UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)




FSIS DIRECTIVE 1306.2
9/28/11

DISTRIBUTION: Electronic; All Field Employees
OPI: OCIO Enterprise Management Division

I. PURPOSE

This directive establishes mandatory requirements and assigns roles and responsibilities to facilitate the implementation of the Agency's C&A policy.

II. (RESERVED)

III. (RESERVED)

IV. REFERENCES

DM 3555-000, Certification and Accreditation of Information Systems
DM 3555-001, Chapter 11, Part 1, Certification and Accreditation Methodology
Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems
FSIS Directive 1300.7, Managing Information Technology (IT) Resources
FSIS Directive 4735.3, Employee Responsibilities and Conduct
National Institute of Standards and Technology (NIST), Internal Report (IR) 7298, Glossary of Key Information Security Terms
NIST Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems
NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-55, Revision 1, Performance Measurement Guide for Information Security
NIST SP 800-64, Revision 2, Security Considerations in the System Development Life Cycle
Public Law 93-579, Privacy Act of 1974
Public Law 107-347, Title III, E-Government Act of 2002

V. ABBREVIATIONS

The following appear in their shortened form in this directive:

ATO    Authority to Operate
C&A    Certification and Accreditation
CIO    Chief Information Officer
CO     Certifying Official
DAA    Designated Approving Authority
FISMA  Federal Information Security Management Act
ISSO   Information Systems Security Officer
ISSP   Information Systems Security Program
ISSPM  Information Systems Security Program Manager
IT     Information Technology
NIST   National Institute of Standards and Technology
SP     Special Publication
OCIO   Office of the Chief Information Officer
POA&M  Plan of Action and Milestones
TCCB   Technical Change Control Board

VI. POLICY

It is FSIS policy to ensure information security controls are in place to protect FSIS information systems and data in compliance with Public Law 107-347, Title III, E-Government Act of 2002; Public Law 93-579, Privacy Act of 1974, as amended; and USDA regulations.

VII. DEFINITIONS

A. Accreditation. The official management decision given by a senior Agency official to authorize operation of an information system and to explicitly accept the risk to Agency operations (examples: mission, functions, image, or reputation), Agency assets, or individuals, based on the implementation of an agreed upon set of security controls.

B. Certification. A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system.

C. CO. A senior manager who assumes the role of an independent technical liaison for all stakeholders involved in the C&A process and is an objective third party, independent of the system developers. The CO provides a comprehensive evaluation of the system, including technical and non-technical controls, to determine if the system is configured with the proper security controls in place.

D. Continuous Monitoring. The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes:

1. Development of a strategy to regularly evaluate selected controls and metrics.
2. Recording and evaluating relevant events and the effectiveness of the enterprise in dealing with those events.
3. Recording changes to controls or changes that affect risks.
4. Publishing the current security status to enable information-sharing decisions involving the enterprise.

E. DAA. A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

F. Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, storage, or disposition of information. An information system must have logical boundaries around a set of processes, communications, and storage, and the boundaries must:

1. Be under the same direct management control.
2. Have the same function or mission objective.
3. Have essentially the same operational and security needs.
4. Reside in the same general operating environment.

G. ISSO. The person responsible for the day-to-day security of a specific IT system, including physical security, personnel security, incident handling, and security awareness training and education. The ISSO, in conjunction with the TCCB, also identifies pending system or environmental changes that may necessitate recertification and re-accreditation of the system. For developmental systems, the ISSO serves as the principal technical advisor to the program manager for all security-related issues.

H. ISSPM. An individual responsible for the information assurance of a program, organization, system or enclave.

I. IT. Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which requires the use of such equipment or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

J. Penetration Testing. A test methodology in which assessors, using all available documentation (examples: system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.

K. POA&M. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

L. Red Team Exercise. An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.

M. Security Control Assessment. The testing and evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

N. Significant Change. A change that alters the mission, operating environment, or basic vulnerabilities of the information system.

O. System Owner. Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and final disposition of an information system.

P. System User. An individual authorized to utilize FSIS IT resources.

VIII. BACKGROUND

A. FISMA was passed by Congress and signed into law by the President as Public Law 107-347, Title III, E-Government Act of 2002. The goals of FISMA include development of a comprehensive framework to protect the Government's information, operations, and assets. FISMA assigns specific responsibilities to Federal agencies, NIST, and the Office of Management and Budget in order to strengthen IT system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information security risks to an acceptable level. All information systems within FSIS require C&A prior to the system becoming operational. The C&A process is a vital component of the overall security program.

B. OCIO certifies and accredits information systems in accordance with NIST SP 800-37, NIST SP 800-53 Revision 3, Departmental regulations, and Agency procedures. NIST SP 800-37 provides the guidelines for the security C&A of the information systems. NIST SP 800-53 Revision 3 outlines the controls to be addressed for C&A.

IX. REQUIREMENTS

In order to adhere to NIST SP 800-37 and NIST SP 800-53, Revision 3 standards, FSIS has established and is responsible for the following C&A requirements:

A. Security Assessments and Certification.

1. Develop a security assessment plan that includes the scope of the assessment as follows:
   a. The security controls and control enhancements under assessment.
   b. The assessment procedures to be used to determine security control effectiveness.
   c. The assessment environment, team, and roles and responsibilities.
2. Assess all information system security controls during the initial security accreditation.
3. Integrate security certification as a key factor in security accreditation decisions and into the information system development life cycle.
4. Conduct the information system security controls assessment annually or when there is a major change to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system.

