NASA Information Technology Requirement



Similar documents
NASA Information Technology Requirement

IT Security Handbook. Security Awareness and Training

FSIS DIRECTIVE

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Personally Identifiable Information (PII) Breach Response Policy

Minimum Security Requirements for Federal Information and Information Systems

IT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data

Get Confidence in Mission Security with IV&V Information Assurance

BPA Policy Cyber Security Program

EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Standard Operating Procedure

NASA OFFICE OF INSPECTOR GENERAL

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

U.S. Department of Energy Washington, D.C.

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Information Security and Privacy Policy Handbook

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

Baseline Cyber Security Program

U.S. Department of Energy Washington, D.C.

Final Audit Report. Report No. 4A-CI-OO

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

Standards for Security Categorization of Federal Information and Information Systems

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

IT Security Handbook. Planning: Information System Security Plan Template, Requirements, Guidance and Examples

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Office of Inspector General

NOTICE: This publication is available at:

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Final Audit Report -- CAUTION --

Review of the SEC s Systems Certification and Accreditation Process

NARA s Information Security Program. OIG Audit Report No October 27, 2014

How To Improve Nasa'S Security

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Policy on Information Assurance Risk Management for National Security Systems

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Name ofsystem/application: CRM-Correspondence Management Program Office: Office ofthe Executive Secretariat

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT INFORMATION TECHNOLOGY SECURITY POLICY. HUD Handbook REV4.1

Guide for the Security Certification and Accreditation of Federal Information Systems

Information Security for Managers

2012 FISMA Executive Summary Report

NIST Special Publication (SP) , Revision 2, Security Considerations in the System Development Life Cycle

Department of Veterans Affairs VA Handbook Information Security Program

CIOP CHAPTER Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section Purpose

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Information System Security Officer (ISSO) Guide

ORDER National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ:

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

SECURITY ASSESSMENT AND AUTHORIZATION

FedRAMP Standard Contract Language

HHS Information System Security Controls Catalog V 1.0

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15

FISMA Implementation Project

Information System Security Officer (ISSO) Guide

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

OPM System Development Life Cycle Policy and Standards. Table of Contents

CTR System Report FISMA

NISTIR 7359 Information Security Guide For Government Executives

NOTICE: This publication is available at:

DHS Sensitive Systems Policy Directive 4300A

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

Information Resource Management Directive USAP Information Security Risk Management

EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment

DEPARTMENTAL REGULATION

Audit of the Department of State Information Security Program

Dr. Ron Ross National Institute of Standards and Technology

NIST Special Publication Version 2.0 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

How To Write A Contract For Software Quality Assurance

Security Authorization Process Guide

Security Control Standard

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Transcription:

NASA Information Technology Requirement NITR 2810-17 Effective Date: November 12, 2008 Expiration Date: May 16, 2011 System Maintenance Policy and Procedures Responsible Office: Office of the Chief Information Officer

PREFACE Table of Contents P.l PURPOSE P.2 APPLICABILITY P.3 AUTHORITY P.4 APPLICABLE DOCUMENTS P.S MEASUREMENT AND VERIFICATION P.6 CANCELLATION 1.0 REQUIREMENT 1.1 System Maintenance Policy 1.2 Procedures APPENDIX A. Definitions APPENDIX B. Acronyms Distribution: NODIS 1

PREFACE P.I PURPOSE a. To provide the NASA infonnation system maintenance policies and procedures to meet the current National Institute of Standards and Technology (NIST) requirements. P.2 APPLICABILITY a. This NITR applies to unclassified infonnation systems at NASA Headquarters and Centers, including Component Facilities and Technical and Service Support Centers. To the extent specified in their respective contracts or agreements, it applies to the NASA Jet Propulsion Laboratory, other contractors, grant recipients, or parties to agreements for information systems that they use or operate on behalf ofthe Agency or that support the operations and assets ofthe Agency. P.3 AUTHORITY a. Reference Paragraph P.3, NPR 281O.IA. P.4 APPLICABLE DOCUMENTS a. NPR 281 O.IA, Security of Infonnation Technology b. Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization offederal Information and Infonnation Systems. c. NIST SP 800-100, Information Security Handbook: A Guide to Managers. d. NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Infonnation Systems. e. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Infonnation Systems. f. NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Infonnation Systems. P.S MEASUREMENT AND VERIFICATION a. Annual certification of the Agency Common Security Control MA-I, System Maintenance Policies and I;>rocedures. b. Annual assessment of the Agency MA-I common security control by the Infonnation System Owner (ISO) as part ofthe system Continuous Monitoring requirements P.6 CANCELLATION a. The next version ofnpr 2810.1 cancels this NITR. nation Officer 2

