


NARA IT Security Requirements Language: Unclassified Information Systems
NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
February 13, 2017
Version 1.2

Version Control

Version   Description of contents/revisions                                                         Editor          Date
1.0       NARA standard IT security contractual requirements for unclassified information documented   William Fumey   4/18/16
1.1       Minor updates                                                                             William Fumey   12/1/16
1.2       Added reference to OMB Circular A-130, TIC 2.0 compliance, and IPv6 requirements           William Fumey   2/13/17

Table of Contents

Applicability to Contractors and Subcontractors
NARA Security Policy Requirement
Cloud Computing
Security Review Requirement
Interconnection Security Agreement (ISA)
Required Protections for NARA Systems Hosted in Non-NARA Data Centers
Supply Chain Risk Management
Personal Identity Verification (PIV) Credential Compliance

Applicability to Contractors and Subcontractors

The requirements below apply to all contractors and subcontractors, including cloud service providers ("CSPs"), and to personnel of contractors, subcontractors, and CSPs who may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of NARA Information. These requirements establish and implement the specific NARA security requirements applicable to the referenced contract.

NARA Security Policy Requirement

All hardware, software, and services provided under this contract must comply with NARA 804, IT Systems Security Policy, and its associated policies, procedures, and standards, and must ensure the confidentiality, integrity, and availability of the NARA Information handled under this contract. The Contractor shall develop and maintain a System Security Plan, a Security Assessment Report, and a Plan of Action & Milestones that reflect the security posture of the system.
The Contractor shall comply with all applicable security requirements, including but not limited to the regulations and guidance in the Federal Information Security Modernization Act of 2014 ("FISMA"), the Privacy Act of 1974, the E-Government Act of 2002, National Institute of Standards and Technology ("NIST") Special Publications ("SP") including NIST SP 800-37, 800-53, and 800-60 Volumes I and II, Federal Information Processing Standards ("FIPS") Publications 140-2, 199, and 200, Office of Management and Budget (OMB) Circular A-130, OMB Memoranda, the Federal Risk and Authorization Management Program ("FedRAMP"), and NARA IT Security Standards, including NARA Order 2640.2, as amended. These requirements include but are not limited to:

- Limiting access to NARA Information and Information Systems to authorized users, and to the transactions and functions that authorized users are permitted to exercise;
- Providing security awareness training, including but not limited to recognizing and reporting potential indicators of insider threats, to users and managers of NARA Information and Information Systems;
- Creating, protecting, and retaining Information System audit records, reports, and supporting documentation sufficient to enable reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to any information system used for, involved with, or allowing the processing, storing, or transmitting of NARA Information (each such system, a "Covered Information System");
- Maintaining authorizations to operate for any Covered Information System;
- Performing continuous monitoring on any Covered Information System;
- Establishing and maintaining baseline configurations and inventories of any Covered Information System, including hardware, software, firmware, and documentation, throughout the system development life cycle, and establishing and enforcing security configuration settings for the IT products employed in such systems;
- Ensuring that appropriate contingency planning has been performed;
- Identifying the users, processes acting on behalf of users, and devices of any Covered Information System, and authenticating and verifying the identities of those users, processes, and devices using multifactor authentication or HSPD-12 compliant authentication methods where required;
- Establishing an operational incident handling capability for any Covered Information System that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to the appropriate officials and authorities within the Contractor's organization and at NARA;
- Performing periodic and timely maintenance on any Covered Information System, and providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct such maintenance;
- Protecting the media of any Covered Information System, including paper, digital, and electronic media; limiting access to NARA Information to authorized users; and sanitizing or destroying Information System media containing NARA Information before disposal, release, or reuse of such media;
- Limiting physical access to any Covered Information System, its equipment, and the physical facilities housing such systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer ("CO"), and protecting the physical facilities and support infrastructure for such systems;
- Screening individuals prior to authorizing their access to any Covered Information System, to ensure compliance with NARA security standards;
- Periodically assessing the risk to NARA Information in any Covered Information System, including scanning for vulnerabilities and remediating them in accordance with NARA policy, and ensuring the timely removal of assets no longer supported by the Contractor;
- Periodically assessing the security controls of any Covered Information System to determine whether the controls are effective in their application; developing and implementing plans of action to correct deficiencies and eliminate or reduce vulnerabilities in such systems; and monitoring security controls on an ongoing basis to ensure their continued effectiveness;
- Monitoring, controlling, and protecting information transmitted or received by any Covered Information System at the external boundaries and key internal boundaries of such systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and
- Identifying, reporting, and correcting security flaws in any Covered Information System in a timely manner, providing protection from malicious code at appropriate locations, and monitoring security alerts and advisories and taking appropriate action in response.

