NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.



Similar documents
NOTICE: This publication is available at:

AHS Vulnerability Scanning Standard

FedRAMP Standard Contract Language

NOTICE: This publication is available at:

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Overview. FedRAMP CONOPS

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

IT Compliance in Acquisition Checklist v3.5 Page 1 of 7

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

How To Improve Nasa'S Security

Office of Inspector General

How To Write The Jab P-Ato Vulnerability Scan Requirements Guide

Department of Homeland Security

How To Monitor Your Entire It Environment

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Evaluation of DHS' Information Security Program for Fiscal Year 2015

PII Compliance Guidelines

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

FREQUENTLY ASKED QUESTIONS

How To Audit The Mint'S Information Technology

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

United States Patent and Trademark Office

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

How To Get The Nist Report And Other Products For Free

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

Middle Class Economics: Cybersecurity Updated August 7, 2015

AHS Flaw Remediation Standard

In Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Information Security Program

Assessment and Authorization

Information Security for Managers

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Patch and Vulnerability Management Program

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Corporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA Office: Fax:

United States Department of Agriculture. Office of Inspector General

POSTAL REGULATORY COMMISSION

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Security Authorization Process Guide

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Department of Veterans Affairs VA Handbook Information Security Program

FISMA Compliance: Making the Grade

Security Control Standard

In Brief. Smithsonian Institution Office of the Inspector General

Information Security Network Connectivity Process

Continuous Monitoring

Checklist for Vulnerability Assessment

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Office of Inspector General

NARA s Information Security Program. OIG Audit Report No October 27, 2014

ASDI Full Audit Guideline Federal Aviation Administration

Strategic Plan Network Optimization & Transport Services

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

VA Office of Inspector General

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Information System Security Officer (ISSO) Guide

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Evaluation of DHS' Information Security Program for Fiscal Year 2015

Final Audit Report. Report No. 4A-CI-OO

2014 Audit of the Board s Information Security Program

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

INFORMATION TECHNOLOGY SECURITY POLICY Table of Contents

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Department of Commerce National Oceanic & Atmospheric Administration National Weather Service

Get Confidence in Mission Security with IV&V Information Assurance

Transcription:

Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-703 23 April 2013 Information Technology IT Security VULNERABILITY IDENTIFICATION, MITIGATION & REPORTING NOTICE: This publication is available at: http://www.nws.noaa.gov/directives/. OPR: ACIO (Sherry Richardson) Certified by: ACIO (Iftikhar Jamil) Type of Issuance: Routine SUMMARY OF REVISIONS: 2 ND paragraph of section 7, page 6 was removed due to error. NWS will comply with DOC CITR 16 as stated in the 1 st paragraph of section 7 page 6. _Signed 4/16/2013 Iftikhar Jamil Date NOAA Assistant Chief Information Officer for Weather

Table of Contents 1 Introduction...3 2 Scope....3 3 Responsible Parties...3 4 Performing Scans...3 5 Vulnerabilities Scans...4 5.1 Frequency...4 5.2 Initial Scans...4 5.3 Routines Scans...5 5.4 Internal Scans...5 5.5 External Scans...5 6 Mitigation Scans...5 7 Enforcing Remediation Timeframes...6 8 Patches...6 9 Reporting...6 10 Maintaining Accepted Vulnerability Records...7 11 References...7 2

