UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

Transcription

1 UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE /28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive establishes mandatory requirements and assigns roles and responsibilities to facilitate the implementation of the Agency s C&A policy. II. III. IV. (RESERVED) (RESERVED) REFERENCES DM , Certification and Accreditation of Information Systems DM , Chapter 11, Part 1, Certification and Accreditation Methodology Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems FSIS Directive , Managing Information Technology (IT) Resources FSIS Directive , Employee Responsibilities and Conduct National Institute of Standards and Technology (NIST), Internal Report (IR) 7298, Glossary of Key Information Security Terms NIST Special Publication (SP) , An Introduction to Computer Security: The NIST Handbook NIST SP , Revision 1, Guide for Developing Security Plans for Federal Information Systems NIST SP , Risk Management Guide for Information Technology Systems NIST SP , Revision 1, Contingency Planning Guide for Federal Information Systems NIST SP , Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems NIST SP , Security Guide for Interconnecting Information Technology Systems NIST SP , Revision 3, Recommended Security Controls for Federal Information Systems and Organizations DISTRIBUTION: Electronic; All Field Employees OPI: OCIO Enterprise Management Division

2 NIST SP A, Guide for Assessing the Security Controls in Federal Information Systems NIST SP , Revision 1, Performance Measurement Guide for Information Security NIST SP , Revision 2, Security Considerations in the System Development Life Cycle Public Law , Privacy Act of 1974 Public Law , Title III, E-Government Act of 2002 V. ABBREVIATIONS The following appear in their shortened form in this directive: ATO C&A CIO CO DAA FISMA ISSO ISSP ISSPM IT NIST SP OCIO POA&M TCCB Authority to Operate Certification and Accreditation Chief Information Officer Certifying Official Designated Approving Authority Federal Information Security Management Act Information Systems Security Officer Information Systems Security Program Information Systems Security Program Manager Information Technology National Institute of Standards and Technology Special Publication Office of the Chief Information Officer Plan of Action and Milestones Technical Change Control Board VI. POLICY It is FSIS policy to ensure information security controls are in place to protect FSIS information systems and data in compliance with Public Law , Title III, E- Government Act of 2002; Public Law , Privacy Act of 1974, as amended; and USDA regulations. VII. DEFINITIONS A. Accreditation. The official management decision given by a senior Agency official to authorize operation of an information system and to explicitly accept the risk to Agency operations (examples: mission, functions, image, or reputation), Agency assets, or individuals, based on the implementation of an agreed upon set of security controls. B. Certification. A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Page 2

3 FSIS DIRECTIVE C. CO. A senior manager who assumes the role of an independent technical liaison for all stakeholders involved in the C&A process and is an objective third party, independent of the system developers. The CO provides a comprehensive evaluation of the system, including technical and non-technical controls, to determine if the system is configured with the proper security controls in place. D. Continuous Monitoring. The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: and metrics. 1. Development of a strategy to regularly evaluate selected controls 2. Recording and evaluating relevant events and the effectiveness of the enterprise in dealing with those events. 3. Recording changes to controls or changes that affect risks. 4. Publishing the current security status to enable information-sharing decisions involving the enterprise. E. DAA. A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. F. Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, storage, or disposition of information. An information system must have logical boundaries around a set of processes, communications, storage, and the boundaries must: 1. Be under the same direct management control. 2. Have the same function or mission objective. 3. Have essentially the same operational and security needs. 4. Reside in the same general operating environment. G. ISSO. The person responsible for the day-to-day security of a specific IT system including physical security, personnel security, incident handling, and security awareness training, and education. The ISSO, in conjunction with the TCCB also identifies pending system or environmental changes that may necessitate recertification and re-accreditation of the system. For developmental systems, the ISSO serves as the principal technical advisor to the program manager for all security-related issues. Page 3 9/28/11

4 H. ISSPM. An individual responsible for the information assurance of a program, organization, system or enclave. I. IT. Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which requires the use of such equipment or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources. J. Penetration Testing. A test methodology in which assessors, using all available documentation (examples: system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. K. POA&M. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. L. Red Team Exercise. An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization. M. Security Control Assessment. The testing and evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. N. Significant Change. A change that alters the mission, operating environment, or basic vulnerabilities of the information system. O. System Owner. Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and final disposition of an information system. P. System User. An individual authorized to utilize FSIS IT resources. Page 4

5 FSIS DIRECTIVE VIII. BACKGROUND A. FISMA was passed by Congress and signed into law by the President as Public Law , Title III, E-Government Act of The goals of FISMA include development of a comprehensive framework to protect the Government s information, operations, and assets. FISMA assigns specific responsibilities to Federal agencies, NIST, and the Office of Management and Budget in order to strengthen IT system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information security risks to an acceptable level. All information systems within FSIS require C&A prior to the system becoming operational. The C&A process is a vital component of the overall security program. B. OCIO certifies and accredits information systems in accordance with NIST SP , NIST SP Revision 3, Departmental regulations, and Agency procedures. NIST SP provides the guidelines for the security C&A of the information systems. NIST SP Revision 3 outlines the controls to be addressed for C&A. IX. REQUIREMENTS In order to adhere to NIST SP and NIST SP , Revision 3 standards, FSIS has established and is responsible for the following C&A requirements: A. Security Assessments and Certification. 1. Develop a security assessment plan that includes the scope of the assessment as follows: assessment. a. The security controls and control enhancements under b. The assessment procedures to be used to determine security control effectiveness. responsibilities. c. The assessment environment, team, and roles and 2. Assess all information system security controls during the initial security accreditation. 3. Integrate security certification as a key factor in security accreditation decisions and into the information system development life cycle. 4. Conduct the information system security controls assessment annually or when there is a major change to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Page 5 9/28/11

