FSIS DIRECTIVE 1306.3



Similar documents
UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Minimum Security Requirements for Federal Information and Information Systems

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

ClOP CHAPTER Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

Standards for Security Categorization of Federal Information and Information Systems

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NOTICE: This publication is available at:

CMS Policy for Configuration Management

HHS Information System Security Controls Catalog V 1.0

BPA Policy Cyber Security Program

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Information Security for Managers

Office of Inspector General

NASA Information Technology Requirement

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

POSTAL REGULATORY COMMISSION

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

NASA Information Technology Requirement

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

Final Audit Report -- CAUTION --

CTR System Report FISMA

Information Security Program Management Standard

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

EPA Classification No.: CIO P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

In Brief. Smithsonian Institution Office of the Inspector General. Smithsonian Institution Information Security Program

2012 FISMA Executive Summary Report

Review of the SEC s Systems Certification and Accreditation Process

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Final Audit Report. Report No. 4A-CI-OO

Subject: Information Technology Configuration Management Manual

APHIS INTERNET USE AND SECURITY POLICY

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Get Confidence in Mission Security with IV&V Information Assurance

FedRAMP Standard Contract Language

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Guide for the Security Certification and Accreditation of Federal Information Systems

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

DEPARTMENTAL REGULATION

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Privacy Impact Assessment

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

Office of Inspector General

DEPARTMENT OF VETERANS AFFAIRS VA HANDBOOK INCORPORATING SECURITY AND PRIVACY INTO THE SYSTEM DEVELOPMENT LIFE CYCLE

CIOP CHAPTER Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section Purpose

Audit of the Department of State Information Security Program

Dr. Ron Ross National Institute of Standards and Technology

Compliance Risk Management IT Governance Assurance

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Corporate Property Automated Information System CPAIS. Privacy Impact Assessment

Privacy Impact Assessment (PIA)

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Policy on Information Assurance Risk Management for National Security Systems

NOTICE: This publication is available at:

Section 37.1 Purpose Section 37.2 Background Section 37.3 Scope and Applicability Section 37.4 Policy... 5

NASA OFFICE OF INSPECTOR GENERAL

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Department of Homeland Security Management Directives System MD Number: Issue Date: 03/01/2003 DHS USAGE

Department of Defense INSTRUCTION. SUBJECT: Information Assurance (IA) in the Defense Acquisition System

DIVISION OF INFORMATION SECURITY (DIS)

CIT End User Device Policy

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

September 2005 Report No FDIC s Information Technology Configuration Management Controls Over Operating System Software

Network Infrastructure - General Support System (NI-GSS) Privacy Impact Assessment (PIA)

U.S. Department of Education. Office of the Chief Information Officer

FISMA Implementation Project

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Supporting FISMA and NIST SP with Secure Managed File Transfer

POLICY ON WIRELESS SYSTEMS

Security Control Standard

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

Security Controls Assessment for Federal Information Systems

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

IT SYSTEM LIFE-CYCLE AND PROJECT MANAGEMENT

Transcription:

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.3 REVISION 1 12/13/12 CONFIGURATION MANAGEMENT (CM) OF SECURITY CONTROLS FOR INFORMATION SYSTEMS I. PURPOSE This directive establishes Agency CM requirements and responsibilities for information systems. II. CANCELLATION This directive cancels FSIS Directive 1306.3, Configuration Management (CM) of Security Controls for Information Systems dated 11/15/10. III. REASON FOR REISSUANCE This directive is completely revised to update references and specific security controls required by the National Institute of Standards and Technology (NIST). IV. REFERENCES DM 3520-000, Chapter 4, Configuration Management DM 3520-001, Chapter 4, Part 1, CM Policy & Responsibilities Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems FSIS Directive 1300.7, Managing Information Technology (IT) Resources FSIS Directive 1310.3, Technical Change Control Board (TCCB) FSIS Directive 4735.3, Employee Responsibilities and Conduct NIST Internal Report (IR) 7298, Revision 1, Glossary of Key Information Security Terms NIST Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations Public Law 93-579, Privacy Act of 1974 Public Law 104-106, Clinger Cohen Act of 1996 Public Law 107-347, Title III, E-Government Act of 2002 V. ABBREVIATIONS The following appear in their shortened form in this directive: CCB CIO CM EA Change Control Board Chief Information Officer Configuration Management Enterprise Architecture DISTRIBUTION: Electronic; All Field Employees OPI: OCIO Enterprise Management Division