5. Use the current year's security certification assessment results to meet the annual FISMA assessment requirement.
6. Employ an independent certification agent or certification team to conduct the initial and 3-year assessments of the information system security controls. (NOTE: Independent agents are not required for annual assessments.)
7. Produce a security assessment report that documents the results of the assessment and provide the results, in writing, to the authorizing official or the authorizing official's designated representative.
8. Provide, as part of the security control assessment, in-depth monitoring, malicious user testing, penetration testing, and red team exercises.

B. Information System Connections.

1. Authorize all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements. Monitor and control system connections continuously by verifying enforcement of security requirements.
2. Assess risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the Agency and external to the Agency. Risk considerations include information systems sharing the same networks.
3. Document, for each connection, the interface characteristics, security requirements, and the nature of the information communicated.

C. POA&M.

1. Develop and update the POA&M to guide the correction of deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the information system.
2. Use the Agency's information system for documenting remedial actions (examples: planning and implementation) to track the POA&M.
3. Update the existing plan of action and milestones based on findings from the security controls assessments, security impact analyses, and continuous monitoring activities.

D. Security Accreditation.

1. Authorize (accredit) the information system for processing before operation.

2. Update the authorization at least every 3 years or when there is a significant change to the information system.
3. Ensure security accreditation is approved and signed by the DAA.

E. Continuous Monitoring.

1. Monitor the information system security controls. Continuous monitoring activities include:
   a. Configuration management and control of information system components.
   b. Security impact analysis of changes to the information system.
   c. Ongoing assessment of security controls.
   d. Regularly reporting on the information system's status with regard to C&A and continuous monitoring efforts.
2. Establish the selection criteria and subsequently select a subset of the security controls employed within the information system for annual assessment.
3. Establish the schedule for control monitoring to ensure adequate coverage of security controls and resources is achieved.
4. Employ an independent assessor to monitor the security controls in the information system on an ongoing basis.

X. RESPONSIBILITIES

The roles and responsibilities to satisfy the C&A security controls follow:

A. OCIO.

1. Promotes and supports C&A policy throughout the Agency.
2. Works closely with authorizing officials and their designated representatives to ensure an Agencywide security program is effectively implemented.
3. Ensures required C&As are accomplished in a timely and cost-effective manner.
4. Centralizes reporting of all security-related activities.

B. DAA.

1. Ensures the operation of an information system is at an acceptable level of risk to Agency operations, assets, or individuals.
2. Assumes accountability for the risks associated with operating an information system.
3. Appoints the information system owner.

C. CO.

1. Conducts security certification or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
2. Recommends corrective actions to reduce or eliminate vulnerabilities in the information system.
3. Provides an independent assessment of the information system security plan prior to initiating the security assessment activities.
4. Ensures that the plan provides a set of security controls for the information system that adequately meets all applicable security requirements.

D. System Owners.

1. Determine the procurement, development, integration, modification, or operation and maintenance of an information system.
2. Develop and maintain the information system security plan.
3. Ensure the information system is deployed and operated according to the agreed upon security requirements.
4. Ensure system users and support personnel receive the requisite security training (example: instruction in rules of behavior).
5. Establish access rights and types of access privileges.
6. Ensure detailed operating procedures are developed at the system or general support system level that satisfy the C&A security controls.

E. ISSPM.

1. Assist in the certification and accreditation of all agency IT systems.
2. Participate in Certification Teams providing guidance, testing security controls and assisting in the preparation of the final C&A package, as required.
3. Monitor and electronically track, using Plans of Action and Milestones (POA&M), the C&A progress on IT systems and report progress to the agency CIO, including all systems under ATO, to ensure that deficiencies are corrected in a timely manner.
4. Identify system changes that require re-accreditation in conjunction with the Agency TCCB.
5. Participate in the preparation of ATO packages, as required.

F. ISSO.

1. Serves as the principal technical advisor and is responsible to the CO, information system owner, or ISSPM for ensuring that the appropriate operational security posture is maintained for an information system or program.
2. Maintains the day-to-day security operations of the information systems, including:
   a. Physical security.
   b. Personnel security.
   c. Incident handling.
   d. Security awareness training and education.
3. Provides assistance on an as-needed basis to:
   a. Assist in the development of the information system security policy and ensure compliance with that policy on a routine basis.
   b. Work closely with information system owners.
   c. Develop and update information system security plans.
   d. Manage and control changes to information systems.
   e. Assess the security impact of changes.

XI. PENALTIES AND DISCIPLINARY ACTIONS FOR NON-COMPLIANCE

FSIS Directive 1300.7 sets forth the FSIS policies, procedures, and standards on employee responsibilities and conduct relative to the use of computers and telecommunications equipment. In addition, FSIS Directive 4735.3 outlines the disciplinary action that FSIS may take when policies are violated.

XII. ADDITIONAL INFORMATION

A. USDA departmental directives are located at http://www.ocio.usda.gov/. FSIS directives and notices are located on InsideFSIS at http://inside.fsis.usda.gov/.

B. For additional information about C&A, contact the FSIS Information System Security Program at FSIS_Information_Security@fsis.usda.gov.