1. Introduction This policy prescribes the minimum methodology used in the routine vulnerability identification and mitigation process for National Oceanic & Atmospheric Administration (NOAA), National Weather Service (NWS) systems. Routine, credential vulnerability scanning is required for all NWS accredited systems and is authorized under the NOAA/NWS Information Technology Security Program. NWS Information Technology Security Officers (ITSO) and Information System Security Officers (ISSOs) are responsible for ensuring that network vulnerability scans are conducted on all systems under their control to correct misconfigurations and reduce vulnerabilities to an acceptable level commensurate with Department of Commerce (DOC), NOAA, and NWS policy. Routine scanning is conducted and deficiencies mitigated as part of the continuous monitoring process to ensure the security of NWS systems and data. By establishing and maintaining compliance with this policy, risks and costs to both NOAA and NWS can be reduced. The objectives of this policy are to assure that: All accredited systems are routinely scanned and vulnerabilities are corrected in a timely manner in accordance with NOAA and NWS policy; NWS has implemented a standard process that all scanning personnel are following; and Vulnerability scanning and eradication has minimal impact on operational systems. 2. Scope This policy applies to all NWS systems that fall under the purview of the NWS IT Security program as defined by the Federal Information Security Management Act of 2002 (FISMA) or are supported by a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA). 3. Responsible Parties The responsible party for the security scanning of the NWS systems is the Information System Security Officer (ISSO) who reports to the System Owner (SO) or designate. However, the SO may designate the System Administrator (SA) to conduct the scan with oversight from the ISSO. In all cases, the ISSO is ultimately responsible for ensuring that security related vulnerability scans are conducted on a routine basis. Vulnerabilities are corrected in accordance with an approved change management process defined in the approved System Security Plan. For vulnerabilities that cannot be corrected because of technical or programmatic obstacles, ensure an approval process is in place authorized by the SO and Authorizing Official (AO) that assumes the risk for the vulnerabilities not being mitigated. 4. Performing Scans If possible, vulnerability scans should be performed during periods of reduced usage. These times are traditionally not during business hours for production systems. However, for 24/7 operations that is not practical. The time frame that the scans are to be performed on production 3

systems must be negotiated between the SO, SA, and the ISSO. The NOAA Computer Incident Response Team (NCIRT) is notified via the NOAA Form 47-43 about scheduled scans and provided the IP address of the scanner. 5. Vulnerability Scans There are many types of vulnerability scans but they fall into three basic groups; Initial, Routine, and Mitigation. 5.1. Frequency ISSOs or SAs perform routine scanning and reports are issued for remediation. SAs are responsible for remediating vulnerabilities in a timely manner. If the vulnerabilities cannot be remediated within a reasonable time period a report is sent to the SO recommending compensatory measures to protect the network. Scanning may be conducted at any time, but generally will occur in the following frequencies: Initial: o Certification o Discovery As needed Routine o Internal Vulnerability Scans: Quarterly o CyberScope Scans: Monthly o External Scan: Semi-Annually Mitigation o As needed to verify correction 5.2. Initial Scans Initial scans are local, credentialed scans and include Certification scans and Discovery scans. Prior to bringing any new system into production mode, all systems should be scanned by performing an automated initial certification scan. If it is not technically feasible to scan a system prior to bringing it into a production system, then a checklist covering basic security points should be completed by the scanning party with the cooperation of the system owner prior to connecting it to the production system. The system will then be subjected to an automated certification scan immediately after it is connected in the production environment. Certification scans should show compliance with the United States Government Configuration Baseline (USGCB) standard where applicable or the appropriate DOC, Commerce Information Technology Requirements. Discovery scans are usually the first scan that is conducted on a network. It establishes the inventory, the operating systems, and the baseline configurations. Since scanning is a process, the 4