FISMA ISSPM IT NIST SP OCIO OMB SSP Federal Information Security Management Act Information Systems Security Program Manager Information Technology National Institute of Standards and Technology Special Publication Office of the Chief Information Officer Office of Management and Budget System Security Plan VI. POLICY It is FSIS policy to ensure information security controls are in place to protect FSIS information systems and data in compliance with Public Law 107-347, Title III, E-Government Act of 2002; Public Law 93-579, Privacy Act of 1974, as amended; and USDA regulations. VII. DEFINITIONS A. Baseline. An approved system configuration established at a discrete point in time that represents a set of reviewed and approved products or controls. The baseline serves as the basis for further development and can be changed only through formal change control procedures. B. CM. A process of reviewing and controlling the components of an IT system to ensure that they are well-defined and cannot be changed without proper justification and full knowledge of the consequences. CM ensures that the hardware, software, communications services, and documentation for a system can be accurately determined at any time. C. EA. A comprehensive framework used to manage and align an organization s IT assets, people, operations, and projects with its goals and objectives. D. Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, storage, or disposition of information. A system must have logical boundaries around a set of processes, communications, and storage, and the boundaries must: 1. Be under the same direct management control. 2. Have the same function or mission objective. 3. Have essentially the same operational and security needs. 4. Reside in the same general operating environment. E. IT. Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: 1. Requires the use of such equipment. Page 2

FSIS DIRECTIVE 1306.3 REVISION 1 2. Requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. (NOTE: The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.) F. System Owner. An official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. G. System User. An individual authorized to utilize FSIS IT resources. VIII. BACKGROUND A. FISMA was passed by Congress and signed into law by the President as Public Law 107-347, Title III, E-Government Act of 2002. The goals of FISMA include development of a comprehensive framework to protect the Government s information, operation, and assets. FISMA assigns specific responsibilities to Federal agencies, NIST and OMB in order to strengthen IT system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information security risks to an acceptable level. B. NIST SP 800-53, Revision 3 outlines the controls addressed by CM. The selection and employment of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization. Security controls are the management, operational, and technical safeguards, or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. C. OCIO CM provides the processes, tools, and reports used by the Agency to record and update changes to software systems, processes, and hardware. These changes include information versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. IX. CM REQUIREMENTS To adhere to the NIST SP 800-53, Revision 3 standards, FSIS has established and is responsible for the following requirements: A. Baseline Configuration. 1. Establish, document, and maintain a current baseline configuration of the information system. 2. Ensure the baseline configuration of the information system is consistent with the USDA and FSIS EA. 3. Update the baseline configuration of the information system as an integral part of information system component installations. 4. Review and update the baseline configuration of the information system: a. At least annually. Page 3 12/13/12

b. When required, significant changes, corrective actions, or vulnerabilities that are identified with current baseline must go through the Agency configuration control board process defined in the Change Control Board directive. and upgrades. c. As an integral part of information system component installations 5. Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. This is only applicable to HIGH systems. (NOTE: The categorization of HIGH, MODERATE, or LOW is defined in FIPS PUB 199.) 6. Retain older versions of baseline configuration as deemed necessary to support baseline rollback. 7. Develop and maintain a defined list of active programs authorized to be executed on the information system as defined in the SSP. 8. Employ a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system. 9. Maintain a baseline configuration for development and test environments that is managed separately from the operational baseline configuration. This is only applicable to HIGH systems. B. Configuration Change Control. 1. Determine, authorize, document, and control changes to information systems that are configuration controlled. system. system. 2. Retain and review records of configuration-controlled changes to the 3. Audit activities associated with configuration changes to the information 4. Coordinate and provide oversight for configuration change control activities through the Agency or system configuration control board as defined in the CCB Charter or as needed by change requests. 5. On HIGH systems only: a. Document proposed changes. b. Notify appropriate approval authorities. c. Highlight approvals not received. d. Inhibit change until necessary approvals are received. e. Document completed changes. Page 4