1.0 REQUIREMENT 1.1 System Maintenance Policy 1.1.1 A formal maintenance policy shail be developed, reviewed atmuaily and updated as needed. 1.1.2 The maintenance policy shall be consistent with applicable laws, Executive Orders, directives, regulations and guidance. 1.1.3 The maintenance policy shail include: a. Information about the purpose and scope as well as the roles and responsibilities of individuals responsible for actions. b. Details ofthe implementation. c. A configuration management process that includes Configuration Control Board (CCB) change control for tracking, managing, and approving any maintenance activity that results in hardware or software changes to the system. d. A list ofthe specific systems to which the policy applies. e. Procedures for scheduling maintenance that comply with the contingency planning policy. f. A limit on maintenance persolmel to the smallest possible number. g. Allowing only authorized maintenance persolmel to perform maintenance on NASA information systems and have the appropriate access authorizations. h. That maintenance tools brought in specifically for diagnostic/repair actions ofmoderate or High category information system for be approved, controiled, maintained, and monitored. 1. Scheduling, controlling, tracking, and documenting all preventative and regular maintenance. 1.1.4 The maintenance policy shall include the following requirements: a. Maintenance personnel must obtain written approval from the ISO for each maintenance activity or repair before they perfonn it. b. A report of any significant system changes will be sent to the Center Infonnation Technology Security Manager (ITSM). 1.2 Procedures 1.2.1 The Center ChiefInfonnation Officer (CIO) shall: a. Establish a Center maintenance policy that implements the above Agency policy. b. Maintain oversight of the maintenance policy implementation by the Center ISOs. 1.2.2 The Infonnation System Owner (ISO) shall implement the organization's system maintenance policy and use them to assess the system's Maintenance security controls. 1.2.3 The Senior Agency Infonnation Security Officer (SAISO) shall: 3

a. Annually review, and update as required, the System Maintenance Policy and Procedures as pati of the atmual review of the MA-l control as an Agency common control providing management oversight to assure policy currency and compliance. h. Annually celiify the MA-l Agency common control to assure it satisfies the purpose, scope, and compliance requirements for system maintenance. 4

APPENDIX A. Definitions Term Certification Common Control Configuration Control Continuous Monitoring Hybrid Security Control Infonnation System (Also referred to as IT System) Infonnation System Owner Definition A fonnal process for testing components or systems against a specified set of security requirements. Certification is normally perfonned by an independent reviewer, rather than one involved in building the system. Certification is more often costeffective for complex or high-risk systems. A security control that is inherited by an infonnation system Process for controlling modifications to hardware, finnware, software, and documentation to ensure the infonnation system is protected against improper modifications prior to, during, and after system implementation. [CNSS Inst. 4009] Refers to a phase ofthe Cetiification and Accreditation Process ofinfonnation Systems. It consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose ofthis phase is to provide oversight and monitoring of the security controls in the infonnation system on an ongoing basis and to infonn the authorizing official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle ofthe infonnation system. A security control that is part common control and part systemspecific control A discrete set ofinformation resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of infonnation in accordance with defined procedures, whether automated or manual. [OMB Circular A-130, Appendix III] An agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an infonnation system. Responsible for the development and maintenance of the system security plan and ensures the system is deployed and operated according to the security requirements. 5

Term Security Category Senior Agency Infonnation Security Officer Security Controls Site Control or Site Common Control Infonnation System Definition The characterization of infonnation or an infonnation system based on an assessment ofthe potential impact that a loss of confidentiality, integrity, or availability of such information or infonnation system would have on organizational operation, organizational assets, individuals, other organizations, and the Nation. [FIPS 199 as amended bynist SP 800-53] Official responsible for carrying out the ChiefInformation Officer responsibilities under FISMA and serving as the Chief Il1fonnation Officer's primary liaison to the agency's authorizing officials, infonnation system owners, and infonnatiol1 system security officers. [44 U.S.C., Sec. 3544] Synonymous with ChiefInfonnation Secnrity Officer (CISO) The management, operational, and teclmical controls (i.e., safeguards or countenneasures) prescribed for an infonnation system which, taken together, satisfy the specified security requirements and adequately protect the confidentiality, integrity, and availability of the system and its infonnation. An inherited security control from a common site that usually applies to multiple infonnation systems. Example is when more than one system is operating from a common data center (site) and infonnation system owners are required to use that sites' security controls, e.g. site access control, site power, etc. A discrete set of information resources organized for the coi1ection, processing, maintenance, use, sharing, dissemination, or disposition of infoffilation in accordance with defined procedures, whether automated or manual. [OMB Circular A-l30, Appendix III] (Also referred to as IT System) 6

APPENDIX B. Acronyms CCB Configuration Control Board CIO Chief Information Officer CM Configuration Management FIPS Federal Information Processing Standards ISO Information System Owner IT Infonnation Teclmology ITSM Infonl1ation Teclmology SecUlity Manager NIST National Institute ofstandards and Technology NITR NASA Infonnation Technology Requirement NPR NASA Procedural Requirements OCIO Office ofthe Chief Information Officer SAISO Senior Agency Infonnation Security Officer SP Special Publication 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information