)
A description of information gathered for an information system that collects information from members of the public numbering ten (10) or more, whether or not the information is considered to be information in identifiable form. Under the Paperwork Reduction Act (PRA), agencies must submit an information collection request (ICR) and obtain an Office of Management and Budget (OMB) electronic information collection approval number (also known as an OMB control number) before using the information system.

Information Resources
Information and related resources, such as personnel, equipment, funds, and information technology.

Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security Policy
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Systems include General Support Systems (GSS), Major Applications, and Minor Applications as identified in the OPM FISMA system inventory. NOTE: Information systems also include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

Information System Security Officer
Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

Information Technology
Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

Integrity
Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

Interconnections
The direct connection of two or more IT systems for the purpose of sharing data and other information resources. A system interconnection has three basic components: two information systems and the mechanism by which they are joined (the pipe through which data is made available, exchanged, or passed one-way only).

Interconnection Security Agreement (ISA)
An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.

Internal Network
A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.

Intrusion Detection
The act of detecting actions that attempt to compromise the confidentiality, integrity, or availability of a resource. When intrusion detection takes a preventive measure without direct human intervention, it becomes an intrusion prevention system.

Least Functionality
Reviewing a system for, and eliminating, all unnecessary functions of a system.

Local Access
Access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained by direct connection without the use of a network.

Local Maintenance
Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.

Machine/Process Accounts
Accounts used for system activities; they are often embedded in application or client/server environments and may be utilized to perform non-interactive automated transaction processes. A common example is the requirement for web-based applications to authenticate to databases and applications where data is resident. Other examples include network and system management models using SNMP for monitoring resource performance and availability. These accounts are broken into three broad categories: intra-system, inter-system, and extra-system.

Malicious Code
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system, such as a virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Maximum Tolerable Downtime
The amount of time a mission/business process can be disrupted without causing significant harm to the organization's mission.

Media
Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

Memorandum of Understanding/Agreement (MOU/A)
A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. An MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.

Mobile Code
Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.

Mobile Code Technologies
Software technologies that provide the mechanisms for the production and use of mobile code (e.g., Java, JavaScript, ActiveX, VBScript).

Mobile Computing Devices
Portable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory). Portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

Mobile Device
Portable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory). Portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

Multi-Factor Authentication
Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Network
Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Network Access
Access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained through a network connection.

Non-Local Maintenance
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.

Non-Organizational User
A user who is not an organizational user (including public users).

Non-Privileged User
Individual who does not have access to perform security-relevant functions such as system control, monitoring, or administration functions; a "user" vs. a "privileged user"; a "regular user"; a "normal user".

Non-repudiation
Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.

Notice of the Office of Personnel Management's Privacy Practices (NPP)
A document that describes how OPM may use and give out or disclose individually identifiable health information.

Object
Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains.

OMB Exhibit 300
OMB Circular No. A-11 Part 7 (Section 300) of the Circular establishes policy for planning, budgeting, acquisition and management of Federal capital assets, and instructs you on budget justification and reporting requirements for major information technology (IT) investments and for major non-IT capital assets.

Operator
An individual accessing a cryptographic module or a process (subject) operating on behalf of the individual, regardless of the assumed role.

OPM Information
Information in either physical or digital form that is under the possession, custody, or control of OPM.

Organizational User
An organizational employee or an individual the organization deems to have equivalent status of an employee (e.g., contractor, guest researcher, individual detailed from another organization, individual from allied nation).

Personally Identifiable Information (PII)
The term PII, as defined in OMB Memorandum M, refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available in any medium and from any source that, when combined with other available information, could be used to identify an individual.

Personal Identification Number (PIN)
A secret number that someone memorizes and uses to authenticate his or her identity.

Personal Identity Verification (PIV) Card
A physical artifact (e.g., identity card, smart card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).

Plan of Action and Milestones (POA&Ms)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Potential Impact
The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.

Privacy Impact Assessment (PIA)
An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

Privacy Policy
The term Privacy Policy is described in OMB Memorandum M-99-18, and is further explained in OMB Memorandum M. When the term is used in this Memorandum, it refers to a single, centrally located statement that is accessible from an agency's official homepage. The Privacy Policy should be a consolidated explanation of the agency's general privacy-related practices that pertain to its official website and its other online activities.

Privacy Notice
While a Privacy Policy is a statement about an agency's general practices, the term Privacy Notice refers to a brief description of how the agency's Privacy Policy will apply in a specific situation. Because the Privacy Notice should serve to notify individuals before they engage with an agency, a Privacy Notice should be provided on the specific webpage or application where individuals have the opportunity to make PII available to the agency.

Privacy Threshold Analysis (PTA)
An analysis of an information system to determine if it contains personally identifiable information, and if a Privacy Impact Assessment (PIA) needs to be completed.

Privileged Account
An information system account with authorizations of a privileged user.

Privileged User
A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Public Key Infrastructure (PKI)
A set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Public User
A user who is not responsible for an account on any OPM IT System. Users who fall into this category do not authenticate to access OPM IT Systems. Public users have access to "public" resources such as forms, but no information is stored about the user other than the information associated with the particular one-time transaction.

Reciprocal Agreement
An agreement that allows two organizations to back up each other.

Recovery Point Objective
The point in time to which data must be recovered after an outage.

Recovery Time Objective
The overall length of time an information system's components can be in the recovery phase before negatively impacting the organization's mission or mission/business processes.

Remote Access
Access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet).

Replay-resistant Authentication
Authentication solution that resists replay attacks, which are attempts to gain access to a system by recording and replaying a previous authentication message.

Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management; incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Risk Management
The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Role-Based Access Control
Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.

Rules of Behavior
A set of rules for individual users of an information system that delineate responsibilities of and expectations for all individuals who access the information system. The rules of behavior state the consequences of non-compliance.

Security Assessment
The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Security Assessment Plan (SAP)
Plan that provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and assessment procedures. The assessment plan reflects the type of assessment the organization is conducting (e.g., developmental testing and evaluation, independent verification and validation, assessments supporting security authorizations or reauthorizations, audits, continuous monitoring, assessments subsequent to remediation actions).

Security Assessment Report (SAR)
Report prepared by the Security Control Assessor that provides the results of assessing the implementation of the security controls identified in the security plan to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the specified security requirements. The SAR also contains a list of recommended corrective actions for any weaknesses or deficiencies identified in the security controls. Supporting the near real-time risk management objectives of the security authorization process, the SAR is updated on an ongoing basis whenever changes are made to the security controls employed within or inherited by the information system. Updates to the SAR help to ensure that the System Owner (SO), Common Control Provider, and Authorizing Officials (AO) maintain the appropriate awareness with regard to security control effectiveness.
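The Role-Based Access Control entry above describes permissions attached to roles, inherited through a role hierarchy, and granted to a user by role assignment. The following is an added illustration of that model in Python; it is not code from the OPM handbook or from any OPM system. The role names (user, analyst, auditor, admin), the permission strings, and the user names are constructed for the example. It also shows the Privileged User distinction from this glossary: the security-relevant permission (account management) is granted only to the privileged role, and any user or role that is not defined is denied.

```python
# Added example illustrating the Role-Based Access Control definition above.
# It is not code from the OPM handbook; the role names, permission strings
# and user names are constructed for the illustration.
from collections import deque


class RoleHierarchy:
    """Roles with directly granted permissions plus the roles they inherit from."""

    def __init__(self):
        self._direct = {}    # role -> permissions granted directly to that role
        self._parents = {}   # role -> roles whose permissions this role inherits

    def has_role(self, role):
        return role in self._direct

    def add_role(self, role, permissions=(), inherits=()):
        # A role may only inherit from roles that are already defined.
        missing = set(inherits) - set(self._direct)
        if missing:
            raise ValueError("unknown parent role(s): %s" % sorted(missing))
        self._direct[role] = set(permissions)
        self._parents[role] = set(inherits)

    def effective_permissions(self, role):
        """Collect the role's own permissions and every permission inherited
        through the hierarchy (breadth-first; the seen set guards against cycles)."""
        if role not in self._direct:
            raise ValueError("unknown role: %s" % role)
        perms, seen, queue = set(), set(), deque([role])
        while queue:
            current = queue.popleft()
            if current in seen:
                continue
            seen.add(current)
            perms |= self._direct[current]
            queue.extend(self._parents[current])
        return frozenset(perms)


class AccessPolicy:
    """Maps users to roles and answers authorization queries with default deny."""

    def __init__(self, hierarchy):
        self.hierarchy = hierarchy
        self._assignments = {}   # user -> roles assigned to that user

    def assign(self, user, role):
        if not self.hierarchy.has_role(role):
            raise ValueError("unknown role: %s" % role)
        self._assignments.setdefault(user, set()).add(role)

    def is_authorized(self, user, permission):
        # A user with no assignments (including an unknown user) has no roles
        # and is therefore denied.
        return any(
            permission in self.hierarchy.effective_permissions(role)
            for role in self._assignments.get(user, ())
        )


def build_example_policy():
    """Constructed hierarchy: admin inherits analyst, which inherits user;
    auditor sits beside analyst and also inherits user."""
    hierarchy = RoleHierarchy()
    hierarchy.add_role("user", {"records:read"})
    hierarchy.add_role("analyst", {"records:export"}, inherits={"user"})
    hierarchy.add_role("auditor", {"audit_log:read"}, inherits={"user"})
    # The security-relevant function (account administration) is granted only
    # to the privileged role, as in the glossary's Privileged User definition.
    hierarchy.add_role("admin", {"accounts:manage", "audit_log:read"},
                       inherits={"analyst"})
    policy = AccessPolicy(hierarchy)
    policy.assign("alice", "analyst")
    policy.assign("bob", "auditor")
    policy.assign("carol", "admin")
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    checks = [("alice", "records:export"), ("alice", "audit_log:read"),
              ("bob", "records:read"), ("carol", "accounts:manage"),
              ("dave", "records:read")]
    for user, perm in checks:
        verdict = "allowed" if policy.is_authorized(user, perm) else "denied"
        print("%s %s: %s" % (user, perm, verdict))
```

Because every authorization answer is derived from the role hierarchy rather than from per-user grants, reviewing who can perform a security-relevant function reduces to reviewing which roles carry that permission and who holds those roles, which is the auditing benefit the definition's "permissions needed to perform defined functions" wording points at.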

Security Category
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.

Security Categorization
The process of determining the security category for information or an information system.

Security Controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Security Control Assessor
The individual, group, or organization responsible for conducting a security control assessment.

Security Functions
The hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.

Security Marking
Human-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings.

Sensitive Information
Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Service Level Agreement (SLA)
Service level agreements are a part of a service contract where the level of service is formally defined between two parties, where one is the customer and the other is the service provider. The SLA usually defines the expectations of performance for each required security control, describes measurable outcomes, and identifies remedies and response requirements for any identified instance of non-compliance.

Situation Room
A 24 hour, 7 days per week operations center overseen by OPM's Emergency Actions that provides situational awareness to the OPM Director regarding events affecting the operating status of the Federal government.

Software
Any information recorded on storage media, including source code and executable code.

Spam
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Spyware
Software secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Subsystem
A major subdivision or component of an information system consisting of information, information technology, and personnel that performs one or more specific functions.

System Development Life Cycle (SDLC)
A type of methodology used to describe the process for building and maintaining information systems, intended to develop information systems in a very deliberate, structured, and methodical way, reiterating each stage of the life cycle through system disposal.

System of Records Notice (SORN)
Notice that must be published in the Federal Register for all systems that collect information in identifiable form on individuals and use a personal identifier, such as an ID number, social security number, date of birth, or other element, to retrieve the individual's record. The SORN informs the public what information is contained in the system, how it is used, how individuals may gain access to information about themselves, and other specific aspects of the system. (Source: 5 U.S.C. 552a(e)(4))

Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Telework
The ability for an organization's employees and contractors to perform work from locations other than the organization's facilities.

Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat Source
The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

Token
A device such as a smart card, metal key, or other physical object used to authenticate identity.

Training
Training is defined in NIST Special Publication as follows: "The Training level of the learning continuum strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual's attention on an issue or set of issues."

User
Individual, or (system) process acting on behalf of an individual, authorized to access an information system.

UserID
A unique identifier that, in conjunction with either something the user has or knows, can be used to authenticate into an IT system.

Virtual Private Network (VPN)
Data network that enables two or more parties to communicate securely across a public network by creating a private connection, or tunnel, between them.

Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Warm Site
An environmentally conditioned work space that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption.

APPENDIX C: REFERENCES

C.1 Authorities

C.1.1 Public Laws
The following public laws provide authority for this policy:
Public Law , Privacy Act of
Public Law , Paperwork Reduction Act of
Public Law , Division E, Information Technology Management Reform Act (Clinger-Cohen Act) of
Public Law , E-Government Act of
Public Law , Federal Information Security Management Act of 2002 (Title III of the E-Government Act of 2002), as amended.
Public Law , Omnibus Appropriations Act, 2005 (Section 522).

C.1.2 Presidential Directives
Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, June

C.2 Issuances Incorporated by Reference
Committee on National Security Systems (CNSS)
Department of Homeland Security, National Communications Center, Telecommunications Service Priority (TSP) Program
International Organization for Standardization (ISO) Standards
National Security Agency (NSA) Media Destruction Guidance
Network Device Protection Profile (NDPP), Common Criteria
Personal Identity Verification (PIV) Interoperability for Non-Federal Issuers
US Computer Emergency Readiness Team (US-CERT)

C.2.1 Fair Information Practice Principles
The Information Security and Privacy Policy incorporates the Fair Information Practice Principles, available online at

C.2.2 Office of Governmentwide Policy Issuances
The Information Security and Privacy Policy incorporates policy and guidance issued by the General Services Administration (GSA) Office of Governmentwide Policy (OGP). Information is available online at

C.2.3 Office of Management and Budget (OMB) Issuances
The Information Security and Privacy Policy incorporates policy and guidance issued by the Office of Management and Budget (OMB), including but not limited to the issuances listed below. Copies are available online at and

OMB Circulars
OMB Circular A-11, Preparation, Submission, and Execution of the Budget
OMB Circular No. A-130, Revised (Transmittal Memorandum No. 4), Management of Federal Information Resources, November 30,
OMB Circular No. A-123, Management's Responsibility for Internal Control, December 21,

OMB Memorandums
OMB M-00-07, Incorporating and Funding Security in Information Systems Investments
OMB M-00-15, Guidance on Implementing the Electronic Signatures in Global and National Commerce Act, September
OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 17,
OMB M-03-18, Implementation Guidance for E-Government Act of 2002, August 1,
OMB M , Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26,
OMB M-04-04, E-Authentication Guidance for Federal Agencies, December 16,
OMB M-04-26, Personal Use Policies and File-Sharing Technology, September 8,
OMB M-05-04, Policies for Federal Agency Public Websites, December 17,
OMB M-05-08, Designation of Senior Agency Officials for Privacy, February 11,
OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors.
OMB M-06-15, Safeguarding Personally Identifiable Information, May 22,
OMB M-06-16, Protecting Sensitive Agency Information, June 23,
OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12,
OMB M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials, January 11, 2007
OMB M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 22,
OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22,

OMB M-07-18, Ensuring New Acquisitions Include Common Security Configurations, June 1,
OMB M-07-19, FY Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 25,
OMB M-08-01, HSPD-12 Implementation Status, October 23, 2007
OMB M-10-06, Open Government Directive

C.2.4 National Institute of Standards and Technology (NIST) Issuances
The Information Security and Privacy Policy incorporates standards and special publications issued by the National Institute of Standards and Technology (NIST), including but not limited to the following issuances. They are available on the Web at
NIST Federal Agency Security Practices
NIST Security Management and Assurance
Cryptographic Module and Algorithm Validation Programs

Federal Information Processing Standards (FIPS) Publications
NIST FIPS Publications (e.g., 199, 200, 201-1, etc.)
NIST Interagency or Internal Reports (NISTIRs)
FIPS Publication 140-2, Security Requirements for Cryptographic Modules, June
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March
FIPS Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, March

Special Publications (SPs)
Final versions of National Institute of Standards and Technology (NIST) 800-series Special Publications. (Draft references are not incorporated, as their content may change and they are not contractually binding.)
NIST 800-series Special Publications

C.2.5 OPM Issuances
The Information Security and Privacy Policy incorporates regulations and internal documents issued by OPM, including but not limited to the following.

OPM Regulations
Personnel Records, 5 CFR, Chapter I, Part 293.
Privacy Procedures for Personnel Records, 5 CFR, Chapter I, Part 297.
Employee Responsibilities and Conduct, 5 CFR, Chapter I, Part .
The most current versions of regulations can be obtained online through a search at the following:

OPM Internal Documents
Computer User Responsibilities
Enhanced IT Security
Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft, Memorandum for Chief Human Capital Officers, June 18, 2007
IT Procurement Application
IT Access Request Form (OPM Form 1665)
Incident Response and Reporting Guide
Information Technology System Management
LAN Complex Passwords
Office of the Chief Information Officer, Social Media Policy, v1, January 2011
Policy on IT Procurement
Policy on Personal Use of Government Office Equipment
Privacy Impact Assessment Guide
Privacy (PII) Web pages on the OPM intranet
Process for Analyzing New and Emerging Information Security and Privacy Policy Requirements
Records Management Handbook
Rules of Behavior
Security Assessment and Authorization Guide
Sysplex Security Policy and Procedures
System Access Authorization Procedures
System of Records Notice (SORN) Guide
Telework Policy
WinZip v9.0 Encryption Procedures
Wireless Access Usage Restrictions and Implementation Guidance

APPENDIX D: WAIVER REQUEST FORM


APPENDIX E: RISK ACCEPTANCE MEMORANDUM

United States Office of Personnel Management
Risk Acceptance Memorandum

TO: [Insert audience of memorandum. This will typically be the Authorizing Official (AO), but may also be the Chief Information Officer]
THRU: Andy Newton, Chief Information Security Officer, Office of Personnel Management, IT Security and Privacy
FROM: [Name], [System Owner (SO)/Designated Security Officer (DSO)/Information System Security Officer (ISSO)]
SUBJECT: Risk Acceptance Memorandum for POA&M Item # [Insert POA&M Number], [Insert POA&M Title], from [Insert origin of POA&M, e.g., C&A], dated [Month, Day, Year].

Background
[Provide a brief description of the weakness, how and when it was discovered, and what recommendations or planned mitigation activities were accomplished or are ongoing. This risk assessment must assess the risks of accepting a noncompliant security control for the system for an extended period of time or throughout the life cycle of the system.]

Risk Assessment

System Classification [High / Moderate / Low]
[State the system's classification of high, moderate, or low according to the potential impact to OPM of a breach of confidentiality, integrity, or availability. See OPM's Information Security and Privacy Policy for more information.]

Threat Identification
[Describe the threat posed by this unmitigated weakness. Threat is the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Example text: Common threat sources include:
Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

Human Threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.]

Vulnerability Identification
[Describe the vulnerabilities associated with this unmitigated weakness. A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.]

Control Analysis
[Analyze and explain any controls that have been implemented by the organization to minimize or eliminate the likelihood (or probability) of the threat source exercising the system vulnerability.]

Likelihood Determination
[Determine the likelihood that a potential vulnerability could be exercised by a given threat source and categorize the likelihood as high, medium, or low. The following governing factors must be considered:
Motivation and capability of the threat source
Nature of the vulnerability
Existence and effectiveness of current controls]

Impact Analysis
[Describe the adverse impact of a security event in terms of loss or degradation (or a combination) of any of the following three security goals: integrity, availability, and confidentiality. Example text: If one or more of the vulnerabilities identified above were successfully exploited, the resulting impact is anticipated to be low. No additional tangible assets are at risk as a result of this redesign, and a failure or compromise of one or more security objectives (confidentiality, integrity, and availability) would not likely result in a noticeable impact on OPM's mission, reputation, or interests.]

Risk Determination
[Detailed assessment and explanation of the level of risk to the IT system.
Sample text: The determination of risk for a particular threat/vulnerability pair can be expressed as a function or combination of:
The likelihood that a given threat source will attempt to exercise a given vulnerability, multiplied by
The magnitude of the impact in the event a threat source successfully exercises the vulnerability, multiplied by
The adequacy of planned or existing security controls for reducing or eliminating risk.]

[Example text: Based on the results of the preceding steps, the risk to the system under this proposed redesign is considered to be low. This determination was reached by the following analysis:

Threats
Physical threats to the system may change as a result of the movement of hardware from TRB to Boyers, PA.
New servers may not be properly configured (hardened) or patched in accordance with OPM's Information Security and Privacy Policy.
Database software upgrades may introduce new software vulnerabilities.
Personnel (user roles and responsibilities) may change, which could result in improper separation of duties, inadequate staffing, or untrained administrators.

Magnitude of Impact
HIGH: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources, (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest, or (3) may result in human death or serious injury.
MEDIUM: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources, (2) may violate, harm, or impede an organization's mission, reputation, or interest, or (3) may result in human injury.
LOW: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

Vulnerability Risks
The migration from one facility to another could open the system to new physical threats.
Improperly configured servers may be vulnerable to hackers and thieves who could attempt to intercept, modify, or disrupt system operations.
New software may be vulnerable to bugs, backdoors, or newly blended threats.
Improperly assigned or untrained administrators could inadvertently expose the system to unknown vulnerabilities.
For each threat/vulnerability pair in this assessment, system data and equipment could be stolen, vandalized, compromised, or made unavailable, thereby disrupting critical system business objectives.]

[The next step in the risk assessment process is to outline the existing compensating controls currently in place or those that are expected to be in place under the proposed redesign. Each threat/vulnerability pair is assessed against the controls that serve to help mitigate the potential risks identified.]

[Example text]
Current (or Proposed) Compensating Controls
The physical security controls at the new hosting site (Boyers, PA) are at least as stringent as the existing controls at TRB. The Boyers, PA facility undergoes certification and accreditation (C&A) reviews more often than the required triennial cycle, because multiple OPM systems with C&A requirements are hosted there. Current physical security assessments for Boyers, PA are on file and available for review.
All servers activated on the OPM information network (LAN/WAN) must be built according to OMB-required baseline configurations. These baselines include security configuration settings that support OPM's security policy. The servers at Boyers will be configured to the standard security settings required for Federal (and OPM) information systems.
All new software undergoes several rounds of testing, both at the vendor level and through beta testing by selected vendor customers. The upgraded database application has a number of advisories and patches that must be applied before the system becomes fully active on the network.
No significant personnel or staffing changes will occur as a result of this redesign. Existing administrators will continue to operate and manage the system.
The current compensating security controls in place for the system redesign contribute to a threat likelihood of low. The successful exploitation of one or more of the identified vulnerabilities would result in a low-magnitude impact to OPM. The combination of these two determinations results in an overall risk rating of low.
Risk-level matrix (threat likelihood multiplied by impact):

Threat Likelihood    Impact: Low (10)        Medium (50)               High (100)
High (1.0)           Low (1.0 x 10 = 10)     Medium (1.0 x 50 = 50)    High (1.0 x 100 = 100)
Medium (0.5)         Low (0.5 x 10 = 5)      Medium (0.5 x 50 = 25)    Medium (0.5 x 100 = 50)
Low (0.1)            Low (0.1 x 10 = 1)      Low (0.1 x 50 = 5)        Low (0.1 x 100 = 10)

Risk scale: High (above 50 to 100); Medium (above 10 to 50); Low (1 to 10).

Control Recommendations
[Document the final recommendations of the risk acceptance. Sample text: All Federal information systems are required to conform to NIST-recommended security standards for configuration and operation. Existing and planned security controls meet or exceed those necessary to authorize the system to operate (as certified by the most recent C&A, July 2008). No additional control recommendations are made at this time.]

Results Documentation
[Describe the results of the risk acceptance. Sample text: This risk assessment report comprises step 9 of the risk management process by documenting the results of the risk assessment as it pertains specifically to the proposed redesign of the system. This document must be appended to the system's Information System Security Plan, along with the decision by the system DAA to allow (or disallow) the system to operate as described with the unmitigated security control weakness.]

Acknowledgement of Risk
I understand and accept the residual security risks identified in this assessment as a result of the specified unmitigated security control weakness. This acceptance of risk will remain in place throughout the current Security Assessment and Authorization cycle, after which this control must be reassessed for inclusion in or exclusion from the system's Baseline Security Requirements (BLSR) document. This risk assessment must become an attachment to the current System Security Plan (SSP).

[System Designated Security Officer (DSO)]    [Date]
[System Owner]    [Date]
[Authorizing Official (AO)]    [Date]

Version 1.0 FOR OFFICIAL USE ONLY CIO/ITSP January

APPENDIX F: RULES OF BEHAVIOR
OPM COMPUTER USER RESPONSIBILITIES

As a user of OPM's computer systems, you are expected to understand and comply with the responsibilities outlined below. You will be held accountable for your actions when using these systems. If you violate OPM policy regarding these responsibilities, you may be subject to administrative action ranging from counseling to removal from the agency, as well as any criminal penalties or financial liability, depending on the severity of the misuse.

Privacy While Using Government Equipment
You do not have the right to privacy while using any Government equipment, including Internet or e-mail services. Furthermore, your use of Government office equipment, for whatever purpose, is not secure, private, or anonymous. While using Government office equipment, your use may be monitored or recorded.

Protection of Software, Data, and Hardware
You are not allowed to introduce any unauthorized software or data (including software and data protected by copyright, trademark, privacy laws, other proprietary rights, or other intellectual property rights beyond fair use), hardware, or telecommunication devices, or to modify any configurations. You are not allowed to interconnect to other computer systems or networks without the authorization of OPM's chief information manager. Access to the Internet via the OPM network is authorized. In addition, you will protect all sensitive information residing in OPM computer systems, preventing unauthorized access, use, modification, disclosure, or destruction of that information. This includes records about individuals requiring protection under the Privacy Act, sensitive financial information, and information that cannot be released under the Freedom of Information Act. Disclosure of sensitive information, trade secrets, and intellectual property to unauthorized individuals is also prohibited.
Service Restoration
The availability of the computer systems is a matter of importance to you. You are responsible for assisting in any way that you can in restoring service in the event that the computer systems become non-operational. Priority is given to restoring the general support systems and the applications supporting OPM's mission-essential functions as defined in the agency's Continuity of Operations Plan (COOP).

System Privileges
You are given access to the computer systems based on a need to perform specific work at OPM. You are expected to work within the confines of the access allowed and are not to attempt to access systems or applications for which access is not authorized.

Telecommuting
The OPM Human Resources Handbook, Chapter 368, Telecommuting, contains the policy and procedures for authorizing telecommuting. In general, immediate supervisors approve, on a case-by-case basis, employee requests to telecommute. Telecommuters who access OPM's general support systems must adhere to all IT security policy and procedures that would apply if the individual were accessing OPM's systems in the office. Dial-in access for telecommuters or other users whose job functions may require it is authorized by the chief, Network Management Group.

Use of Government Office Equipment
You will comply with the policies specified in the OPM Policy on Personal Use of Government Office Equipment.

Use of Passwords
You will create and use passwords as specified in the Information Security and Privacy Policy. You must keep your passwords confidential and not share them with anyone. Individual applications may have more stringent password requirements than the general policy requirements.

APPENDIX G: SAMPLE CONTRACT CLAUSE
OPM IT Security Contract Clause for IT Contracts
Information Technology Systems Security (Jan 2011)

Summary Table:
I. FISMA Compliance
II. OPM IT Security and Privacy Policy & Procedure Compliance, OMB Policy and Procedure Compliance
III. IT Security and PII Breach Protection and Notification
IV. Personnel Security Requirements (Contractor Staff)
V. IT Security and Privacy Awareness Training Prior to System Access
VI. Specialized IT Security Awareness Training for Security Staff (Federal/Contractor)
VII. Contractor System, Service Provider and Third-Party Provider Oversight/Compliance
VIII. Cloud Computing
IX. Multi-Factor Authentication Requirements for Application Logical Access
X. HSPD-12
XI. Software Procurement Requirements - FDCC Compliance
XII. FIPS Encryption Requirements
XIII. Telework
XIV. Wireless Computing

Section 1.31 Definition of Information Security (JAN 2011)

FISMA Compliance - Section 1.33 Information Technology Systems Security (JAN 2011)
(a) The activities required by contract shall necessitate the Offeror's access to a Federal Automated Information System (AIS) or systems, as well as the implementation of new systems. Based upon the definitions contained in Federal Information Processing Standards Publication 199 (FIPS PUB 199), the Government has determined that Level LLL applies to the sensitivity of the data contained in the AIS(s) and Level LLL applies to the operational criticality of the data processing capabilities of the AIS(s).
(Note: FIPS PUB 199 is accessible online at: )
(b) The Offeror's proposal must include:
(1) A detailed outline (commensurate with the size and complexity of the requirements of the SOW) of its present and proposed Information Technology systems security program, demonstrating that it complies with the security requirements of the SOW, the Federal Information Security Management Act of 2002 (FISMA, Public Law , 44 U.S.C. ), and Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Systems," together with an acknowledgement of its understanding of the security requirements in the SOW. (Note: OMB Circular A-130, Appendix III is accessible online at: )
(2) Similar information for any subcontract proposed.

Contractors shall ensure information security is fully integrated into IT systems and practiced by personnel, in compliance with the following:
As indicated in FAR Subpart 2.1, information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
1. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
2. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3. Availability, which means ensuring timely and reliable access to, and use of, information.

Contractors and federal systems must adhere to the FISMA requirements as established by OPM, including the following:
The Certification and Accreditation (C&A) process conforms to current NIST guidance and follows NIST's 6-step Risk Management Framework as outlined in Special Publication rev1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
Ensure compliance with NIST guidance: rev1 (Feb 2010), rev3 (Aug 2009), and A rev1 (June 2010).
The Assessment and Authorization process is required for all federal, contractor, and third-party service providers. It is documented in the OPM Assessment and Authorization Guide (add link), issued in January 2011, in the form of OPM security templates and an associated authorization process checklist that must be completed for all systems. This includes standard OPM templates for the authorization documents: System Security Plan, FIPS 199 Security Categorization, Security Assessment Plan, and Contingency Plan.
Ensure that Senior Agency Information Security Officer (SAISO) reviews occur earlier in the authorization process, at Decision Points where SAISO concurrence is required.
Follow the NIST Risk Management Framework 6-step process:
o Categorize: Categorize the system as Low, Moderate, or High impact (FIPS 199).
o Select: Select and tailor the security controls for the system (SP rev3).
o Implement: Implement the security controls and update the System Security Plan.
o Assess: Develop the Security Assessment Plan and assess the security controls (800-53A rev1).
o Authorize: Submit the authorization documents and receive the authorization decision.
o Monitor: Monitor the security controls. This portion will be more fully developed after release of NIST guidance in this area and the results of the OPM Continuous Monitoring working group.

OPM IT Security and Privacy Policy & Procedure Compliance, OMB Policy and Procedure Compliance

Compliance with the OPM IT Security and Privacy Handbook policy and procedures and with OMB policy is required of contractor and federal staff and system users. Please reference the following link.

Section 5.68 Privacy or Security Safeguards (AUG 1996) (FAR )
The Contractor shall not publish or disclose in any manner, without the Contracting Officer's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government. To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases. If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

IT Security and PII Breach Protection and Notification
Protection of all federal and PII data is mandatory. If a breach or compromise of data occurs, all federal and contractor staff and service providers must report the breach immediately by contacting the OPM Situation Room.

Section 1.35 Procedures for Reporting a Security Breach (JAN 2011)
A breach of data, system access, etc. includes loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of information, whether physical or electronic. As an agency, OPM is required to immediately report all potential security and data breaches, whether they involve paper documents or electronic information. In order to meet this responsibility, OPM has established a new internal procedure for reporting the loss or possible compromise of any data, and this clause conforms to that procedure.
OPM contractors must report any breach or potential breach to the OPM Situation Room and the Contracting Officer within 60 minutes of becoming aware of it, regardless of the time or day of the week. Breaches should be reported even if the breach is believed to be limited, small, or insignificant; OPM's IT security experts will determine when a breach needs additional focus and attention. The OPM Situation Room is available 24 hours per day, 365 days per year. Report the breach to the OPM Situation Room and the Contracting Officer either by phone or by e-mail; however, be sure NOT to include PII in the e-mail.
(1) OPM contractors must report a breach or potential security breach to the OPM Situation Room at: [email protected], (202) , Fax (202)
(2) When notifying the Situation Room, please copy the Contracting Officer.
(3) To get help with WinZip, please contact the OPM Help Desk at: [email protected], (202) , TTY (202)

(4) If you have questions regarding these procedures, contact the Contracting Officer.

IT Security and Privacy Awareness Training Prior to System Access
IT Security and Privacy Awareness Training must be completed by all federal and contractor personnel prior to gaining system access. This is a mandated annual requirement. Noncompliance will result in revocation of system access.

Specialized IT Security Training for Security Staff (Contractor)
IT Security contractor personnel are required to complete specialized IT Security training based on the role-based requirements herein (add link). Contractor companies are required to report training completed, to demonstrate the competencies that this training addresses.

Contractor Oversight - Contractor System, Service Provider and Third-Party Provider Compliance
All contractor systems, service providers, and third-party vendors must complete the OPM Offsite System Security Self-Assessment Survey and submit the assessments to their COTR and the CIO IT Security and Privacy Office for review and evaluation. This is a supplemental requirement and does not replace contract requirements under FISMA. The federal government has the authority to conduct site reviews for compliance validation. Full cooperation by contractor and third-party providers is required for audits and forensics.
The OPM Offsite System Security Self-Assessment Survey is used to collect, review, and evaluate organizational and system information on IT components as part of the OPM Assessment and Authorization process. The survey does not fulfill the requirements of FISMA compliance, but rather is meant to provide only a high-level overview of the security concerns most relevant to the system or components addressed by the survey. The survey follows National Institute of Standards and Technology (NIST) security control categories addressing Management, Operational, and Technical controls.
Cloud Computing
Systems and applications utilizing Cloud Computing solutions must adhere to OPM security policy, NIST cloud computing guidelines, and the requirements identified by the CIO Council in the following link. Continuous monitoring requirements and FISMA must be enforced for these technology solutions (see link to NIST SP).

Software Procurement Requirements - FDCC Compliance
The contractor shall certify that applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista). For the Windows XP settings, see: , and for the Windows Vista settings, see: http://csrc.nist.gov/itsec/guidance_vista.html

(a) The standard installation, operation, maintenance, update, and/or patching of software shall not alter the configuration settings from the approved FDCC configuration. The information technology should also use the Windows Installer Service for installation to the default program files directory and should be able to silently install and uninstall.
(b) Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.

FIPS Encryption Requirements
Adherence to the NIST FIPS encryption requirements is necessary to protect federal and contractor data when transmitting between systems. See link for FIPS compliance guidelines.

Access Control Requirements and Use of Multi-Factor Authentication for Logical Access
Each contractor employee is required to use individual identification and authentication to access OPM IT systems. Using shared accounts to access OPM IT systems is strictly prohibited. OPM will disable accounts, and access to OPM IT systems will be revoked and denied, if accounts are shared. Users of the systems will be subject to periodic auditing to ensure compliance with the OPM Information Security and Privacy Policy (ISPP). In addition, contractors are required to comply with the following NIST security controls at a minimum:
Access Control (AC): Controls in the AC family ensure that proper restrictions are in place to limit access to authorized users with a need to know.
OMB requires all applications to migrate to multi-factor authentication solutions, which requires the following compliance: NIST SP Revision 3, Security Control IA-2, Identification and Authentication (Organizational Users), requires the use of multi-factor authentication and specifies the level at which multifactor authentication must be implemented based on the system security impact level.
The majority of this scrutiny revolves around network/local access and privilege/non-privileged accounts. The follow is a summary of those requirements by system impact level (insert link for the following): TABLE 1 IMPACT NIST R3, IA-2 CONTROL REQUIREMENTS L M H Multifactor required for Network Access using Privileged Accounts. Multifactor required for Network Access using Non-Privileged Accounts. Multifactor required for Local Access using Privileged Accounts. Multifactor required for Local Access using Non-Privileged Accounts. Relay-Resistant authentication mechanism for Privileged Accounts. Relay-Resistant authentication mechanism for Non-Privileged Accounts. NIST in NIST SP Revision 3, also identifies in Security Control IA-8, Identification and Authentication (Non-Organizational Users), identifies that the users not classified as Organizational Users need to be evaluated using the Electronic Authentication (e- Authentication) guidance provided in NIST SP Revision

The OPM, OCIO, ITSP reiterates NIST's guidance on the use of multifactor authentication, especially for those systems with a security categorization of MODERATE or HIGH for the security objectives CONFIDENTIALITY and/or INTEGRITY, and that process sensitive information such as Personally Identifiable Information (PII), financial information and critical assets.

HSPD-12 Credentialing Standards
Compliance with the Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12 is mandatory. The memorandum (insert link) provides final government-wide credentialing standards to be used by all Federal departments and agencies in determining whether to issue or revoke personal identity verification (PIV) cards to their employees and contractor personnel, including those who are non-United States citizens. These standards replace the interim standards issued in December. The authority is section 2.3(b) of Executive Order of June 30. In addition to the requirements in this memorandum, credentialing determinations are also subject to the requirements of Homeland Security Presidential Directive (HSPD) 12 and issuances developed by the National Institute of Standards and Technology (NIST) and OMB. The purpose of this section is to provide minimum standards for initial eligibility for a PIV card. If an individual who otherwise meets these standards is found: 1) unsuitable for the competitive civil service under 5 CFR part 731, 2) ineligible for access to classified information under E.O., or 3) disqualified from appointment in the excepted service or from working on a contract, the unfavorable decision is a sufficient basis for non-issuance or revocation of a PIV card. Full compliance with the requirements under HSPD-12 must be achieved prior to granting access to IT systems and related data.

Section 5.67 Personal Identity Verification of Contractor Personnel (SEP 2007) (FAR)
The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M and Federal Information Processing Standards Publication (FIPS PUB) Number 201. The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.

Teleworking
Protection of federal data (paper and electronic) and PII is required while teleworking, and full compliance with the guidance in the telework pledge and requirements document (See link) is mandatory. Users must have secure VPN access, using their PIV credential and card reader for system access. Insert Instruction Link: Use Outlook Web Access to download OPM's teleworking software enabled with Personal Identity Verification (PIV) technology. The download provides an installation package. Contractors must run the installation and perform a first-time configuration of their Citrix XenApp account to complete the following:
(1) Installation instructions for the PIV software.
(2) Configuration instructions for Citrix XenApp.
(3) A Quick Guide for using PIV to telework on an everyday basis.

Cybersecurity Compliance
Ensure the security of on-line transactions, data and systems, including protection against sophisticated threats to the sensitive and confidential data of our citizens, industries and government. Continued expansion and availability of this data via online transactions significantly increases the potential losses (financial and non-financial) associated with identity theft, fraud, intellectual property leakage, and privacy breach. Securing these transactions and creating a trusted online environment was identified as a critical National priority with the release of the President's Cyberspace Policy Review (See link).

Wireless Computing
Contractors must ensure data protection through the use of OPM-approved wireless technologies and prevent compromises such as the following. OPM will enable wireless network connectivity on OPM-issued laptops only. Relevant security risks must be mitigated, including:
1. Intercepted communications via unsecured access points.
2. Allowing ad hoc connectivity for OPM laptops exposes them to malicious attacks from shared wireless network users.
3. Wireless encryption technology does not currently meet federal encryption standards.
Compensating controls must be adhered to:
1. Direct all OPM laptop wireless connectivity through OPM's VPN to mitigate risks.

Contractor Personnel Security Requirements (Jan 2008) - Supplemental
(a) The U.S. Office of Management and Budget (OMB) Memorandum M-05-24, referenced in paragraph (a) of FAR, Personal Identity Verification of Contractor Personnel, is available on-line (See link).
(b) The Government may require security clearances for performance of this contract. The Contractor must obtain these clearances before beginning work on the contract (OPM will not allow Contractor employees without clearance in any of its facilities). The Contractor must obtain these clearances by using the e-QIP system. If satisfactory security arrangements cannot be made with the Contractor, the required services must be obtained from other sources.
(c) The level of classified access required will be indicated on DD-254 or other appropriate form incorporated into each request requiring access to classified information.

Contractors are required to have background investigations for suitability if they occupy positions of trust (e.g., systems administration) even if they do NOT have access to classified information.
(d) Necessary facility and/or staff clearances must be in place prior to start of work on the contract.
(e) Contractors are responsible for the security, integrity and appropriate authorized use of their systems interfacing with the Government and/or used for the transaction of any and all Government business. The Government, through the Government's Contracting Officer, may require the use or modification of security and/or secure communications technologies related to Government systems access and use.
(f) The Government, at its discretion, may suspend or terminate the access and/or use of any or all Government access and systems for conducting business with any or all Contractors when a security or other electronic access, use or misuse issue gives cause for such action. The suspension or termination may last until such time as the Government determines that the situation has been corrected or no longer exists.

APPENDIX H: OPM DEFINED SECURITY CONTROL PARAMETERS

Each entry gives the NIST reference and control name, the impact levels at which the control applies (L M H, marked with X as in the original table), the NIST requirement text with its assignment placeholders, and the OPM assignment for each placeholder.

AC - Access Control Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

AC - Account Management (L M H: X X X)
  Requirement: The organization manages information system accounts, including: Reviewing accounts [Assignment: organization-defined frequency].
  OPM Assignment: On an annual basis.

AC-2(2) - Account Management (L M H: X X)
  Requirement: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
  OPM Assignment: Automatically terminate temporary and emergency accounts after no more than 7 calendar days.

AC-2(3) - Account Management (L M H: X X)
  Requirement: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
  OPM Assignment: 35 calendar days of inactivity.

AC-6(1) - Least Privilege (L M H: X X)
  Requirement: The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].
  OPM Assignment: Security functions establishing system accounts, configuring access authorizations, account or device permission modifications and user privileges, to authorized personnel.

AC-6(2) - Least Privilege (L M H: X X)
  Requirement: The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.
  OPM Assignment: Security functions including but not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, modifying device configurations, etc.

AC - Unsuccessful Login Attempts (L M H: X X X)
  Requirement: The information system enforces a limit of [Assignment 1: organization-defined number] consecutive invalid login attempts by a user during a [Assignment 2: organization-defined time period]; and automatically [Selection: locks the account/node for an [Assignment 3: organization-defined time period]].
  OPM Assignment: Assignment 1: Three (3). Assignment 2: N/A. Selection: Locks the account. Assignment 3: Until released by an administrator.

AC - Concurrent Sessions (L M H: X)
  Requirement: The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
  OPM Assignment: One.

AC - Session Lock (L M H: X X)
  Requirement: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user.
  OPM Assignment: 15 minutes or less.

AC-17(5) - Remote Access (L M H: X X)
  Requirement: The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
  OPM Assignment: Continuously.

AC-17(7) - Remote Access (L M H: X X)
  Requirement: The organization ensures that remote sessions for accessing [Assignment 1: organization-defined list of security functions and security-relevant information] employ [Assignment 2: organization-defined additional security measures] and are audited.
  OPM Assignment: Assignment 1: Security functions including but not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, modifying device configurations, etc. Assignment 2: Additional security measures (e.g., two-factor authentication).

AC-17(8) - Remote Access (L M H: X X)
  Requirement: The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be nonsecure] except for explicitly identified components in support of specific operational requirements.
  OPM Assignment: Nonsecure protocols such as telnet, SSH v.1, FTP, HTTP, SNMP v.1.

AC-18(2) - Wireless Access (L M H: X)
  Requirement: The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
  OPM Assignment: At least semi-annually.

AC-19 - Access Control for Mobile Devices (L M H: X X X)
  Requirement: The organization: Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
  OPM Assignment: National Institute of Standards and Technology (NIST) guidance ( , ) as well as device specific procedures and measures, including sanitization and/or destruction procedures (e.g., formatting or re-imaging digital storage) when applicable.

AC - Publicly Accessible Content (L M H: X X X)
  Requirement: The organization: Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

AT - Security Awareness and Training Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

AT - Security Awareness (L M H: X X X)
  Requirement: The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.
  OPM Assignment: At least annually.

AT - Security Training (L M H: X X X)
  Requirement: The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
  OPM Assignment: At least annually thereafter.

AT - Security Training Records (L M H: X X X)
  Requirement: The organization: Retains individual training records for [Assignment: organization-defined time period].
  OPM Assignment: One year for auditing and reporting purposes.

AU - Audit and Accountability Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

AU - Auditable Events (L M H: X X X)
  Requirement: The organization: (a) Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment 1: organization-defined list of auditable events]; (d) Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment 2: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].
  OPM Assignment: Assignment 1: Apply checklists and configuration guides which provide recommended lists of auditable events. See policy for a list of possible events. Assignment 2: Information system owners will determine, based on a risk assessment, additional auditable events.

AU-2(3) - Auditable Events (L M H: X X)
  Requirement: The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

AU-3(1) - Content of Audit Records (L M H: X X)
  Requirement: The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.
  OPM Assignment: Provide the capability to include more detailed audit log information by type, location, or subject when required to support investigations.

AU-3(2) - Content of Audit Records (L M H: X)
  Requirement: The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].
  OPM Assignment: Individual components throughout the system.

AU - Response to Audit Processing Failures (L M H: X X X)
  Requirement: The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
  OPM Assignment: Continue logging by overwriting the oldest audit records.

AU-5(1) - Response to Audit Processing Failures (L M H: X)
  Requirement: The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.
  OPM Assignment: 80%.

AU-5(2) - Response to Audit Processing Failures (L M H: X)
  Requirement: The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
  OPM Assignment: The ability to log events.

AU - Audit Review, Analysis, and Reporting (L M H: X X X)
  Requirement: The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reporting.
  OPM Assignment: At a frequency equivalent to the Federal Information Processing Standard (FIPS) 199 security categorization.

AU-8(1) - Time Stamps (L M H: X X)
  Requirement: The information system synchronizes internal information system clocks [Assignment 1: organization-defined frequency] with [Assignment 2: organization-defined authoritative time source].
  OPM Assignment: Assignment 1: Automatically. Assignment 2: Authoritative network time protocol (NTP) servers.

AU-11 - Audit Record Retention (L M H: X X X)
  Requirement: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
  OPM Assignment: According to records disposition schedules established in the Office of Personnel Management's (OPM) Records Management Handbook.

AU-12 - Audit Generation (L M H: X X X)
  Requirement: The information system: Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components].
  OPM Assignment: Individual components throughout the system.

AU-12(1) - Audit Generation (L M H: X)
  Requirement: The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
  OPM Assignment: Assignment: Individual components throughout the system where logging is possible. Assignment: Less than 1 second of National Institute of Standards and Technology (NIST) atomic clock servers.

CA - Security Assessment and Authorization Policies and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: At least every two years.

CA - Security Assessments (L M H: X X X)
  Requirement: The organization: Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  OPM Assignment: At least annually.

CA-2(2) - Security Assessments (L M H: X)
  Requirement: The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].
  OPM Assignment: In-depth monitoring, malicious user testing, penetration testing, vulnerability scanning, or other forms of testing as designated and approved by the Information System Security Officer (ISSO), Designated Security Officer (DSO), System Owner (SO), and SAISO.

CA - Plan of Action and Milestones (L M H: X X X)
  Requirement: The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
  OPM Assignment: Quarterly for low and moderate systems, and monthly for high systems.

CA - Security Authorization (L M H: X X X)
  Requirement: The organization: Updates the security authorization [Assignment: organization-defined frequency].
  OPM Assignment: At least every three (3) years or when there is a significant change to the system.

CA - Continuous Monitoring (L M H: X X X)
  Requirement: Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

CM - Configuration Management Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

CM-2(1) - Baseline Configuration (L M H: X X)
  Requirement: The organization reviews and updates the baseline configuration of the information system: (a) [Assignment 1: organization-defined frequency]; (b) When required due to [Assignment 2: organization-defined circumstances].
  OPM Assignment: Assignment 1: Annually. Assignment 2: Significant changes to the current operating environment.

CM-2(4) - Baseline Configuration (L M H: X X)
  Requirement: The organization: Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system].
  OPM Assignment: A list of unapproved software.

CM-2(5) - Baseline Configuration (L M H: X)
  Requirement: The organization: Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system].
  OPM Assignment: A list of approved software.

CM - Configuration Change Control (L M H: X X)
  Requirement: The organization: Coordinates and provides oversight for configuration change control activities through [Assignment 1: organization-defined configuration change control element (e.g., committee board)] that convenes [Selection (one or more): [Assignment 2: organization-defined frequency]; [Assignment 3: organization-defined configuration change conditions]].
  OPM Assignment: Outlined in the Configuration Management Policy.

CM-3(1) - Configuration Change Control (L M H: X)
  Requirement: The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify designated approval authorities; (c) Highlight approvals that have not been received by [Assignment: organization-defined time period]; (d) Inhibit change until designated approvals are received; and (e) Document completed changes to the information system.
  OPM Assignment: Within designated response times.

CM-5(2) - Access Restrictions for Change (L M H: X)
  Requirement: The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.
  OPM Assignment: At least weekly.

CM-5(3) - Access Restrictions for Change (L M H: X)
  Requirement: The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.
  OPM Assignment: Critical software programs and/or modules such as patches, service packs, and where applicable, device drivers.

CM - Configuration Settings (L M H: X X X)
  Requirement: The organization: Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements.
  OPM Assignment: The National Checklist Program (National Institute of Standards and Technology (NIST) SP 800-70), or OPM developed secure configuration baselines (approved by the Chief Information Officer (CIO), Chief Information Security Officer (CISO), or designees).

CM-6(2) - Configuration Settings (L M H: X)
  Requirement: The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
  OPM Assignment: All configurable devices.

CM - Least Functionality (L M H: X X X)
  Requirement: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
  OPM Assignment: Specific functions, ports, protocols, or services such as Domain Name System (DNS), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Internet Relay Chat (IRC), Network Basic Input Output System (Netbios), Simple Mail Transfer Protocol (SMTP), and Structured Query Language (SQL) in order to provide only those capabilities that are essential.

CM-7(1) - Least Functionality (L M H: X X)
  Requirement: The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
  OPM Assignment: At least annually.

CM-7(2) - Least Functionality (L M H: X)
  Requirement: The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].
  OPM Assignment: A list of authorized software programs.

CM - Information System Component Inventory (L M H: X X X)
  Requirement: The organization develops, documents, and maintains an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability].
  OPM Assignment: Where applicable: hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, the component network name and network address.

CM-8(3) - Information System Component Inventory (L M H: X)
  Requirement: The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and (b) Disables network access by such components/devices or notifies designated organizational officials.
  OPM Assignment: Near real-time.

CM-8(4) - Information System Component Inventory (L M H: X)
  Requirement: The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.
  OPM Assignment: Role, position, or name.

CP - Contingency Planning Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

CP - Contingency Plan (L M H: X X X)
  Requirement: The organization: (b) Distributes copies of the contingency plan to [Assignment 1: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements]; (d) Reviews the contingency plan for the information system [Assignment 2: organization-defined frequency]; (f) Communicates contingency plan changes to [Assignment 3: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
  OPM Assignment: Assignment 1: Key contingency personnel and other related organizational elements or entities. Assignment 2: At least annually. Assignment 3: Key contingency personnel and other related organizational elements or entities.

CP-2(3) - Contingency Plan (L M H: X)
  Requirement: The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
  OPM Assignment: 12 hours.

CP - Contingency Training (L M H: X X X)
  Requirement: The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

CP - Contingency Plan Testing and Exercises (L M H: X X X)
  Requirement: The organization: Tests and/or exercises the contingency plan for the information system [Assignment 1: organization-defined frequency] using [Assignment 2: organization-defined tests and/or exercises] to determine the plan's effectiveness and the organization's readiness to execute the plan.
  OPM Assignment: Assignment 1: At least annually. Assignment 2: Office of Personnel Management (OPM) defined and information system specific tests and exercises such as checklist, walkthrough/tabletop, simulation, parallel, full interrupt.

CP - Alternate Processing Site (L M H: X X)
  Requirement: The organization: Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable.
  OPM Assignment: 12 hrs.

CP - Telecommunications Services (L M H: X X)
  Requirement: The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
  OPM Assignment: 12 hrs.

CP - Information System Backup (L M H: X X X)
  Requirement: The organization: (a) Conducts backups of user-level information contained in the information system [Assignment 1: organization-defined frequency consistent with recovery time and recovery point objectives]; (b) Conducts backups of system-level information contained in the information system [Assignment 2: organization-defined frequency consistent with recovery time and recovery point objectives]; (c) Conducts backups of information system documentation including security-related documentation [Assignment 3: organization-defined frequency consistent with recovery time and recovery point objectives].
  OPM Assignment: Assignment 1: Periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers. Assignment 2: Periodically (Low), weekly (Moderate), and daily (High). Assignment 3: Periodically (Low), weekly (Moderate), and daily (High) for file shares on the network; end users are responsible for backup and recovery functions for desktops, notebooks, and hand-held computers.

CP-9(1) - Information System Backup (L M H: X X)
  Requirement: The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
  OPM Assignment: At least annually (recommend quarterly for High and semiannually for Moderate).

CP-10(3) - Information System Recovery and Reconstitution (L M H: X X)
  Requirement: The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].
  OPM Assignment: Circumstances that can inhibit recovery and reconstitution to a known state (e.g., baselines not kept or backups not performed).

CP-10(4) - Information System Recovery and Reconstitution (L M H: X)
  Requirement: The organization provides the capability to reimage information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
  OPM Assignment: Established recovery time objectives (RTO).

IA - Identification and Authentication Policy and Procedures (L M H: X X X)
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

IA-2(8) - Identification and Authentication (L M H: X X)
  Requirement: The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.
  OPM Assignment: Authentication mechanisms that require challenges (e.g., Transport Layer Security (TLS)), and time synchronous or challenge-response one-time authenticators.

IA-2(9) - Identification and Authentication (L M H: X)
  Requirement: The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.
  OPM Assignment: Authentication mechanisms that require challenges (e.g., Transport Layer Security (TLS)), and time synchronous or challenge-response one-time authenticators.

IA - Device Identification and Authentication (L M H: X X)
  Requirement: The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.
  OPM Assignment: Network switches / routers, servers, workstations, laptops, printers, other peripheral devices - smart phones, tablet PCs, etc.

IA - Identifier Management (L M H: X X X)
  Requirement: The organization manages information system identifiers for users and devices by: (c) Preventing reuse of user or device identifiers for [Assignment 1: organization-defined time period]; (d) Disabling the user identifier after [Assignment 2: organization-defined time period of inactivity].
  OPM Assignment: Assignment 1: Permanently. Assignment 2: 30 calendar days of inactivity.

IA - Authenticator Management (L M H: X X X)
  Requirement: The organization manages information system authenticators for users and devices by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type].
  OPM Assignment: One (1) day minimum and 60 day maximum.

IA-5(1) Authenticator Management
  Baselines: L, M, H
  Requirement: The information system, for password-based authentication: (a) Enforces a minimum password complexity of [Assignment 1: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least a [Assignment 2: organization-defined number of changed characters] when new passwords are created; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment 3: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment 4: organization-defined number] generations.
  OPM Assignment: Assignment 1: Password complexity of at least 8 characters for non-privileged accounts and at least 12 characters for privileged accounts, plus 3 of the following 4 attributes: uppercase letters (A-Z); lowercase letters (a-z); numbers (0-9); special characters ($, %, &, *, +, =, ?, {}, [], <>, :, )). Assignment 2: One (1) changed character. Assignment 3: FDCC 1 day minimum and 60 day maximum. Assignment 4: Twenty-four (24). Note: Exceptions exist.

IA-5(3) Authenticator Management
  Baselines: M, H
  Requirement: The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
  OPM Assignment: HSPD-12 smartcards and other PKI authenticators.

IR-1 Incident Response Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

IR-2 Incident Response Training
  Baselines: L, M, H
  Requirement: The organization: Provides refresher training [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

IR-3 Incident Response Testing and Exercises
  Baselines: M, H
  Requirement: The organization tests and/or exercises the incident response capability for the information system [Assignment 1: organization-defined frequency] using [Assignment 2: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
  OPM Assignment: Assignment 1: At least annually. Assignment 2: Scenario-based exercises.

IR-6 Incident Reporting
  Baselines: L, M, H
  Requirement: The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period].
  OPM Assignment: Immediately (no more than 30 minutes after becoming aware of the incident).
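A checker that enforces the IA-5 and IA-5(1) OPM parameters in the rows above (length by account type, 3 of 4 character classes, one changed character, 1-day minimum and 60-day maximum lifetime, 24-generation reuse prohibition). This is an added example, not OPM code; the Account record, the digest-based history and the special-character set (taken from Assignment 1 as printed) are assumptions.

```python
"""Password-policy validator for the IA-5 / IA-5(1) OPM parameters (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parameters taken from the IA-5 and IA-5(1) OPM assignments on this page.
MIN_LEN_NONPRIV = 8        # Assignment 1: non-privileged accounts
MIN_LEN_PRIV = 12          # Assignment 1: privileged accounts
MIN_CLASSES = 3            # Assignment 1: 3 of the 4 character classes
MIN_CHANGED_CHARS = 1      # Assignment 2
MIN_AGE_DAYS = 1           # Assignment 3: lifetime minimum
MAX_AGE_DAYS = 60          # Assignment 3: lifetime maximum
HISTORY_GENERATIONS = 24   # Assignment 4

# Special characters as listed in Assignment 1 on the page (assumption: a
# deployment would normally accept a wider punctuation set).
SPECIALS = set("$%&*+=?{}[]<>:)")


def _digest(password: str) -> str:
    # Illustrative only: a real credential store keeps salted, slow hashes
    # (bcrypt, PBKDF2, ...) rather than plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    """Assumed account record: digests of prior passwords plus current age."""
    username: str
    privileged: bool
    history: List[str] = field(default_factory=list)  # digests, oldest first
    age_days: int = 0                                  # days since last change


def character_classes(password: str) -> int:
    """Number of the four IA-5(1) character classes present (0..4)."""
    present = [
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        any(c in SPECIALS for c in password),
    ]
    return sum(present)


def changed_characters(old: str, new: str) -> int:
    """Positions that differ between old and new; a length change counts too."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_new_password(acct: Account, old: Optional[str], new: str) -> List[str]:
    """Return the IA-5(1) violations for a proposed change (empty = compliant)."""
    violations = []
    min_len = MIN_LEN_PRIV if acct.privileged else MIN_LEN_NONPRIV
    if len(new) < min_len:
        violations.append(f"length {len(new)} below minimum {min_len}")
    if character_classes(new) < MIN_CLASSES:
        violations.append("fewer than 3 of the 4 character classes")
    if old is not None and changed_characters(old, new) < MIN_CHANGED_CHARS:
        violations.append("fewer than 1 character changed from the previous password")
    if acct.history and acct.age_days < MIN_AGE_DAYS:
        violations.append("minimum lifetime of 1 day not yet reached")
    if _digest(new) in acct.history[-HISTORY_GENERATIONS:]:
        violations.append("reuse within the last 24 generations")
    return violations


def password_expired(acct: Account) -> bool:
    """True once the 60-day maximum lifetime has been exceeded."""
    return acct.age_days > MAX_AGE_DAYS


def apply_change(acct: Account, old: Optional[str], new: str) -> List[str]:
    """Validate and, if compliant, record the new password and reset its age."""
    violations = check_new_password(acct, old, new)
    if not violations:
        acct.history.append(_digest(new))
        acct.age_days = 0
    return violations


if __name__ == "__main__":
    # Constructed sample: non-privileged user, one prior password, changed 5 days ago.
    user = Account("jdoe", privileged=False,
                   history=[_digest("Spring2011$")], age_days=5)
    print(apply_change(user, "Spring2011$", "Summer2011%"))   # compliant: []
    print(apply_change(user, "Summer2011%", "Spring2011$"))   # minimum-age and reuse violations
```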

IR-8 Incident Response Plan
  Baselines: L, M, H
  Requirement: The organization: (b) Distributes copies of the incident response plan to [Assignment 1: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements]; (c) Reviews the incident response plan [Assignment 2: organization-defined frequency]; (e) Communicates incident response plan changes to [Assignment 3: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].
  OPM Assignment: Assignment 1: The Chief Information Officer (CIO), System Owners (SO), Information System Security Officers (ISSO), Designated Security Officers (DSO), and additional staff as necessary. Assignment 2: At least annually. Assignment 3: The CIO, CISO, SOs, ISSOs, DSOs, and other impacted staff.

MA-1 System Maintenance Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

MA-6 Timely Maintenance
  Baselines: M, H
  Requirement: The organization obtains maintenance support and/or spare parts for [Assignment 1: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment 2: organization-defined time period] of failure.
  OPM Assignment: Assignment 1: Critical information system components and/or key information technology components defined by SOs. Assignment 2: 72 hours.

MP-1 Media Protection Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

MP-2 Media Access
  Baselines: L, M, H
  Requirement: The organization restricts access to [Assignment 1: organization-defined types of digital and non-digital media] to [Assignment 2: organization-defined list of authorized individuals] using [Assignment 3: organization-defined security measures].
  OPM Assignment: Assignment 1: Information in printed form or on digital media removed from the information system. Assignment 2: Authorized users. Assignment 3: Formal documented procedures.

MP-3 Media Marking
  Baselines: M, H
  Requirement: The organization: Exempts [Assignment 1: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment 2: organization-defined controlled areas].
  OPM Assignment: Assignment 1: Portable digital and non-digital media. Assignment 2: A secure environment (locked room accessible by manual key, key fob, electronic physical access card, or cipher lock).

MP-4 Media Storage
  Baselines: M, H
  Requirement: The organization: Physically controls and securely stores [Assignment 1: organization-defined types of digital and non-digital media] within [Assignment 2: organization-defined controlled areas] using [Assignment 3: organization-defined security measures].
  OPM Assignment: Assignment 1: Information system media, both paper and electronic. Assignment 2: Controlled areas. Assignment 3: Approved resources, techniques, equipment, and procedures for the information system's highest security category defined by FIPS 199.

MP-5 Media Transport
  Baselines: M, H
  Requirement: The organization: Protects and controls [Assignment 1: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment 2: organization-defined security measures].
  OPM Assignment: Assignment 1: Digital and non-digital media. Assignment 2: Approved resources, techniques, equipment, and procedures for the information system's highest security category defined by FIPS 199.

MP-6(2) Media Sanitization
  Baselines: M, H
  Requirement: The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
  OPM Assignment: Annually.

MP-6(3) Media Sanitization
  Baselines: none marked
  Requirement: The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].
  OPM Assignment: When devices are first purchased, prior to initial use; prior to re-issuing a device; when the organization loses a positive chain of custody for the device; and when a device has reached its end-of-life and is decommissioned.

PE-1 Physical and Environmental Protection Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

PE-2 Physical Access Authorization
  Baselines: L, M, H
  Requirement: The organization: Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
  OPM Assignment: At least monthly.

PE-3 Physical Access Control
  Baselines: L, M, H
  Requirement: The organization: (f) Inventories physical access devices [Assignment 1: organization-defined frequency]; (g) Changes combinations and keys [Assignment 2: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
  OPM Assignment: Assignment 1: At least annually. Assignment 2: At least annually.

PE-6 Monitoring Physical Access
  Baselines: L, M, H
  Requirement: The organization: Reviews physical access logs [Assignment: organization-defined frequency].
  OPM Assignment: Quarterly.

PE-8 Access Records
  Baselines: L, M, H
  Requirement: The organization: Reviews visitor access records [Assignment: organization-defined frequency].
  OPM Assignment: Quarterly.

PE-10 Emergency Shutoff
  Baselines: M, H
  Requirement: The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel.
  OPM Assignment: A location near the information system or information system component.

PE-14 Temperature and Humidity Controls
  Baselines: L, M, H
  Requirement: The organization: (a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment 1: organization-defined acceptable levels]; (b) Monitors temperature and humidity levels [Assignment 2: organization-defined frequency].
  OPM Assignment: Assignment 1: Acceptable levels per the system equipment specifications (or temperatures of [value missing] F and relative humidity of 50% +/- 10%). Assignment 2: At acceptable intervals per the system requirements, or continuously.

PE-16 Delivery and Removal
  Baselines: L, M, H
  Requirement: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
  OPM Assignment: Information system-related items (hardware and firmware).

PE-17 Alternate Work Site
  Baselines: M, H
  Requirement: The organization: Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites.
  OPM Assignment: An equivalent level of security protection equal to the highest rated information or information system accessed.

PL-1 Security Planning Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

PL-2 System Security Plan
  Baselines: L, M, H
  Requirement: The organization: Reviews the security plan for the information system [Assignment: organization-defined frequency].
  OPM Assignment: At least annually, and submits the updated SSP to the CISO office.

PS-1 Personnel Security Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

PS-2 Position Categorization
  Baselines: L, M, H
  Requirement: The organization: Reviews and revises position risk designations [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

PS-3 Personnel Screening
  Baselines: L, M, H
  Requirement: The organization: Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
  OPM Assignment: Change in position risk designation, new position with higher risk designation, or other according to HSPD-12 requirements.

PS-5 Personnel Transfer
  Baselines: L, M, H
  Requirement: The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment 1: organization-defined transfer or reassignment actions] within [Assignment 2: organization-defined time period following the formal transfer action].
  OPM Assignment: Assignment 1: Appropriate actions such as: closing old accounts and establishing new accounts; changing system access authorizations; ensuring the return of all OPM information system-related property (e.g., keys, identification cards, building passes); and ensuring that appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems. Assignment 2: Within 24 hrs.

PS-6 Access Agreements
  Baselines: L, M, H
  Requirement: The organization: Reviews/updates the access agreements [Assignment: organization-defined frequency].
  OPM Assignment: At least annually.

RA-1 Risk Assessment Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

RA-3 Risk Assessment
  Baselines: L, M, H
  Requirement: The organization: (b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment 1: organization-defined document]]; (c) Reviews risk assessment results [Assignment 2: organization-defined frequency]; (d) Updates the risk assessment [Assignment 3: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
  OPM Assignment: Assignment 1: The Security Assessment Report. Assignment 2: At least annually, and submitted to the CISO office. Assignment 3: At least annually.

RA-5 Vulnerability Scanning
  Baselines: L, M, H
  Requirement: The organization: (a) Scans for vulnerabilities in the information system and hosted applications [Assignment 1: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; (d) Remediates legitimate vulnerabilities [Assignment 2: organization-defined response times] in accordance with an organizational assessment of risk.
  OPM Assignment: Assignment 1: At least quarterly for high systems and semiannually for other systems. Assignment 2: In accordance with the Office of Personnel Management (OPM) Risk Assessment Procedure. Note: Risk must be assessed for all vulnerabilities identified during scanning. The remediation timeline applies to vulnerabilities that OPM plans to address, and does not apply to proven false positives and vulnerabilities that will be accepted.

RA-5(2) Vulnerability Scanning
  Baselines: L, M, H
  Requirement: The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when significant new vulnerabilities are identified and reported.
  OPM Assignment: Weekly.

RA-5(5) Vulnerability Scanning
  Baselines: none marked
  Requirement: The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.
  OPM Assignment: System devices (network components, servers, workstations, etc.) and databases.

RA-5(7) Vulnerability Scanning
  Baselines: none marked
  Requirement: The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.
  OPM Assignment: Real-time.

SA-1 System and Services Acquisition Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

SA-12 Supply Chain Protection
  Baselines: H
  Requirement: The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.
  OPM Assignment: The use of information technology procurement procedures and approved federal acquisition contracts.

SA-13 Trustworthiness
  Baselines: H
  Requirement: The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].
  OPM Assignment: A level of trustworthiness (determined through acquisition, security engineering principles, security function isolation, risk assessment, Security Assessment and Authorization, and continuous monitoring) equivalent to the FIPS 199 security categorization and acceptable to the Authorizing Official, SAISO, and CIO.

SC-1 System and Communications Protection Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

SC-5 Denial of Service Protection
  Baselines: L, M, H
  Requirement: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
  OPM Assignment: National Institute of Standards and Technology (NIST) SP Rev. 1 and US-CERT (United States Computer Emergency Readiness Team) Guidelines.

SC-7(4) Boundary Protection
  Baselines: M, H
  Requirement: The organization: Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency].
  OPM Assignment: At least annually (or when changes to the system traffic flow occur).

SC-7(8) Boundary Protection
  Baselines: H
  Requirement: The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.
  OPM Assignment: All outbound internal communications traffic to the Internet.

SC-9(1) Transmission Confidentiality
  Baselines: M, H
  Requirement: The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures].
  OPM Assignment: Alternative physical measures (e.g., physical access controls, conduit, etc.).

SC-10 Network Disconnect
  Baselines: M, H
  Requirement: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
  OPM Assignment: 15 minutes.

SC-15 Collaborative Computing Devices
  Baselines: L, M, H
  Requirement: The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed].
  OPM Assignment: Authorized administrator access, such as maintenance or troubleshooting.

SC-17 Public Key Infrastructure Certificates
  Baselines: M, H
  Requirement: The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.
  OPM Assignment: Appropriate certificate policy.

SC-24 Fail in Known State
  Baselines: H
  Requirement: The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
  OPM Assignment: Assignment 1: An identified state as documented in the System Security Plan. Assignment 2: System integrity. For instance, an information system may fail to an access denied or closed state upon any type of failure of the system or system component, preserving system integrity in failure; however, this may not be appropriate for an automated system that controls entry and exit points.

SI-1 System and Information Integrity Policy and Procedures
  Baselines: L, M, H
  Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

SI-2(2) Flaw Remediation
  Baselines: M, H
  Requirement: The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
  OPM Assignment: Periodically (semi-weekly for servers, monthly for workstations, and quarterly for network resources) and on demand.

SI-3 Malicious Code Protection
  Baselines: L, M, H
  Requirement: The organization: Configures malicious code protection mechanisms to: (1) Perform periodic scans of the information system [Assignment 1: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; (2) [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment 2: organization-defined action]] in response to malicious code detection.
  OPM Assignment: Assignment 1: At least weekly. Selection and Assignment 2: Send alert to administrator; and quarantine or eradicate malicious code (e.g., viruses, worms, Trojan horses).

SI-4 Information System Monitoring
  Baselines: M, H
  Requirement: The organization: Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks.
  OPM Assignment: Risk-based objectives.

SI-4(5) Information System Monitoring
  Baselines: M, H
  Requirement: The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
  OPM Assignment: Perimeter router and firewalls generate audit records when network traffic is blocked in accordance with configuration policy and/or ACLs; IDS detects and reports suspicious activity or an attack signature is detected; etc.

SI-5 Security Alerts, Advisories, and Directives
  Baselines: L, M, H
  Requirement: The organization: Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)].
  OPM Assignment: System Owners (SO), Information System Security Officers (ISSO), Designated Security Officers (DSO), OPM users, etc.

SI-6 Security Functionality Verification
  Baselines: H
  Requirement: The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
  OPM Assignment: Upon system startup; upon restart and upon command by users with appropriate privilege; system shut-down; and system restarting.

SI-7(1) Software and Information Integrity
  Baselines: M, H
  Requirement: The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.
  OPM Assignment: At least annually.

SI-11 Error Handling
  Baselines: M, H
  Requirement: The information system: Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries.
  OPM Assignment: Sensitive or potentially harmful information such as account numbers, social security numbers (SSNs), credit card numbers, system configuration information, etc.

PM-1 Information Security Program Plan
  Baselines: L, M, H
  Requirement: The organization: Reviews the organization-wide information security program plan [Assignment: organization-defined frequency].
  OPM Assignment: Reviewed annually, updated as determined necessary.

APPENDIX I: NIST SP , Rev. 3; Removed or Not Selected

Control Family | No. | Control Name | Status
Access Control | AC-9 | Previous Logon (Access) Notification | Not selected for any baseline
Access Control | AC-12 | Session Termination | Withdrawn
Access Control | AC-13 | Supervision and Review Access Control | Withdrawn
Access Control | AC-15 | Automated Marking | Withdrawn
Access Control | AC-16 | Security Attributes | Not selected for any baseline
Access Control | AC-21 | User-Based Collaboration and Information Sharing | Not selected for any baseline
Awareness and Training | AT-5 | Contacts with Security Groups and Associations | Not selected for any baseline
Audit and Accountability | AU-13 | Monitoring for Information Disclosure | Not selected for any baseline
Audit and Accountability | AU-14 | Session Audit | Not selected for any baseline
Security Assessment and Authorization | CA-4 | Security Certification | Withdrawn
Contingency Planning | CP-5 | Contingency Plan Update | Withdrawn
Physical and Environmental Protection | PE-19 | Information Leakage | Not selected for any baseline
Planning | PL-3 | System Security Plan Update | Withdrawn
Risk Assessment | RA-4 | Risk Assessment Update | Withdrawn
System and Services Acquisition | SA-14 | Critical Information System Components | Not selected for any baseline
System and Communications Protection | SC-6 | Resource Priority | Not selected for any baseline
System and Communications Protection | SC-11 | Trusted Path | Not selected for any baseline
System and Communications Protection | SC-16 | Transmission of Security Attributes | Not selected for any baseline
System and Communications Protection | SC-25 | Thin Nodes | Not selected for any baseline
System and Communications Protection | SC-26 | Honeypots | Not selected for any baseline
System and Communications Protection | SC-27 | Operating System-Independent Applications | Not selected for any baseline
System and Communications Protection | SC-29 | Heterogeneity | Not selected for any baseline
System and Communications Protection | SC-30 | Virtualization Techniques | Not selected for any baseline
System and Communications Protection | SC-31 | Covert Channel Analysis | Not selected for any baseline
System and Communications Protection | SC-33 | Transmission Preparation Integrity | Not selected for any baseline
System and Communications Protection | SC-34 | Non-Modifiable Executable Programs | Not selected for any baseline
System and Information Integrity | SI-13 | Predictable Failure Prevention | Not selected for any baseline
Program Management | PM (ALL) | Program Management Control Family | New Control Family

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Chief Information Officer
1900 E Street, NW
Washington, DC
CIO-03


DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK 6500.5 Washington, DC 20420 Transmittal Sheet March 22, 2010 INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE 1. REASON FOR ISSUE: This

More information

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

HHS Information System Security Controls Catalog V 1.0

HHS Information System Security Controls Catalog V 1.0 Information System Security s Catalog V 1.0 Table of Contents DOCUMENT HISTORY... 3 1. Purpose... 4 2. Security s Scope... 4 3. Security s Compliance... 4 4. Security s Catalog Ownership... 4 5. Security

More information

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES

More information

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive

More information

NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.

NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/. Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE Instruction 60-701 28 May 2012 Information Technology IT Security Assignment of Responsibilities

More information

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15 U.S. NUCLEAR REGULATORY COMMISSION MANAGEMENT DIRECTIVE (MD) MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15 Volume 12: Approved By: Security R. W. Borchardt Executive Director for Operations Date Approved:

More information

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities

Office of Audits and Evaluations Report No. AUD-13-007. The FDIC s Controls over Business Unit- Led Application Development Activities Office of Audits and Evaluations Report No. AUD-13-007 The FDIC s Controls over Business Unit- Led Application Development Activities September 2013 Executive Summary The FDIC s Controls over Business

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

EPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015

EPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM MAINTENANCE PROCEDURES V1.8 JULY 18, 2012 1. PURPOSE The purpose of this procedure

More information

Security Controls Assessment for Federal Information Systems

Security Controls Assessment for Federal Information Systems Security Controls Assessment for Federal Information Systems Census Software Process Improvement Program September 11, 2008 Kevin Stine Computer Security Division National Institute of Standards and Technology

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY. HUD Handbook 2400.25 REV4.1

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY. HUD Handbook 2400.25 REV4.1 U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY HUD Handbook 2400.25 REV4.1 March 2016 Document Change History Version Number Date Description Author 2.0 November

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

Final Audit Report -- CAUTION --

Final Audit Report -- CAUTION -- U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

Final Audit Report. Report No. 4A-CI-OO-12-014

Final Audit Report. Report No. 4A-CI-OO-12-014 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S

More information

Review of the SEC s Systems Certification and Accreditation Process

Review of the SEC s Systems Certification and Accreditation Process Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act. OFFICE OF INSPECTOR GENERAL Report of Evaluation OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s Evaluation of the Farm Compliance Credit Administration s with the Federal Information

More information

CMS Policy for Information Security and Privacy

CMS Policy for Information Security and Privacy Office of the Administrator Centers for Medicare & Medicaid Services CMS Policy for Information Security and Privacy FINAL Version 2.0 April 11, 2013 Document Number: CMS-OA-POL-SEC01-02.0 CMS Policy for

More information

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer

DEPARTMENT OF THE INTERIOR. Privacy Impact Assessment Guide. Departmental Privacy Office Office of the Chief Information Officer DEPARTMENT OF THE INTERIOR Privacy Impact Assessment Guide Departmental Privacy Office Office of the Chief Information Officer September 30, 2014 Table of Contents INTRODUCTION... 1 Section 1.0 - What

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14 UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL INFORMATION TECHNOLOGY AUDIT DIVISION September 22, 20 14 FINAL MANAGEMENT INFORMATION REPORT To: From: Subject: James W. Runcie ChiefOperating

More information

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction

More information

DHS Sensitive Systems Policy Directive 4300A

DHS Sensitive Systems Policy Directive 4300A DHS Sensitive Systems Directive 4300A Version 8.0 March 14, 2011 This is the implementation of DHS Management Directive 140-01 Information Technology System Security, July 31, 2007 DEPARTMENT OF HOMELAND

More information

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

COORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element)

COORDINATION DRAFT. FISCAM to NIST Special Publication 800-53 Revision 4. Title / Description (Critical Element) FISCAM FISCAM 3.1 Security (SM) Critical Element SM-1: Establish a SM-1.1.1 The security management program is adequately An agency/entitywide security management program has been developed, An agency/entitywide

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

Wright State University Information Security

Wright State University Information Security Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified

More information

CIOP CHAPTER 1351.40 Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section 40.1. Purpose

CIOP CHAPTER 1351.40 Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section 40.1. Purpose CIOP CHAPTER 1351.40 Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS Section 40.1. Purpose... 1 Section 40.2. Background... 2 Section 40.3. Scope and Applicability... 3

More information

Office of Inspector General Corporation for National and Community Service

Office of Inspector General Corporation for National and Community Service Office of Inspector General Corporation for National and Community Service FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) INDEPENDENT EVALUATION FOR FY 2013 OIG REPORT 14-03 1201 New York Ave, NW

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014 NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS

PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS ClOP CHAPTER 1351.19 PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS TABLE OF CONTENTS SECTION #.1 SECTION #.2 SECTION #.3 SECTION #.4 SECTION #.5 SECTION #.6 SECTION #.7 SECTION

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

INFORMATION PROCEDURE

INFORMATION PROCEDURE INFORMATION PROCEDURE Information Security - Privacy Procedures Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY PRIVACY PROCEDURES 1. PURPOSE

More information

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12 Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General

More information

Privacy Incident Handling Guidance

Privacy Incident Handling Guidance Privacy Incident Handling Guidance Revised January 26, 2012 Basis for Privacy Incident Handling Guidance The following procedures establish governing policies and procedures for Privacy Incident handling

More information

Department of Veterans Affairs VA HANDBOOK 6500.6 CONTRACT SECURITY

Department of Veterans Affairs VA HANDBOOK 6500.6 CONTRACT SECURITY Department of Veterans Affairs VA HANDBOOK 6500.6 Washington, DC 20420 Transmittal Sheet MARCH 12, 2010 CONTRACT SECURITY 1. REASON FOR ISSUE: This Handbook establishes the procedures to implement security

More information

Guide for the Security Certification and Accreditation of Federal Information Systems

Guide for the Security Certification and Accreditation of Federal Information Systems NIST Special Publication 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems Ron Ross Marianne Swanson Gary Stoneburner Stu Katzke Arnold Johnson I N F O R M A

More information

Public Law 113 283 113th Congress An Act

Public Law 113 283 113th Congress An Act PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it

More information

Information Security for IT Administrators

Information Security for IT Administrators Fiscal Year 2015 Information Security for IT Administrators Introduction Safeguarding the HHS Mission Information Security Program Management Enterprise Performance Life Cycle Enterprise Performance Life

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

NASA Information Technology Requirement

NASA Information Technology Requirement NASA Information Technology Requirement NITR-2800-2 Effective Date: September 18,2009 Expiration Date: September 18, 2013 Email Services and Email Forwarding Responsible Office: OCIO/ Chief Information

More information

Following is a discussion of the Hub s role within the health insurance exchanges, the results of our review, and concluding observations.

Following is a discussion of the Hub s role within the health insurance exchanges, the results of our review, and concluding observations. Testimony of: Kay Daly Assistant Inspector General for Audit Services Office of Inspector General, U.S. Department of Health and Human Services Hearing Title: The Threat to Americans Personal Information:

More information

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES Report No.: ISD-IS-OCIO-0001-2014 June 2014 OFFICE OF INSPECTOR GENERAL U.S.DEPARTMENT OF THE INTERIOR Memorandum JUN 0 4 2014 To: From:

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Program Management April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1 ClOP CHAPTER 1351.39 Departmental Information Technology Governance Policy TABLE OF CONTENTS Section 39.1 Purpose... 1 Section 39.2 Section 39.3 Section 39.4 Section 39.5 Section 39.6 Section 39.7 Section

More information

Minimum Acceptable Risk Standards for Exchanges Exchange Reference Architecture Supplement

Minimum Acceptable Risk Standards for Exchanges Exchange Reference Architecture Supplement Minimum Acceptable Risk Standards for Exchanges Exchange Reference Architecture Supplement Executive Overview The Patient Protection and Affordable Care Act of 2010 1 (hereafter simply the Affordable Care

More information

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM PREFACE TO SELECTED INFORMATION DIRECTIVES CIO Transmittal No.: 15-010 CIO Approval Date: 06/12/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 CHIEF INFORMATION

More information

NASA Information Technology Requirement

NASA Information Technology Requirement NASA Information Technology Requirement NITR 2810-17 Effective Date: November 12, 2008 Expiration Date: May 16, 2011 System Maintenance Policy and Procedures Responsible Office: Office of the Chief Information

More information

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored

More information

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

System Security Certification and Accreditation (C&A) Framework

System Security Certification and Accreditation (C&A) Framework System Security Certification and Accreditation (C&A) Framework Dave Dickinson, IOAT ISSO Chris Tillison, RPMS ISSO Indian Health Service 5300 Homestead Road, NE Albuquerque, NM 87110 (505) 248-4500 fax:

More information