FSIS DIRECTIVE 1306.3 REVISION 1 6. Test, validate, and document changes to the information system before implementing the changes on the operational system. C. Security Impact Analysis. 1. Analyze changes to the information system for potential security impacts prior to implementation as part of the change approval process. 2. Analyze new software for security flaws in a separate test environment before installation in an operational environment. This is only applicable to HIGH systems. D. Access Restrictions for Change. 1. Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 2. Employ automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. This is only applicable to HIGH systems. 3. Conduct audits of information system changes at least annually as defined in the SSP and when indications so warrant, to determine whether unauthorized changes have occurred. This is only applicable to HIGH systems. 4. Prevent the installation of software programs as defined in the SSP that are not signed with a certificate that is recognized and approved by the organization. This is only applicable to HIGH systems. E. Configuration Settings. 1. Establish mandatory configuration settings for IT products employed within the information system using baselines from the NIST National Checklist Program (NCP) as modified by the Department. (NOTE: Where baselines are not available, contact the vendor for recommendations.) 2. Implement configuration settings. 3. Identify, document, and approve exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements. 4. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. 5. Employ automated mechanisms to: a. Centrally manage, apply, and verify configuration settings. This is only applicable to HIGH systems. b. Respond to unauthorized changes to baselines. This is only applicable to HIGH systems. Page 5 12/13/12

6. Incorporate detection of unauthorized, security-relevant configuration changes into the organization s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes. F. Least Functionality. 1. Configure information systems to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, or services as defined in the SSP. 2. Review information systems at least monthly to identify and eliminate unnecessary functions, ports, protocols, or services. 3. Employ automated mechanisms to prevent program execution in accordance with the SSP. This is only applicable to High systems. G. Information System Component Inventory. 1. Develop, document, and maintain a current inventory of information system components and ownership information that: a. Accurately reflect the current information system. b. Is consistent with the authorization boundary. reporting. c. Is at the level of granularity deemed necessary for tracking and d. Includes information deemed necessary to achieve effective property accountability (examples: item, barcode, manufacturer, type, name, serial number, version number, logical location, configuration, or more at component discretion). officials. e. Is available for review and audit by designated organization 2. Update the information system component inventory as an integral part of component installations, removals, and information system updates. 3. Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of information system components. This is only applicable to HIGH systems. 4. Employ automated mechanisms at least monthly to detect the addition of unauthorized components and devices into the information system and disable network access by such components and devices or notify designated organizational officials. This is only applicable to HIGH systems. 5. Include in property accountability the following information for information system components. This is only applicable to HIGH systems. a. A means for identification by a minimum of position and role. Page 6

FSIS DIRECTIVE 1306.3 REVISION 1 components. b. Individuals responsible for administering the information system 6. Verify that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system. H. Configuration Management Plan. Develop, document, and implement a configuration management plan for the information system that: 1. Addresses roles, responsibilities, and CM processes and procedures. 2. Defines the configuration items for the information system and when in the system development life cycle, places these configuration items under CM. 3. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items. X. RESPONSIBILITIES A. OCIO. The CIO supports and promotes the CM policy throughout the Agency. B. ISSPM: 1. Ensures collaboration among organizational entities. 2. Ensures compliance of the CM controls. C. Security Operations Center and Service Desk Application Support Branch: 1. Ensures all maintenance adheres to the CM policy. 2. Ensures the integrity of information systems and provides effective controls on the tools, techniques, mechanisms, and personnel used. D. Divisions and Branches: 1. Assist with supporting and implementing the systems configuration. 2. Ensure CM processes are implemented and maintained. E. System Owners. 1. Approve change requests prior to submitting them to the Technical Change Control Board. 2. Identify and eliminate unnecessary ports and services. controls. 3. Develop detailed operating procedures to satisfy appropriate CM security Page 7 12/13/12

F. System Users. All employees, contractors, other Federal agencies, state and local governments, and authorized private organizations or individuals who use FSIS IT resources must: policy. 1. Be knowledgeable of the CM policy and the obligations that go with this 2. Ensure their duties are performed in accordance with this policy. XI. PENALTIES AND DISCIPLINARY ACTIONS FOR NON- COMPLIANCE FSIS Directive 1300.7 sets forth FSIS policies, procedures, and standards on employee responsibilities and conduct relative to the use of computers and telecommunications equipment. In addition, FSIS Directive 4735.3 outlines the disciplinary action that FSIS may take when policies are violated. XII. ADDITIONAL INFORMATION A. USDA departmental directives are located at http://www.ocio.usda.gov/. FSIS directives and notices are located on InsideFSIS at http://inside.fsis.usda.gov/. B. For additional information about CM, contact the FSIS Information Security Program at FSIS_Information_Security@fsis.usda.gov. Page 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information