The Contractor shall not process, store, or transmit NARA Information with any Covered Information System without first obtaining an Authority to Operate ("ATO") for that Information System. The ATO shall be signed by the NARA Authorizing Official responsible for maintaining the security, confidentiality, integrity, and availability of the NARA Information under this contract.

The Contractor shall ensure that no non-U.S. citizen accesses, or assists in the development, operation, management, or maintenance of, any NARA Information System unless a waiver has been granted by the CO.

When requested by the NARA CO or COR, or by another NARA official as described below, in connection with NARA's efforts to ensure compliance with security requirements and to safeguard against threats and hazards to the security, confidentiality, integrity, and availability of NARA Information, the Contractor shall provide NARA, including the Office of Inspector General ("OIG") and Federal law enforcement components, with (1) access to any and all information and records, including electronic information, regarding any Covered Information System, and (2) physical access to the Contractor's facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data reviews by NARA or by agents acting on behalf of NARA, and shall be provided within 72 hours of the request. Additionally, the Contractor shall cooperate with NARA's efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of NARA Information.
The use of Contractor-owned laptops or other portable digital or electronic media to process or store NARA Information is prohibited until the Contractor provides a letter to the NARA CO, and obtains the CO's approval, certifying compliance with the following requirements:

- Media must be encrypted using a NIST FIPS 140-2 validated product;
- The Contractor must develop and implement a process to ensure that security software and other application software is kept up to date;
- Where applicable, media must use antivirus software and a host-based firewall;
- The Contractor must log all computer-readable data extracts from databases holding NARA Information, and must verify that each extract containing such data has been erased within 90 days of extraction or that its use is still required. All NARA Information is sensitive information unless specifically designated as non-sensitive by NARA; and
- A Rules of Behavior ("ROB") form must be signed by users. These rules must address, at a minimum, authorized and official use, the prohibition of unauthorized users and uses, and the protection of NARA Information. The form must also notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through, or data stored on, Contractor-owned laptops or other portable digital or electronic media.

Contractor-owned removable media containing NARA Information shall not be removed from NARA facilities without the prior approval of the NARA CO or COR.

When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with NARA security requirements.

The Contractor must keep an accurate inventory of the digital or electronic media used in the performance of NARA contracts.

The Contractor must remove all NARA Information from Contractor media and return all such information to NARA within 15 days of the expiration or termination of the contract, unless that period is extended by the CO or the requirement is waived (in whole or in part) by the CO. All such information shall be returned to NARA in a format and form acceptable to NARA. The removal and return of all NARA Information must be accomplished in accordance with NARA IT Security Standard requirements, and an official of the Contractor shall provide the CO with a written certification of the removal and return of all such information within 15 days after the removal and return are complete.

NARA, at its discretion, may suspend the Contractor's access to any NARA Information, or terminate the contract, when NARA suspects that the Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident, where NARA determines that either event gives cause for such action. The suspension of access to NARA Information may last until such time as NARA, in its sole discretion, determines that the situation giving rise to the action has been corrected or no longer exists.
The Contractor understands that any suspension or termination under this provision shall be at no cost to NARA, and that, upon request by the CO, the Contractor must immediately return all NARA Information to NARA, together with any media on which NARA Information resides, at the Contractor's expense.

Cloud Computing

Cloud Computing means an Information System having the essential characteristics described in NIST SP 800-145, The NIST Definition of Cloud Computing. Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, deployed as a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud.

The Contractor may not use the Cloud system of any Cloud Service Provider unless:

- The Cloud system and CSP have been evaluated and approved by a Third Party Assessment Organization (3PAO) accredited under FedRAMP; the Contractor has provided the most current Security Assessment Report ("SAR") to the NARA Contracting Officer for consideration as part of the Contractor's overall System Security Plan, and provides any subsequent SARs within 30 days of issuance; and the Contractor has received an ATO from the NARA Authorizing Official responsible for maintaining the security, confidentiality, integrity, and availability of the NARA Information under the contract; or
- If not certified under FedRAMP, the Cloud system and CSP have received an ATO signed by the NARA Authorizing Official responsible for maintaining the security, confidentiality, integrity, and availability of the NARA Information under the contract.