initial discovery scan establishes the foundation for the scanning program for that network or system. Future scans will be conducted based on modifications to the initial scans which could include the exclusion of IPs that are not applicable or have acceptable vulnerabilities or the addition of new IPs. 5.3. Routine Scans Routine scans are conducted weekly, monthly, quarterly or semi-annually based on the data collected in the initial discovery scan. There are Internal Scans (which include CyberScope) and External Scans. 5.4. Internal Scans All internal scans are scanned from a point on the system s network segment (i.e., inside the firewall) to identify vulnerabilities that could be exploited by a knowledgeable insider or a hacker that has penetrated the perimeter defense. The results of this scan are compared against a baseline to identify new vulnerabilities and submitted quarterly in a report to the NOAA Security Operations Center (SOC). Vulnerability scans are primarily corrected through a robust patching program. A USGCB scan is a focused, internal scan that is based on predetermined configuration settings of certain operating systems and browsers. The Office of Management and Budget (OMB) requires that a USGCB scan and a vulnerability scan be conducted monthly and submitted via CyberScope. The SOC TSC has a specific CyberScope policy and repository dedicated to CyberScope scanning and submission. CyberScope scans are required on the 24 th of each month after patch Tuesday so that the scan results submitted to OMB will reflect the latest patch deployment. 5.5. External Scans External scans are non-credentialed perimeter scans that provide a comprehensive view of network vulnerabilities that could be exploited by an external hacker. All perimeter external devices managed by NWS should be scanned externally (e.g., from outside the firewall) at least twice a year and after any configuration changes to the perimeter device. If non-nws personnel manage the external perimeter protection devices then they are responsible for the security of the devices and NWS is not required to scan them. Since external scans for NWS systems involve testing the perimeter device, ensure the all configurations are backed up and all necessary parties (ITSO, SO, ISSO, ISP, Firewall Administrator, etc.) have prior notification. External scans are focused on misconfigurations in perimeter devices and public facing web servers that could allow an attacker to penetrate the network or deface or deny access to systems. 6. Mitigation Scans Mitigation scans are the subsequent actions conducted as a result of the deficiencies discovered in the scans. They are conducted after the scan data has been provided to the SA/NA and the 5

identified vulnerabilities have been corrected. Mitigation scans may be conducted as a separate action or may be included in the next routine scan, depending on the sensitivity of the system and the criticality of the vulnerability. The SA/NA should communicate mitigation actions to the SO and ISSO. The ISSO saves this response for reference. Mitigation actions that cannot be implemented during the scanning cycle period should be POA&M items. If the SO, SA/NA, and ISSO cannot agree on acceptance or mitigation, the decision of which action to perform will be made by the AO or designee. The ISSO and SA/NA are responsible for the mitigation of vulnerabilities to include organizing the action between other involved parties, if applicable. 7. Enforcing Remediation Timeframes The SO, SA, and ISSO will ensure that remediation time frames for routine scanning and correction of identified vulnerabilities are followed. Failure to comply with remediation time frames for identifying and correcting deficiencies is a violation of DoC/NOAA/NWS policy and may result in loss of authorization to operate the system. CITR 16 states, Vulnerabilities shall be remediated within 30 days of discovery for FIPS 199 High Impact systems, 60 days for Moderate Impact systems, and 90 days for Low Impact systems. 8. Patches A large aspect of the scanning process is to verify that NWS systems have the appropriate, current patches installed. If possible, system administrators should apply patches in a nonproduction environment before they are applied to production servers to ensure that the patches do not affect the existing production applications. Document patch updates through the system s configuration management process. Routine scanning and patching is a vital component of a mature IT security program. 9. Reporting Scan reports will be provided in the standard format as required by NOAA SOC TSC. Monthly: CyberScope Quarterly: Vulnerability Monthly reports are submitted to the SOC for the Cyberscope scans and quarterly for vulnerability scans. 10. Maintaining Accepted Vulnerability Records The SO and the ISSOs maintain documentation approved by the AO of accepted vulnerabilities for each scanned system. 6

11. References: - Office of Management and Budget Memorandum 04-25, FY 2004 Reporting Instructions for Federal Information Security Management Act - Office of Management and Budget Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operation Systems - Office of Management and Budget Memorandum 07-18, Ensuring New Acquisitions Include Common Security Configurations - Office of Management and Budget Memorandum 08-22, Guidance on the Federal Desktop Core Configuration (FDCC) - Office of Management and Budget Memorandum 10-15 FY 2010, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management - NIST SCAP Publications http://scap.nist.gov/publications/index.html - U.S. Department of Commerce IT Security Program Policy and Minimum Implementation Standards - U.S. Department of Commerce CyberScope Reporting Services http://home.commerce.gov/cio/itsitnew/cm/doc_cyberscope_reporting_services.ht ml - NOAA 212-1300, Information Technology Security Manual - CITR 016 Vulnerability Scanning and Patch Management, January 25, 2012 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information