IT Security Procedural Guide: Information Security Program Plan (ISPP), CIO-IT Security-18-90, Revision 3 (2020/06/16)

Revision 3
U.S. General Services Administration
EXECUTIVE SUMMARY
The General Services Administration (GSA) agency-wide Assessment and Authorization (A&A) process is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the A&A process as described in NIST Special Publication (SP) 800-37, Revision 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.”
This Information Security Program Plan (ISPP) was developed to provide stakeholders with detailed information on which controls GSA considers inheritable common controls and who is responsible for implementing each control. NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” describes common controls and the responsibility for them as:
Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components—entities internal or external to the organizations where the systems or components reside.
The organization assigns responsibility for common controls to appropriate organizational officials (i.e., common control providers) and coordinates the development, implementation, assessment, authorization, and monitoring of the controls. The identification of common controls is most effectively accomplished as an organization-wide exercise with the active involvement of chief information officers, senior information security officers, the risk executive (function), authorizing officials, information owners/stewards, information system owners, and information system security officers.
The excerpt below from NIST SP 800-53 defines hybrid controls and provides examples:
Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific. For example, an organization may choose to implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific. Hybrid controls may also serve as predefined templates for further control refinement. Organizations may choose, for example, to implement the Contingency Planning security control (CP-2) as a predefined template for a generalized contingency plan for all organizational information systems with information system owners tailoring the plan, where appropriate, for system-specific uses.
This plan identifies control implementation status for all GSA-wide common controls and identifies hybrid controls where a GSA organization, platform, or general support system provides part of the control implementation. All Privacy controls are included in this plan whether they are common, hybrid, or system specific. Where appropriate, the plan references GSA policies and guides that provide further detail on control implementation.
DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749
Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change

Initial Version – April 23, 2015
N/A | Desai/Davis | New Plan Document | GSA enterprise-wide common and hybrid controls status and implementation guidance. | N/A

1 | Klemens/Dean | Revised guide to align with current format and style, edited, and updated guide based on current control processes. | Update GSA enterprise-wide common and hybrid controls status and implementation guidance. | Throughout

1 | Feliksa/Klemens | Revised guide to address Executive Order (EO) 13800 and the NIST Cybersecurity Framework. Updated control parameters and implementation details based on changes to GSA processes, procedures, and guides. | Comply with EO 13800. Update GSA enterprise-wide common and hybrid controls parameters and implementation details based on changes to GSA processes, procedures, and guides. | Throughout

1 | Dean/Klemens/Normand | Changes to controls designated as common | Changes to GSA guidance on control parameters, implementation details, and Common Control designations | Throughout
IT Security Procedural Guide: Information Security Program Plan (ISPP), CIO-IT Security-18-90, Revision 3, is hereby approved for distribution.
Bo Berlas
GSA Chief Information Security Officer
Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division (ISP), at [email protected].
Table of Contents

1 Introduction  1
2 References  3
3 Security Controls  5
3.1 Access Control (AC)  6
3.1.1 Access Control Policy and Procedures (AC-1)  6
3.1.2 Account Management | Dynamic Privilege Management (AC-2 (6))  7
3.1.3 Use of External Information Systems (AC-20)  8
3.1.4 Use of External Information Systems | Limits On Authorized Use (AC-20 (1))  9
3.1.5 Use of External Information Systems | Portable Storage Devices (AC-20 (2))  10
3.2 Awareness and Training (AT)  11
3.2.1 Security Awareness and Training Policy and Procedures (AT-1)  11
3.2.2 Security Awareness Training (AT-2)  12
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2))  13
3.2.4 Role-Based Security Training (AT-3)  13
3.2.5 Security Training Records (AT-4)  14
3.3 Audit and Accountability (AU)  15
3.3.1 Audit and Accountability Policy and Procedures (AU-1)  15
3.3.2 Audit Storage Capacity (AU-4)  16
3.3.3 Audit Review, Analysis, and Reporting (AU-6)  17
3.3.4 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1))  18
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3))  19
3.3.6 Audit Review, Analysis, and Reporting | Central Review and Analysis (AU-6 (4))  19
3.3.7 Audit Reduction and Report Generation (AU-7)  20
3.3.8 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1))  21
3.3.9 Audit Record Retention (AU-11)  22
3.4 Security Assessment and Authorization (CA)  22
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1)  22
3.4.2 Plan of Action and Milestones (CA-5)  23
3.4.3 Security Authorization (CA-6)  24
3.4.4 Continuous Monitoring (CA-7)  25
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1))  27
3.5 Configuration Management (CM)  27
3.5.1 Configuration Management Policy and Procedures (CM-1)  27
3.5.2 Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas (CM-2 (7))  29
3.5.3 Least Functionality | Authorized Software / Whitelisting (CM-7 (5))  29
3.5.4 Information System Component Inventory | Automated Maintenance (CM-8 (2))  30
3.5.5 Information System Component Inventory | Automated Unauthorized Component Detection (CM-8 (3))  31
3.5.6 Information System Component Inventory | No Duplicate Accounting of Components (CM-8 (5))  32
3.5.7 Information System Component Inventory | Centralized Repository (CM-8 (7))  33
3.5.8 User-Installed Software (CM-11)  33
3.6 Contingency Planning (CP)  34
3.6.1 Contingency Planning Policy and Procedures (CP-1)  34
3.7 Identification and Authentication (IA)  35
3.7.1 Identification and Authentication Policy and Procedures (IA-1)  35
3.8 Incident Response (IR)  36
3.8.1 Incident Response Policy and Procedures (IR-1)  36
3.8.2 Incident Response Training (IR-2)  37
3.8.3 Incident Response Testing (IR-3)  39
3.8.4 Incident Response Testing | Coordination with Related Plans (IR-3 (2))  40
3.8.5 Incident Handling (IR-4)  41
3.8.6 Incident Handling | Automated Incident Handling Processes (IR-4 (1))  42
3.8.7 Incident Monitoring (IR-5)  43
3.8.8 Incident Reporting (IR-6)  44
3.8.9 Incident Reporting | Automated Reporting (IR-6 (1))  48
3.8.10 Incident Response Assistance (IR-7)  49
3.8.11 Incident Response Assistance | Automation Support for Availability of Information / Support (IR-7 (1))  50
3.8.12 Incident Response Plan (IR-8)  51
3.9 Maintenance (MA)  52
3.9.1 System Maintenance Policy and Procedures (MA-1)  52
3.10 Media Protection (MP)  53
3.10.1 Media Protection Policy and Procedures (MP-1)  53
3.10.2 Media Use (MP-7)  54
3.11 Physical and Environmental Protection (PE)  55
3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1)  55
3.12 Planning (PL)  56
3.12.1 Security Planning Policy and Procedures (PL-1)  56
3.13 Rules of Behavior (PL-4)  57
3.13.1 Rules of Behavior | Social Media and Networking Restrictions (PL-4 (1))  58
3.13.2 Information Security Architecture (PL-8)  59
3.14 Program Management (PM)  60
3.14.1 Information Security Program Plan (PM-1)  60
3.14.2 Senior Information Security Officer (PM-2)  62
3.14.3 Information Security Resources (PM-3)  62
3.14.4 Plan of Action and Milestones Process (PM-4)  63
3.14.5 Information System Inventory (PM-5)  64
3.14.6 Information Security Measures of Performance (PM-6)  65
3.14.7 Enterprise Architecture (PM-7)  66
3.14.8 Critical Infrastructure Plan (PM-8)  67
3.14.9 Risk Management Strategy (PM-9)  68
3.14.10 Security Authorization Process (PM-10)  69
3.14.11 Mission/Business Process Definition (PM-11)  70
3.14.12 Insider Threat Program (PM-12)  70
3.14.13 Information Security Workforce (PM-13)  71
3.14.14 Testing, Training, and Monitoring (PM-14)  72
3.14.15 Contacts with Security Groups and Associations (PM-15)  73
3.14.16 Threat Awareness Program (PM-16)  74
3.15 Personnel Security (PS)  75
3.15.1 Personnel Security Policy and Procedures (PS-1)  75
3.15.2 Position Risk Designation (PS-2)  76
3.15.3 Personnel Screening (PS-3)  77
3.15.4 Personnel Termination (PS-4)  78
3.15.5 Personnel Transfer (PS-5)  79
3.15.6 Access Agreements (PS-6)  80
3.15.7 Third-Party Personnel Security (PS-7)  81
3.15.8 Personnel Sanctions (PS-8)  82
3.16 Risk Assessment (RA)  83
3.16.1 Risk Assessment Policy and Procedures (RA-1)  83
3.16.2 Risk Assessment (RA-3)  84
3.16.3 Vulnerability Scanning (RA-5)  85
3.16.4 Vulnerability Scanning | Update Tool Capability (RA-5 (1))  87
3.16.5 Vulnerability Scanning | Update By Frequency / Prior to New Scan / When Identified (RA-5 (2))  88
3.16.6 Vulnerability Scanning | Privileged Access (RA-5 (5))  89
3.17 System and Services Acquisition (SA)  89
3.17.1 System and Services Acquisition Policy and Procedures (SA-1)  89
3.17.2 Acquisition Process (SA-4)  90
3.17.2.1 Security Engineering Principles (SA-8)  91
3.17.3 External Information System Services (SA-9)  92
3.18 System and Communications Protection (SC)  93
3.18.1 System & Communications Protection Policy and Procedures (SC-1)  93
3.18.2 Denial of Service Protection (SC-5)  94
3.18.3 Boundary Protection (SC-7)  95
3.18.4 Boundary Protection | Access Points (SC-7 (3))  96
3.18.5 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5))  97
3.18.6 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5))  97
3.18.7 Boundary Protection | Prevent Split Tunneling for Remote Devices (SC-7 (7))  98
3.18.8 Boundary Protection | Prevent Unauthorized Exfiltration (SC-7 (10))  99
3.18.9 Mobile Code (SC-18)  99
3.19 System and Information Integrity (SI)  100
3.19.1 System & Information Integrity Policy & Procedures (SI-1)  100
3.19.2 Flaw Remediation (SI-2)  101
3.19.3 Flaw Remediation | Automated Flaw Remediation Status (SI-2 (2))  103
3.19.4 Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions (SI-2 (3))  103
3.19.5 Malicious Code Protection (SI-3)  104
3.19.6 Malicious Code Protection | Central Management (SI-3 (1))  105
3.19.7 Malicious Code Protection | Automatic Updates (SI-3 (2))  106
3.19.8 Malicious Code Protection | Nonsignature-Based Detection (SI-3 (7))  107
3.19.9 Information System Monitoring (SI-4)  107
3.19.10 Information System Monitoring | Automated Tools for Real-Time Analysis (SI-4 (2))  109
3.19.11 Information System Monitoring | Inbound and Outbound Communications Traffic (SI-4 (4))  110
3.19.12 Information System Monitoring | System-Generated Alerts (SI-4 (5))  110
3.19.13 Information System Monitoring | Analyze Traffic / Covert Exfiltration (SI-4 (18))  111
3.19.14 Information System Monitoring | Host-Based Devices (SI-4 (23))  112
3.19.15 Security Alerts, Advisories, and Directives (SI-5)  113
3.19.16 Software, Firmware, and Information Integrity (SI-7)  114
3.19.17 Software, Firmware, and Information Integrity | Integrity (SI-7 (1))  114
3.19.18 Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7 (7))  115
3.19.19 Memory Protection (SI-16)  116
4 Privacy Controls  116
4.1 Authority and Purpose (AP)  116
4.1.1 Authority to Collect (AP-1)  116
4.1.2 Purpose Specification (AP-2)  117
4.2 Accountability, Audit, and Risk Management (AR)  118
4.2.1 Governance and Privacy Program (AR-1)  118
4.2.2 Privacy Impact and Risk Assessment (AR-2)  119
4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3)  120
4.2.4 Privacy Monitoring and Auditing (AR-4)  121
4.2.5 Privacy Awareness and Training (AR-5)  122
4.2.6 Privacy Reporting (AR-6)  123
4.2.7 Privacy Enhanced System Design and Development (AR-7)  124
4.2.8 Accounting of Disclosures (AR-8)  124
4.3 Data Quality and Integrity (DI)  125
4.3.1 Data Quality (DI-1)  125
4.3.2 Data Quality | Validate PII (DI-1 (1))  126
4.3.3 Data Quality | Re-Validate PII (DI-1 (2))  127
4.3.4 Data Integrity and Data Integrity Board (DI-2)  128
4.3.5 Data Integrity and Data Integrity Board | Publish Agreements on Website (DI-2 (1))  129
4.4 Data Minimization and Retention (DM)  130
4.4.1 Minimization of Personally Identifiable Information (DM-1)  130
4.4.2 Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII (DM-1 (1))  131
4.4.3 Data Retention and Disposal (DM-2)  131
4.4.4 Data Retention and Disposal | System Configuration (DM-2 (1))  132
4.4.5 Minimization of PII Used in Testing, Training, and Research (DM-3)  133
4.4.6 Minimization of PII Used in Testing, Training, and Research | Risk Minimization Techniques (DM-3 (1))  134
4.5 Individual Participation and Redress (IP)  135
4.5.1 Consent (IP-1)  135
4.5.2 Consent | Mechanisms Supporting Itemized or Tiered Consent (IP-1 (1))  136
4.5.3 Individual Access (IP-2)  136
4.5.4 Redress (IP-3)  137
4.5.5 Complaint Management (IP-4)  138
4.5.6 Complaint Management | Response Times (IP-4 (1))  139
4.6 Security (SE)  140
4.6.1 Inventory of Personally Identifiable Information (SE-1)  140
4.6.2 Privacy Incident Response (SE-2)  141
4.7 Transparency (TR)  141
4.7.1 Privacy Notice (TR-1)  141
4.7.2 Privacy Notice | Real-Time or Layered Notice (TR-1 (1))  143
4.7.3 System of Records Notices and Privacy Act Statements (TR-2)  143
4.7.4 System of Records Notices and Privacy Act Statements | Public Website Publication (TR-2 (1))  144
4.7.5 Dissemination of Privacy Program Information (TR-3)  145
4.8 Use Limitation (UL)  146
4.8.1 Internal Use (UL-1)  146
4.8.2 Information Sharing with Third Parties (UL-2)  146
Appendix A: Acronyms  148

Table 1-1: CSF Functions and Categories/Unique Identifiers  1
Table 3-1: Definitions of Key Terms  5
DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749
U.S. General Services Administration 1
1 Introduction
Information security is vital to the General Services Administration’s (GSA) infrastructure and systems, and their effective performance and protection is a key component of GSA’s overall security program. Proper management of information technology systems is essential to ensure the confidentiality, integrity and availability of the data transmitted, processed or stored by GSA information systems.
Executive Order (EO) 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” requires all agencies to use “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by NIST or any successor document to manage the agency’s cybersecurity risk.” This National Institute of Standards and Technology (NIST) document is commonly referred to as the Cybersecurity Framework (CSF).
The five core CSF Functions are:
Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The CSF functions, category unique identifiers, and category descriptions are listed in Table 1-1.
Table 1-1: CSF Functions and Categories/Unique Identifiers
CSF Function | Category Unique Identifier - Category | Category Description
IDENTIFY (ID)
ID.AM - Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.BE - Business Environment
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.GV - Governance
The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.RM - Risk Management Strategy
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.SC - Supply Chain Risk Management
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
DETECT (DE)
DE.AE - Anomalies and Events
Anomalous activity is detected and the potential impact of events is understood.
DE.CM - Security Continuous Monitoring
The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
DE.DP - Detection Processes
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
PROTECT (PR)
PR.AC - Identity Management, Authentication and Access Control
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AT - Awareness and Training
The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.DS - Data Security
Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.IP - Information Protection Processes and Procedures
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.MA - Maintenance
Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.PT - Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
RESPOND (RS)
RS.RP - Response Planning
Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
RS.CO - Communications
Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
RS.AN - Analysis
Analysis is conducted to ensure effective response and support recovery activities.
RS.MI - Mitigation
Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
RECOVER (RC)
RC.RP - Recovery Planning
Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
RC.IM - Improvements
Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.CO - Communications
Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
The CSF complements, and does not replace, GSA’s risk management process and cybersecurity program. GSA uses NIST’s Risk Management Framework (RMF) as its foundation for managing information system risk. More detailed information on how the CSF relates to GSA’s use of the NIST RMF is contained in GSA IT Security Procedural Guide 06-30, “Managing Enterprise Risk.”
1.1 Purpose
The purpose of this Information Security Program Plan (ISPP) is to provide information on GSA’s security program by describing the common and hybrid controls where the GSA enterprise or a capability managed at the enterprise level implements either all (common) or part (hybrid) of the control requirements. The ISPP provides details regarding these controls, including each control’s implementation status, control type, and implementation information/guidance for Federal and Contractor operated systems.
1.2 Scope
Security controls/enhancements from NIST SP 800-53, Revision 4 included in this plan are:
Common controls - where the GSA enterprise provides the entire control;
Hybrid controls - where the GSA enterprise provides a part of the control;
Security Training and Awareness (AT) controls;
Program Management (PM) controls; and
Privacy controls.
The implementation guidance provided in this plan is applicable to GSA Federal Employees, contractors and vendors of GSA, who operate, manage, maintain, and protect GSA information systems (Federal and Contractor systems) and data.
2 References
Note: GSA updates its IT security policies and procedural guides on independent cycles which may introduce conflicting guidance until revised documents are developed. In addition, many of the references listed are updated by external organizations which can lead to inconsistencies with GSA policies and guides. When conflicts or inconsistencies are noticed, please contact [email protected] for guidance.
Federal Laws, Regulations, Publications:
5 USC 552a, “Privacy Act of 1974”
44 USC 31, “Records Management by Federal Agencies”
EO 13556, “Controlled Unclassified Information”
EO 13800, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”
HSPD-12, “Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors”
OMB Circular A-123, “Management’s Responsibility for Enterprise Risk Management and Internal Control”
OMB Circular A-130, “Managing Information as a Strategic Resource”
OMB M-06-16, “Protection of Sensitive Agency Information”
OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments”
OMB M-07-12, “Preparing for and Responding to a Breach of Personally Identifiable Information”
Public Law 113-283, “Federal Information Security Modernization Act of 2014”
FIPS Publications:
FIPS PUB 140-2, “Security Requirements for Cryptographic Modules”
FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems”
FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems”
FIPS PUB 201-2, “Personal Identity Verification (PIV) of Federal Employees and Contractors”
NIST Publications:
NIST Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity”
NIST SP 800-18, Revision 1, “Guide for Developing Security Plans for Federal Information Systems”
NIST SP 800-37, Revision 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”
NIST SP 800-53A, Revision 4, “Assessing Security and Privacy Controls for Federal Information Systems and Organizations”
NIST SP 800-60, Volume 1, Revision 1, “Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories”
NIST SP 800-60, Volume 2, Revision 1, “Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories”
NIST SP 800-61, Revision 2, “Computer Security Incident Handling Guide”
NIST SP 800-115, “Technical Guide to Information Security Testing and Assessment”
NIST SP 800-128, “Guide for Security-Focused Configuration Management of Information Systems”
NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”
NIST SP 800-160, Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure”
GSA Directives, Policies, and Procedures:
GSA Order OAS P 1820.1, “GSA Records Management Program”
GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy”
GSA Order CIO 2100.3, “Mandatory Information Technology (IT) Security Training Requirement for Agency and Contractor Employees with Significant Security Responsibilities”
GSA Order CIO 2104.1, “General Rules of Behavior”
GSA Order CIO 2110.4, “GSA Enterprise Architecture Policy”
GSA Order CIO 2130.2, “GSA Enterprise IT Governance”
GSA Order ADM 2181.1, “Homeland Security Presidential Directive-12, Personal Identity Verification and Credentialing, and Background Investigations for Contractors”
GSA Order ADM 2400.1, “Insider Threat Program”
GSA Order ADM P 9732.1, “Personnel Security and Suitability Program Handbook”
GSA Order HRM 9751.1, “Maintaining Discipline”
All CIO-IT Security Procedural or Technical Guides referenced in this document are available on the GSA IT Security Procedural Guides or Technical Guides InSite pages.
3 Security Controls
Table 3-1 provides definitions with examples of key terms used within this plan.
Table 3-1: Definitions of Key Terms
Key Term: Common Control
Definition: Security controls that can be inherited from GSA OCISO and/or any other GSA Service/Staff Office by one or more GSA or Vendor/Contractor information systems.
Example: For Federal Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a common control provided by GSA OCISO.
Key Term: Hybrid*
Definition: Security controls where one part can be inherited from GSA OCISO, a general support system or platform, or a GSA Service/Staff Office, and another part requires system-specific implementation.
Example: For Vendor/Contractor Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific.
Key Term: System Specific Control
Definition: Security controls that require system-specific implementation and are the primary responsibility of information system owners and their respective authorizing officials.
Example: For Vendor/Contractor Systems, the Denial of Service Protection (SC-5) security control is a system-specific control, since implementation is primarily the responsibility of Vendor/Contractor System owners.
Key Term: Federal System (i.e., Agency System)
Definition: An information system in GSA’s inventory processing or containing GSA or Federal information where the infrastructure and/or applications are NOT wholly operated, administered, managed, and maintained by a Contractor.
Example: Enterprise Infrastructure Operations (EIO) is a major information system that is owned by GSA and operated internally by GSA employees and contractors.
Key Term: Vendor/Contractor System
Definition: An information system in GSA’s inventory processing or containing GSA or Federal information where the infrastructure and applications are wholly operated, administered, managed, and maintained by a contractor in non-GSA facilities.
Example: An application that processes GSA data but is not owned by GSA. The system is located at a Vendor/Contractor’s facility and is operated and managed by the Vendor/Contractor.
*Note: Controls noted as Implemented and Hybrid within this plan indicate that only the Common part of the Hybrid control is implemented. System Owners are still responsible for ensuring the implementation of the system-specific part of the control. Hybrid controls are only considered fully implemented when both the Common and System Specific parts are implemented.
3.1 Access Control (AC)
3.1.1 Access Control Policy and Procedures (AC-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT security responsibilities as defined in GSA CIO Order 2100.1]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [annually, as part of CIO 2100.1, GSA IT Security Policy]; and
2. Access control procedures [biennially].
AC-1 Control Summary Information
Federal System Common Control Implementation
Part a
1. The GSA access control policy is defined in the GSA IT Security Policy, CIO 2100.1, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance regarding access control for GSA systems. This policy is disseminated GSA-wide via GSA’s InSite centralized agency web site.
2. Access control procedures are documented in CIO-IT Security-01-07, “IT Security Procedural Guide: Access Control.” This guide is disseminated GSA-wide via GSA’s InSite centralized agency web site.
Part b
1. The GSA OCISO is responsible for reviewing and updating CIO 2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT Security-01-07 biennially.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors may defer to the GSA policy and guide or implement their own access control policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
3.1.2 Account Management | Dynamic Privilege Management (AC-2 (6))
The information system implements the following dynamic privilege management capabilities: [CDM and enterprise endpoint and network security tools].
AC-2 (6) Control Summary Information
AC-2 (6) Control Implementation
Federal System Common Control Implementation
GSA’s robust security fabric and multi-level security tools and technologies at the server, workstation and network layers provide the following management capabilities.
Workstation and Server Endpoint Security Measures
- Next Gen AV - Cylance and Cylance Protect
- Application whitelisting - Bit9
- Endpoint Security - FireEye HX, a multi-level defense solution that includes signature-based and behavioral-based engines and intelligence-based indicators of compromise; includes MalwareGuard, a machine learning based protection engine built on FireEye/Mandiant IOCs.
- PIV authentication to the network and privileged accounts
- Cisco Umbrella - DNS Secure Internet Gateway solution
Network/Enterprise Security Measures
- FireEye Email Threat Prevention - Real-time email attachment executable sandboxing and URL analysis. Automatically integrates with all GSA HX nodes to verify exposure to any detected ETP signatures across HX nodes.
- FireEye Managed Defense - Active sweeps and hunts across GSA endpoints against FireEye IOCs and anomalous activity.
- Web Application Firewalls
Additional Planned Mitigations
- CyberArk - privileged account management solution
The combination of tools and capabilities identified above forms a layered defense that effectively meets the requirement for dynamic privilege management capabilities.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.1.3 Use of External Information Systems (AC-20)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
AC-20 Control Summary Information
AC-20 Control Implementation
Federal System Common Control Implementation
Part a CIO Order 2100.1 and CIO-IT Security-06-30 identify the conditions under which external information systems can be accessed via an Interconnection Security Agreement (ISA).
Part b CIO Order 2100.1 and CIO-IT Security-06-30 identify whether organizational information can be processed, stored, or transmitted on external systems; GSA’s rules of behavior (RoB) govern the terms and conditions.
Federal System System-Specific Expectation: System Owners, ISSOs, and ISSMs must document the terms and conditions in ISAs and RoBs.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.1.4 Use of External Information Systems | Limits On Authorized Use (AC-20 (1))
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
a. Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
b. Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20(1) Control Summary Information
AC-20(1) Control Implementation
Federal System Common Control Implementation
Part a CIO Order 2100.1 and CIO-IT Security-06-30 identify the requirement, via an ISA, for verification that adequate security controls are in place to use an external information system.
Part b CIO Order 2100.1 and CIO-IT Security-06-30 require a signed ISA be approved by GSA and the external system’s organization in order to access the information system.
Federal System System-Specific Expectation: System Owners, ISSOs, and ISSMs must document in collaboration with the external information system the security controls and facilitate signing of an ISA.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.1.5 Use of External Information Systems | Portable Storage Devices (AC-20 (2))
The organization [restricts] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20(2) Control Summary Information
Federal System Common Control Implementation
CIO 2100.1 and CIO-IT Security-06-32, “Media Protection,” state that GSA restricts the use of digital storage devices, including portable devices, to devices provided by GSA or provided by organizations approved by GSA on GSA information systems. All portable storage must be encrypted with a FIPS 140-2 certified encryption module.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.2 Awareness and Training (AT)
3.2.1 Security Awareness and Training Policy and Procedures (AT-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT security responsibilities as defined in GSA CIO Order 2100.1]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [annually, as part of CIO 2100.1, GSA IT Security Policy]; and
2. Security awareness and training procedures [biennially].
AT-1 Control Summary Information
Federal System Common Control Implementation
Part a
1. The GSA security awareness training policy is defined in the GSA IT Security Policy, CIO 2100.1, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance regarding security awareness training for GSA employees and contractors. This policy is disseminated GSA-wide via GSA’s InSite centralized agency web site.
2. Security awareness training procedures are documented in CIO-IT Security-05-29, “Security and Privacy Awareness and Role Based Training Program.” This guide is disseminated GSA-wide via GSA’s InSite centralized agency web site.
Part b
1. The GSA OCISO is responsible for reviewing and updating CIO 2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT Security-05-29 biennially.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors may defer to the GSA policy and guide or implement their own security awareness and training policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO) and concurrence from the CISO.
3.2.2 Security Awareness Training (AT-2)
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Annually] thereafter.
AT-2 Control Summary Information
AT-2 Control Implementation
Federal System Common Control Implementation
Part a New GSA personnel (i.e. contractors and federal employees) are required to read and acknowledge GSA’s “General IT Rules of Behavior” within 90 days of receiving network access. Process details, including enforcement actions, can be found on the OCISO Wiki.
Part b OCISO ISP coordinates multiple activities and campaigns year-round to raise cybersecurity awareness: various phishing campaigns against different user groups with an increased focus on VIPs and privileged users; email campaigns reminding people of tax scams or new cyber threats; and lastly, our "IT Security and Privacy Awareness" refresher course offered through OLU.
Part c OCISO ISP coordinates multiple activities and campaigns year-round to raise cybersecurity awareness, including the annual "IT Security and Privacy Awareness" refresher course offered through OLU.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors with GSA email accounts receive the same training as GSA employees and contractors. Vendor/contractors that access GSA information systems but do not have a GSA ENT account need a method of satisfying this control. This group of personnel must have explicit authorization to access a GSA information system without an ENT account.
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2))
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-2(2) Control Enhancement Summary Information
AT-2(2) Control Implementation
Federal System Common Control Implementation
GSA Order ADM 2400.1A, “Insider Threat Program,” describes GSA’s roles, responsibilities, and policy regarding its insider threat program (ITP). ITP personnel, under the Associate Administrator for Mission Assurance, are responsible for ensuring insider threat information and training is provided at a minimum annually.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.2.4 Role-Based Security Training (AT-3)
The organization provides role-based security-related training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Annually] thereafter.
AT-3 Control Summary Information
AT-3 Control Implementation
Federal System Common Control Implementation
Part a OCISO ISP manages training for personnel holding roles with significant security responsibilities. These roles are listed in "IT Security Procedural Guide: Security and Privacy Awareness and Role-Based Training Program CIO-IT Security-05-29." ISSMs/ISSOs/AOs receive role-based training within 6 months of their role assignment. Privileged Users possessing a Short Name Account are required to acknowledge the "Rules of Behavior for Privileged Users" before obtaining that account, then annually thereafter.
Part b Organizational and/or system changes may justify additional security training. When this occurs, OCISO ISP will coordinate the offering or identify adequate training content.
Part c Personnel holding significant security responsibilities receive role-based training every year.
Federal System System-Specific Expectation: If the System Owner of a Federal System decides additional training is necessary for personnel holding significant security responsibilities within their system, they will need to offer that training to satisfy this control. Otherwise, this control is fully inheritable.
Vendor/Contractor System Control Expectation: If the System Owner of a Vendor/Contractor System decides additional training is necessary for personnel holding significant security responsibilities within their system, they'll need to offer that training to satisfy this control. Otherwise, this control is fully inheritable.
3.2.5 Security Training Records (AT-4)
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [three years].
AT-4 Control Summary Information
AT-4 Control Implementation
Federal System Common Control Implementation
Part a OCISO manages training records for GSA employees and contractors who take basic security awareness training. Completion records are kept in GSA OLU. If OLU is not used, spreadsheets are used to document training status.
Part b OLU records are kept for at least three years. Any records kept in Google Sheets will be kept for at least three years.
Federal System System-Specific Expectation: System Owners are required to maintain training records for any system specific role based training provided to users of the information system.
Vendor/Contractor System Control Expectation: In addition to GSA-provided training, vendors/contractors are required to track and retain the completion of security training that is provided to their employees.
3.3 Audit and Accountability (AU)
3.3.1 Audit and Accountability Policy and Procedures (AU-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT security responsibilities as defined in GSA CIO Order 2100.1]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [annually, as part of CIO 2100.1, GSA IT Security Policy]; and
2. Audit and accountability procedures [biennially].
AU-1 Control Summary Information
AU-1 Control Implementation
Federal System Common Control Implementation
Part a 1. The GSA audit and accountability policy is defined in the GSA IT Security Policy, CIO 2100.1, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance regarding auditing and accountability for GSA employees and contractors. This policy is disseminated GSA-wide via GSA’s InSite centralized agency web site.
2. Audit and accountability procedures are documented in GSA IT Security Procedural Guide: CIO-IT Security-01-08, “Audit and Accountability.” The procedures facilitate the implementation of the audit policy and associated controls. This guide is disseminated GSA-wide via GSA’s InSite centralized agency web site.
Part b 1. The GSA OCISO is responsible for reviewing and updating CIO 2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT Security 01-08 biennially.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors may defer to the GSA policy and guide, or implement their own audit and accountability policies and procedures that comply with GSA’s requirements, with the approval of the Authorizing Official (AO).
3.3.2 Audit Storage Capacity (AU-4)
The organization allocates audit record storage capacity in accordance with [GSA policies and guidance: audit log sizes are documented in applicable GSA IT Security Technical Guides and Standards (i.e., hardening and technology implementation guides) available on the IT Security Technical Guides and Standards webpage].
AU-4 Control Enhancement Summary Information
Implementation Status:
Not Implemented
Not applicable
System Specific Control
System Specific Control
AU-4 Control Implementation Federal System Common Control Implementation
Audit storage capacity is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.3 Audit Review, Analysis, and Reporting (AU-6)
The organization:
a. Reviews and analyzes information system audit records [daily when security related events are forwarded to the Enterprise Logging Platform for automated analysis and correlation, otherwise on a periodic basis (specific period recommended by the GSA S/SO or Contractor and approved by the GSA AO)] for indications of [GSA S/SO or Contractor recommended inappropriate or unusual activity as approved by the GSA AO]; and
b. Reports findings to [Information System Security Manager, Information System Security Officer, System Owner (e.g., System Program Manager, System Project Manager), Custodians, as designated and approved by the GSA AO, via a dashboard when security related events are forwarded to the Enterprise Logging Platform, otherwise via manual reporting mechanisms].
AU-6 Control Summary Information
System Specific Control
AU-6 Control Implementation Federal System Common Control Implementation
Part a Audit review and analysis is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Part b Audit reporting is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.4 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1))
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6(1) Control Enhancement Summary Information
Implementation Status:
System Specific Control
System Specific Control
AU-6(1) Control Implementation Federal System Common Control Implementation
The integration of audit review, analysis, and reporting is a control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3))
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6(3) Control Enhancement Summary Information
Implementation Status:
System Specific Control
System Specific Control
AU-6(3) Control Implementation Federal System Common Control Implementation
Correlation of audit repositories to gain organization-wide situational awareness is a common control provided by GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.6 Audit Review, Analysis, and Reporting | Central Review and Analysis (AU-6 (4))
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(4) Control Enhancement Summary Information
Implementation Status:
Federal System Control Type:
System Specific Control
System Specific Control
AU-6(4) Control Implementation Federal System Common Control Implementation
Central review and analysis of audit records from multiple system components is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.7 Audit Reduction and Report Generation (AU-7)
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
AU-7 Control Enhancement Summary Information
Implementation Status:
System Specific Control
System Specific Control
AU-7 Control Implementation Federal System Common Control Implementation
Part a On-demand audit review, analysis, and reporting is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Part b Maintaining the original content and time order of events is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.3.8 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1))
The information system provides the capability to process audit records for events of interest based on: [
Source IP
Destination IP
Account Names
Event Type].
Implementation Status:
System Specific Control
System Specific Control
AU-7(1) Control Implementation Federal System Common Control Implementation
Automatic processing of audit records for events of interest is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
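The following is an added illustration, not code from the ISPP or from GSA’s SecTools system, of what the AU-7 and AU-7(1) capability looks like in practice: selecting audit records of interest by source IP, destination IP, account name or event type (AU-7(1)) while leaving the original record content and time ordering untouched (AU-7 part b). The key=value line format, field names and sample records are constructed assumptions for the example only.

```python
"""Audit reduction and report generation over constructed audit records.

Added example for AU-7 / AU-7(1). The log format (one key=value record per
line) and the field names src, dst, user and event are assumptions; they are
not GSA's or SecTools' actual audit record format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample audit trail (assumption), already in time order.
SAMPLE_LOG = """\
ts=2020-06-16T08:00:01Z src=10.1.2.3 dst=10.9.8.7 user=alice event=LOGIN_SUCCESS
ts=2020-06-16T08:00:05Z src=10.1.2.3 dst=10.9.8.7 user=alice event=FILE_READ
ts=2020-06-16T08:00:09Z src=203.0.113.5 dst=10.9.8.7 user=bob event=LOGIN_FAILURE
ts=2020-06-16T08:00:12Z src=203.0.113.5 dst=10.9.8.7 user=bob event=LOGIN_FAILURE
ts=2020-06-16T08:00:20Z src=10.1.2.4 dst=10.9.8.8 user=carol event=PRIV_ESCALATION
ts=2020-06-16T08:00:25Z src=203.0.113.5 dst=10.9.8.7 user=bob event=LOGIN_SUCCESS
"""


@dataclass(frozen=True)
class AuditRecord:
    """One parsed audit record; `raw` keeps the original line verbatim."""
    ts: datetime
    src: str
    dst: str
    user: str
    event: str
    raw: str


def parse_records(text: str) -> List[AuditRecord]:
    """Parse key=value lines into immutable records, keeping file order."""
    records: List[AuditRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        records.append(AuditRecord(ts, fields["src"], fields["dst"],
                                   fields["user"], fields["event"], line))
    return records


def reduce_records(records: List[AuditRecord], *, src: Optional[str] = None,
                   dst: Optional[str] = None, user: Optional[str] = None,
                   event: Optional[str] = None) -> List[AuditRecord]:
    """Audit reduction: keep records matching every supplied criterion.

    The input list is never modified and the relative order of the surviving
    records is the original order, which is what AU-7 part b requires.
    """
    def matches(r: AuditRecord) -> bool:
        return ((src is None or r.src == src)
                and (dst is None or r.dst == dst)
                and (user is None or r.user == user)
                and (event is None or r.event == event))

    return [r for r in records if matches(r)]


def is_time_ordered(records: List[AuditRecord]) -> bool:
    """Check that a (reduced) record set is still in non-decreasing time order."""
    return all(a.ts <= b.ts for a, b in zip(records, records[1:]))


def failed_logins_by_source(records: List[AuditRecord]) -> Dict[str, int]:
    """Report helper: count LOGIN_FAILURE events per source IP."""
    counts: Dict[str, int] = {}
    for r in reduce_records(records, event="LOGIN_FAILURE"):
        counts[r.src] = counts.get(r.src, 0) + 1
    return counts


def report(records: List[AuditRecord], title: str) -> str:
    """Render a reduced set as a report built from the unaltered raw lines."""
    lines = [f"# {title}: {len(records)} record(s)"]
    lines.extend(r.raw for r in records)
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(report(reduce_records(recs, user="bob"), "events for account bob"))
    print(failed_logins_by_source(recs))
```

The reduction works on copies and emits the original `raw` lines, so a report can be handed to an investigator without any risk that filtering rewrote or re-ordered the evidence; `is_time_ordered` is the check a reviewer would run on the reduced output before relying on it.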
3.3.9 Audit Record Retention (AU-11)
The organization retains audit records online for [archived for a period of not less than 180 days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11 Control Enhancement Summary Information
Implementation Status:
System Specific Control
System Specific Control
AU-11 Control Implementation Federal System Common Control Implementation
Audit record retention is a hybrid control shared with GSA’s SecTools FISMA system. Details on the common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the system-specific control implementation guidance are available in the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors are required to comply with the control statement.
3.4 Security Assessment and Authorization (CA)
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT security responsibilities as defined in GSA CIO Order 2100.1]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [annually, as part of CIO 2100.1, GSA IT Security Policy]; and
2. Security assessment and authorization procedures [biennially].
CA-1 Control Summary Information
System Specific Control
System Specific Control
CA-1 Control Implementation Federal System Common Control Implementation
Part a 1. The GSA security assessment and authorization policy is defined in the GSA IT Security Policy, CIO 2100.1, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance regarding assessing and authorizing systems for GSA. This policy is disseminated GSA-wide via GSA’s InSite centralized agency web site.
2. Security assessment and authorization procedures are documented in GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk.” Additional security and assessment guides for specific types of systems have been developed and are referenced in CIO- IT Security-06-30. The procedures in these guides facilitate the security assessment and authorization of all GSA systems. The guides are disseminated GSA-wide via GSA’s InSite centralized agency web site.
Part b 1. The GSA OCISO is responsible for reviewing and updating CIO 2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT Security 06-30 biennially.
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors must adhere to GSA’s policy and guide regarding the security assessment and authorization of GSA systems.
3.4.2 Plan of Action and Milestones (CA-5)
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [at least quarterly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5 Control Summary Information
System Specific Control
System Specific Control
CA-5 Control Implementation Federal System Common Control Implementation
Part a POA&Ms are required upon the initial A&A of a system based on the Security Assessment Report prepared when the system is assessed. CIO-IT Security-06-30, “Managing Enterprise Risk,” provides additional details about when and how specific vulnerabilities must be included in a system’s POA&M. CIO-IT Security-09-44, “Plan of Action and Milestones,” provides additional details on GSA’s POA&M management process. OCISO ISP tracks that POA&Ms are implemented during an initial A&A of a system.
Part b Both CIO-IT Security-06-30 and CIO-IT Security-09-44 identify the need to update POA&Ms at least quarterly and the types of activities that would produce results requiring a POA&M be created. OCISO ISP monitors that POA&Ms are updated by conducting quarterly reviews to determine if subsequent findings and actions are being performed.
Federal System System-Specific Expectation: FISMA System ISSOs, in collaboration with System Owners and other system personnel, are responsible for creating initial POA&Ms and updating them as milestones or POA&M actions are completed, and at least on a quarterly basis. Subsystems do not have their own POA&M; their POA&Ms are integrated with the FISMA system’s POA&M.
Vendor/Contractor System Control Expectation: Vendors/contractors must adhere to GSA’s policy and guide regarding POA&Ms.
3.4.3 Security Authorization (CA-6)
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [as specified in CIO-IT Security-06-30 and GSA's other Assessment and Authorization processes identified therein].
CA-6 Control Summary Information
System Specific Control
System Specific Control
CA-6 Control Implementation Federal System Common Control Implementation
Part a The GSA OCISO, Services/Staff Offices, and other organizations identify the authorizing official for all GSA information systems.
Part b The GSA OCISO IST and ISP Divisions ensure that all GSA information systems are authorized in accordance with CIO Order 2100.1 and CIO-IT Security-06-30 and other A&A processes defined therein, before being put into operational production.
Part c CIO Order 2100.1 and CIO-IT Security-06-30 require authorizations to be updated in accordance with the timelines defined in CIO-IT Security-06-30 and GSA’s other A&A process guides. As specified in CIO-IT Security-06-30, authorizations are updated at least every three years or upon significant changes. Systems in ongoing authorization undergo biannual performance metric monitoring which fulfills the update requirement.
Federal System System-Specific Expectation: System owners, ISSOs, ISSMs, and system personnel are responsible for updating their security authorization and submitting it to the OCISO in accordance with the timelines defined in CIO-IT Security-06-30 and GSA’s other A&A process guides.
Vendor/Contractor System Control Expectation: Vendors/contractors must adhere to GSA’s policy and guides regarding the authorization of GSA systems.
3.4.4 Continuous Monitoring (CA-7)
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [metrics as defined in CIO-IT Security-12-66] to be monitored;
b. Establishment of [monthly] for monitoring and [annually] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians;] [monthly].
CA-7 Control Summary Information
System Specific Control
System Specific Control
Part a GSA OCISO has established continuous monitoring performance metrics to be monitored in CIO-IT Security-12-66, “Information Security Continuous Monitoring (ISCM) Strategy and Ongoing Authorization (OA) Program.”
Part b GSA OCISO has established monthly and annual monitoring and assessment requirements in CIO-IT Security-12-66.
Part c GSA OCISO requires systems to complete an annual FISMA Self-Assessment (unless a full assessment has been completed) in addition to the use of Continuous Diagnostics and Mitigation (CDM) and other Enterprise Security Management tools to continually assess the security status of systems.
Part d GSA OCISO requires systems to complete an annual FISMA Self-Assessment (unless a full assessment has been completed) in addition to the use of Continuous Diagnostics and Mitigation (CDM) and other Enterprise Security Management tools to continually assess the security status of systems.
Part e GSA leverages its deployment of CDM and other Enterprise Security Management tools, their dashboards, and reports to correlate findings and analysis of them with OCISO and system personnel.
Part f System owners, ISSOs, ISSMs, and system personnel are responsible for addressing findings from annual assessments and GSA’s CDM and other Enterprise Security Management tools in accordance with CIO-IT Security-06-30 and CIO-IT Security-17-80, “Vulnerability Management Process.”
Part g GSA leverages its deployment of CDM and other Enterprise Security Management tools, their dashboards, and reports to inform personnel with security responsibilities for systems of the status of their systems in accordance with CIO-IT Security-06-30 and CIO-IT Security-17-80, “Vulnerability Management Process.”
Federal System System-Specific Expectation: System owners, ISSOs, ISSMs, and system personnel are responsible for responding to findings from assessment activities and monitoring tools in accordance with CIO-IT Security-06-30, CIO-IT Security-17-80, and CIO-IT Security-12-66 (for systems in Ongoing Authorization).
Vendor/Contractor System Control Expectation: Vendors/contractors must adhere to GSA’s policy and guides regarding continuous monitoring of GSA systems.
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1))
The organization employs assessors or assessment teams with [S/SO or Contractor recommended and AO approved level of independence] to monitor the security controls in the information system on an ongoing basis.
CA-7(1) Control Summary Information
System Specific Control
System Specific Control
CA-7(1) Control Implementation Federal System Common Control Implementation
GSA OCISO personnel performing continuous monitoring assessments using CDM and other Enterprise Security Management tools meet the level of independence GSA requires (i.e., do not have a conflict of interest for the systems being monitored).
Federal System System-Specific Expectation: None, common control.
Vendor/Contractor System Control Expectation: Vendors/contractors must adhere to GSA’s policy and guide regarding independence of personnel performing continuous monitoring activities.
3.5 Configuration Management (CM)
3.5.1 Configuration Management Policy and Procedures (CM-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT security responsibilities as defined in GSA CIO Order 2100.1]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [annually, as part of CIO 2100.1, GSA IT Security Policy]; and
2. Configuration management procedures [biennially].
CM-1 Control Summary Information
System Specific Control
System Specific Control
CM-1 Control Implementation Federal System Common Control Implementation
Part a 1. The GSA configuration management policy is defined in the GSA IT Security Policy, CIO 2100.1, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance regarding the configuration management of GSA systems. This policy is disseminated GSA-wide via GSA’s InSite centralized agency web site