The Contractor must ensure that the CSP allows NARA to access and retrieve any NARA Information processed, stored, or transmitted in a Cloud system under this contract within a reasonable time of any such request, and in no event later than 48 hours after the request.
To ensure that NARA can fully and appropriately search and retrieve NARA Information from the Cloud system, such access shall include any schemas, metadata, and other associated data artifacts.

Security Review Requirement

The Government may elect to conduct periodic reviews to ensure that the security requirements in this contract are being implemented and enforced. The Contractor shall afford NARA, including the NARA Information Services organization, the Office of the Inspector General, the authorized Contracting Officer's Representative (COR), and other government oversight organizations, access to the Contractor's facilities, installations, operations, documentation, databases, and personnel used in the performance of this contract. The Contractor will contact the NARA Chief Information Security Officer to coordinate, and to participate in, the review and inspection activities of government oversight organizations external to NARA. Access shall be provided to the extent necessary for the government to carry out a program of inspection, investigation, and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of NARA data or the function of computer systems operated on behalf of NARA, and to preserve evidence of computer crime.

Interconnection Security Agreement (ISA)

The following Interconnection Security Agreement requirements apply if the service being supplied requires a connection to a non-NARA system, a Contractor system, or a NARA system of a different sensitivity.

Interconnection Security Agreement Requirements

Interconnections between NARA and non-NARA IT systems shall be established only through controlled interfaces and via approved service providers.
Connections with other Federal agencies shall be documented on the basis of interagency agreements, memoranda of understanding, service level agreements, or interconnection security agreements.

Required Protections for NARA Systems Hosted in Non-NARA Data Centers

The following Required Protections apply to contracts for information systems that are hosted, operated, maintained, and used on behalf of NARA at non-NARA facilities. Contractors are fully responsible and accountable for ensuring compliance with all Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), Federal Information Processing Standard (FIPS), and related NARA security control requirements (including configuration guides, hardening guidance, NARA security policy, procedures, and architectural guidance). All of the subsections from Security Authorization through Log Retention are included in this requirement.

Security Authorization

A Security Authorization of any infrastructure directly supporting the NARA information system shall be performed as a general support system (GSS) prior to NARA occupancy, to characterize the network, identify threats, identify vulnerabilities, analyze existing and planned security controls, determine the likelihood of each threat, analyze impact, determine risk, recommend controls, remediate identified deficiencies, and document the results. The Security Authorization shall be performed in accordance with the NARA IT Systems Security Policy, and the controls provided by the hosting provider shall be equal to or stronger than those required by the FIPS 199 security categorization of the NARA information system.

At the beginning of the contract, and annually thereafter, the contractor shall provide the results of an independent assessment and verification of security controls. The independent assessment and verification shall apply the same standards that NARA applies in the Security Authorization process for its own information systems. Any deficiencies noted during this assessment shall be provided to the COR for entry into the NARA Plan of Action and Milestones (POA&M) management process. The contractor shall use the NARA POA&M process to document the remedial actions planned to address any deficiencies in information security policies, procedures, and practices, and the completion of those actions. Security deficiencies shall be corrected within the timeframes dictated by the NARA POA&M Management Process.

Contractor procedures shall be subject to periodic, unannounced assessments by NARA officials. The physical aspects of contractor activities shall also be subject to such assessments.

On a periodic basis, NARA, including the NARA Office of Inspector General, may choose to evaluate any or all of the security controls implemented by the contractor under these requirements. Evaluation may include, but is not limited to, vulnerability scanning. NARA reserves the right to conduct audits at its discretion. With ten working days' notice, at the request of the Government, the contractor shall fully cooperate with and facilitate a Government-sponsored security control assessment at each location where NARA information is processed or stored or where information systems are developed or operated. In the event of a security incident, the Government may conduct a security control assessment on shorter notice (including unannounced assessments) as determined by NARA.