6 5. Use the current year s security certification assessment results to meet the annual FISMA assessment requirement. 6. Employ an independent certification agent or certification team to conduct the initial and 3-year assessments of the information system security controls. (NOTE: Independent agents are not required for annual assessments.) 7. Produce a security assessment report that documents the results of the assessment and provide the results in writing, to the authorizing official or authorizing official s designated representative. 8. Provide as part of the security control assessment, in-depth monitoring, malicious user testing, penetration testing, and red team exercises. B. Information System Connections. 1. Authorize all connections from the information system to the other information systems outside of the accreditation boundary through the use of system connection agreements. Monitor and control system connections continuously by verifying enforcement of security requirements. 2. Assess risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the Agency and external to the Agency. Risk considerations include information systems sharing the same networks. 3. Document for each connection, the interface characteristics, security requirements, and the nature of the information communicated. C. POA&M. 1. Develop and update POA&M to guide the correction of deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the information system. 2. Use the Agency s information system for documenting remedial actions (examples: planning and implementation) to track the POA&M. 3. Update the existing plan of action and milestones based on findings from the security controls assessments, security impact analyses, and continuous monitoring activities. D. Security Accreditation. operation. 1. Authorize (accredit) the information system for processing before Page 6

7 FSIS DIRECTIVE Update the authorization at least every 3 years or when there is a significant change to the information system. 3. Ensure security accreditation is approved and signed by the DAA. E. Continuous Monitoring. 1. Monitor the information system security controls. Continuous monitoring activities include: a. Configuration management and control of information system components. system. b. Security impact analysis of changes to the information c. Ongoing assessment of security controls. d. Regularly reporting on the information system s status with regard to C&A and continuous monitoring efforts. 2. Establish the selection criteria and subsequently select a subset of the security controls employed within the information system for annual assessment. 3. Establish the schedule for control monitoring to ensure adequate coverage of security controls and resources is achieved. 4. Employ an independent assessor to monitor the security controls in the information system on an ongoing basis. X. RESPONSIBILITIES The roles and responsibilities to satisfy the C&A security controls follow: A. OCIO. 1. Promotes and supports C&A policy throughout the Agency. 2. Works closely with authorizing officials and their designated representatives to ensure an Agencywide security program is effectively implemented. 3. Ensures required C&As are accomplished in a timely and costeffective manner. 4. Centralizes reporting of all security-related activities. Page 7 9/28/11

8 B. DAA. 1. Ensures the operation of an information system is at an acceptable level of risk to Agency operations, assets, or individuals. 2. Assumes accountability for the risks associated with operating an information system. C. CO. 3. Appoints the information system owner. 1. Conducts security certification or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. 2. Recommends corrective actions to reduce or eliminate vulnerabilities in the information system. 3. Provides an independent assessment of the information system security plan prior to initiating the security assessment activities. 4. Ensures that the plan provides a set of security controls for the information system that adequately meets all applicable security requirements. D. System Owners. 1. Determine the procurement, development, integration, modification, or operation and maintenance of an information system. 2. Develop and maintain the information system security plan. 3. Ensure the information system is deployed and operated according to the agreed upon security requirements. 4. Ensure system users and support personnel receive the requisite security training (example: instruction in rules of behavior). 5. Establish access rights and types of access privileges. 6. Ensure detailed operating procedures are developed at the system or general support system level that satisfies the C&A security controls. Page 8

9 FSIS DIRECTIVE E. ISSPM. 1. Assist in the certification and accreditation of all agency IT systems. 2. Participate in Certification Teams providing guidance, testing security controls and assisting in the preparation of the final C&A package, as required. 3. Monitor and electronically track using Plans of Action and Milestones (POAM) the C&A progress on IT systems and report progress to agency CIO, including all systems under ATO to ensure that deficiencies are corrected in a timely manner. 4. Identify system changes that require re-accreditation in conjunction with the Agency TCCB. F. ISSO. 5. Participate in the preparation of ATO packages, as required. 1. Serves as the principal technical advisor and is responsible to the CO, information system owner, or ISSPM for ensuring that the appropriate operational security posture is maintained for an information system or program. 2. Maintains the day-to-day security operations of the information systems including: a. Physical security. b. Personnel security. c. Incident handling. d. Security awareness training and education. 3. Provides assistance on an as needed basis to: a. Assist in the development of the information system security policy and ensures compliance with that policy on a routine basis. b. Work closely with information system owners. c. Develop and update information system security plans. d. Manage and control changes to information systems. e. Assess the security impact of changes. Page 9 9/28/11

10 XI. PENALTIES AND DISCIPLINARY ACTIONS FOR NON-COMPLIANCE FSIS Directive sets forth the FSIS policies, procedures, and standards on employee responsibilities and conduct relative to the use of computers and telecommunications equipment. In addition, FSIS Directive outlines the disciplinary action that FSIS may take when policies are violated. XII. ADDITIONAL INFORMATION A. USDA departmental directives are located at FSIS directives and notices are located on InsideFSIS at B. For additional information about C&A, contact the FSIS Information System Security Program at Page 10