Enterprise Security Architecture

The contractor shall use and adhere to the NARA IT Security Architecture, in accordance with applicable laws and NARA policies, to the satisfaction of the NARA COR.
Continuous Monitoring

The contractor shall participate in NARA's Continuous Monitoring Strategy and methods, or shall provide a Continuous Monitoring capability that NARA determines to be acceptable. At a minimum, the contractor shall implement the following processes:

- Asset Management
- Vulnerability Management
- Configuration Management
- Malware Management
- Log Integration
- Security Information and Event Management (SIEM) Integration
- Patch Management

Specific Protections

Specific protections that shall be provided by the contractor include, but are not limited to, the following:

Security Operations

The Contractor shall operate a Security Operations Center (SOC) to provide the security services described below. The Contractor shall support regular reviews with the NARA Information Services office to coordinate and synchronize the security posture of the contractor hosting facility with that of the NARA Data Centers. The SOC shall be staffed 24x7x365 to monitor the network and all of its devices. The contractor staff shall also analyze the information generated by those devices for security events, respond to real-time events, correlate security device events, and perform continuous monitoring. It is recommended that the contractor staff also maintain a trouble ticket system in which incidents and outages are recorded. In the event of an incident, the contractor facility SOC shall adhere to the incident response plan.

Computer Incident Response Services

The Contractor shall provide Computer Incident Response Team (CIRT) services. The contractor shall adhere to the standard Incident Reporting process as determined by NARA and shall develop a NARA-specific incident response plan that adheres to NARA policy and procedures for reporting incidents. The contractor shall conduct incident response exercises to ensure that all personnel are familiar with the plan. The contractor shall notify the NARA IT Security Management Division of any incident in accordance with the Incident Response Plan and shall work with NARA throughout the duration of the incident.

Firewall Management and Monitoring

The Contractor shall provide firewall management services that include the design, configuration, implementation, maintenance, and operation of all firewalls within the hosted infrastructure, in accordance with NARA architecture and security policy. The contractor shall provide all maintenance, including configuration, patching, and rule maintenance (add, modify, delete), and shall comply with NARA's configuration management and release management requirements when changes are required. Firewalls shall operate 24x7x365. If an abnormality or anomaly is identified, the contractor shall notify the appropriate NARA point of contact in accordance with the incident response plan.

Intrusion Detection Systems and Monitoring

The Contractor shall provide the design, configuration, implementation, and maintenance of the sensors and hardware required to support the network intrusion detection system (NIDS) solution. The contractor is responsible for creating and maintaining the NIDS rule sets. The NIDS solution should provide real-time alerts, and these alerts and other relevant information shall be collected in a central repository. The NIDS shall operate 24x7x365. If an abnormality or anomaly is identified, the contractor shall notify the appropriate NARA point of contact in accordance with the incident response plan.

Physical and Information Security and Monitoring

The Contractor shall provide a facility with appropriate protective measures for physical security. The contractor shall maintain a process to control physical access to NARA IT assets. NARA IT assets shall be monitored 24x7x365.
A summary of unauthorized access attempts shall be reported to the appropriate NARA security office.

Vulnerability Assessments

The Contractor shall provide all information from any managed device to NARA, as requested, and shall assist, as needed, in performing periodic vulnerability assessments of the network, operating systems, and applications to identify vulnerabilities and propose mitigations. Vulnerability assessments shall be included as part of the continuous monitoring of the system.

Anti-malware (e.g., virus, spam)

The Contractor shall design, implement, monitor, and manage a comprehensive anti-malware service. The contractor shall provide all maintenance for the system providing the anti-malware capabilities, including configuration and definition updates, and shall comply with NARA's configuration management and release management requirements when changes are required. If an abnormality or anomaly is identified, the contractor shall notify the appropriate NARA point of contact in accordance with the incident response plan.

Patch Management

The Contractor shall perform and provide patch management services. The contractor shall push the patches required by vendors and by the NARA system owner, so that the infrastructure and applications that directly support the NARA information system are current in their release and all security patches are applied. Core applications, those NARA uses to fulfill its mission, shall be tested by NARA; the contractor shall be responsible for deploying patches to them as directed by NARA. It is recommended that all other applications (host-based intrusion detection system (HIDS), network intrusion detection system (NIDS), anti-malware, and firewall) be tested by the contractor in a test environment prior to deployment.

Log Retention

Log files for all infrastructure devices, physical access, and anti-malware should be retained online for 180 days and offline for three years.

Trusted Internet Connection

The Contractor shall provide a Trusted Internet Connection (TIC) 2.0 compliant interconnection architecture and shall support continued compliance with OMB requirements.

IPv6 Requirements

The Contractor shall comply with Federally mandated IPv6 requirements.

Supply Chain Risk Management

Contractors supplying hardware and software to the Government shall provide the manufacturer's name, address, state and/or domain of registration, and Data Universal Numbering System (DUNS) number for all components comprising the hardware and software. If subcontractors or subcomponents are used, the name, address, state and/or domain of registration, and DUNS number of those suppliers must also be provided.

Subcontractors are subject to the same general requirements and standards as prime contractors. Contractors employing subcontractors shall perform due diligence to ensure that these standards are met.

The Government shall be notified when a new contractor, subcontractor, or service provider is introduced into the supply chain, or when suppliers of parts or subcomponents change.

Contractors shall provide, implement, and maintain a Supply Chain Risk Management Plan that addresses the internal and external practices and controls employed to minimize the risk posed by counterfeits and by vulnerabilities in systems, components, and software. The Plan shall describe the processes and procedures that will be followed to ensure appropriate supply chain protection of the information system resources developed, processed, or used under this contract.
The Supply Chain Risk Management Plan shall address the following elements:

- How risks from the supply chain will be identified;
- What processes and security measures will be adopted to manage these risks to the system or system components; and
- How the risks and associated security measures will be updated and monitored.

The Supply Chain Risk Management Plan shall remain current through the life of the contract or period of performance. The Supply Chain Risk Management Plan shall be provided to the Contracting Officer's Representative (COR) 90 days after award.

The Contractor acknowledges the Government's requirement to assess the Contractor's supply chain risk posture. The Contractor understands and agrees that the Government retains the right to cancel or terminate the contract if the Government determines that continuing the contract presents an unacceptable risk to national security.

The Contractor shall disclose, and the Government will consider, relevant industry standards certifications, recognitions, awards, and acknowledgments.

The Contractor shall provide only new equipment unless otherwise expressly approved, in writing, by the Contracting Officer (CO). Contractors shall provide only Original Equipment Manufacturer (OEM) parts to the Government. If a shipped OEM part fails, all replacement parts must be OEM parts. The Contractor may deviate from new OEM components (for example, "grey market" or previously used components) only with formal Government approval. Components shall be procured from their original genuine source and shipped only from the manufacturer's authorized shipment points.

For software products, the contractor shall provide all OEM software updates that correct defects for the life of the product (i.e., until its "end of life"). Software updates and patches must be made available to the Government for all products procured under this contract.

Contractors shall employ formal and accountable transit, storage, and delivery procedures for all shipments made to fulfill contract obligations with the Government; that is, possession of each component is documented at all times from the initial shipping point to the final destination, and every transfer of the component from one custodian to another is fully documented and accountable. All records pertaining to transit, storage, and delivery shall be maintained and available for inspection for the lesser of the term of the contract, the period of performance, or one calendar year from the date the activity occurred. These records must be readily available for inspection by any agent designated by the U.S. Government as having the authority to examine them.

The transit process shall minimize the number of times components change custody en route and shall use tamper-proof or tamper-evident packaging for all shipments. At the Government's request, the supplier shall be able to provide shipping status at any time during transit.

The Contractor is fully liable for all damage, deterioration, or loss incurred during shipment and handling, unless the damage, deterioration, or loss is caused by the Government. The Contractor shall provide a packing slip accompanying each container or package that identifies the contract number, the order number, a description of the hardware/software enclosed (manufacturer name, model number, serial number), and the customer point of contact. The contractor shall send a shipping notification to the intended Government recipient or the Contracting Officer. This shipping notification shall be sent electronically and shall state the contract number, the order number, a description of the hardware/software being shipped (manufacturer name, model number, serial number), the initial shipper, the shipping date, and the tracking number.

Personal Identity Verification (PIV) Credential Compliance

If the contract is for products, systems, services, hardware, or software that enable access to controlled facilities and information systems, the PIV Credential Compliance requirement below applies.

Personal Identity Verification (PIV) Credential Compliance Requirement

Procurements for products, systems, services, hardware, or software involving controlled facilities or information systems shall be PIV-enabled by accepting HSPD-12 PIV credentials as a method of identity verification and authentication. Procurements for software products or software development shall be PIV compliant by accepting PIV credentials as the common means of authentication for access by Federal employees and contractors.

PIV-enabled information systems must demonstrate that they work correctly with PIV credentials by completing the cryptographic challenge-response of the authentication protocol, and verifying the credential's response, before granting access.

If a system is identified as non-compliant with HSPD-12 for PIV credential enablement, a remediation plan for achieving HSPD-12 compliance shall be required for review, evaluation, and approval by the CISO.