General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS)

8.0 BSS RISK MANAGEMENT PLAN [L.30.2.7, M.2.2, G.5.6]

8.1 Introduction [G.5.6]

Level 3's EIS Business Support Systems (BSS) Risk Management Framework Plan addresses system security in accordance with EIS RFP Section G.5.6.

8.2 BSS Risk Management Framework Plan [G.5.6.1, G.5.6.2]

Level 3 ensures security requirements are met for the BSS, which will be defined in the BSS System Security Plan (BSS SSP), at a

and will support Government security and authorization efforts. Level 3 also supports the Government's efforts to verify that these standards are being met. Level 3 is committed to maintaining the security, integrity and availability of its services, networks and customer data transported via Level 3 services. Level 3

. The responsibilities of these security departments are to identify and correct vulnerabilities that affect the

. Level 3 believes that early detection and analysis of security threats and exposures that impact the network is critical to providing a consistent assessment of the security level being provided. The EIS BSS risk management framework supports the following goals:

•

In order to develop an effective and relevant security control selection that ensures Level 3 is able to meet Confidentiality, Integrity and Availability objectives in the EIS BSS environment, we have established the BSS Risk Management Framework (RMF) with guidance from the following documentation:

• Federal Information Security Management Act (FISMA) of 2002; (44 U.S.C. Section 301. Information security)

• Federal Information Security Modernization Act of 2014; (to amend Chapter 35 of 44 U.S.C.)

Vol. 2 Management RFP No. QTA0015THA3003 (page count unlimited)

8-1

Use or disclosure of data contained on this page is subject to the restrictions on the title page of this proposal.

• FIPS PUB 199, "Standards for Security Categorization of Federal Information and Information Systems." Dated February 2004.

• FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems." Dated March 2006.

• NIST SP 800-18 Revision 1, "Guide for Developing Security Plans for Federal Information Systems." Dated February 2006.

• NIST SP 800-30 Revision 1, "Guide for Conducting Risk Assessments." Dated September 2012.

• NIST SP 800-34 Revision 1, "Contingency Planning Guide for Information Technology Systems." Dated May 2010.

• NIST SP 800-37 Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach." Dated February 2010.

• NIST SP 800-40 Revision 3, "Guide to Enterprise Patch Management Technologies." Dated July 2013.

• NIST SP 800-47, "Security Guide for Interconnecting Information Technology Systems." Dated August 2002.

• NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." Dated April 2013.

• NIST Special Publication 800-53A, Revision 4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Assessment Plans." Dated December 2014.

• NIST SP 800-60 Revision 1, "Guide for Mapping Types of Information and Information Systems to Security Categories." Dated August 2008.

• NIST SP 800-160, "Systems Security Engineering." Draft dated May 2014.

• NIST SP 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations." Dated April 2015.

• NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." Dated June 2015.

• DODI 8510.01, "Risk Management Framework (RMF) for DOD Information Technology (IT)." Dated 12 March 2014.

The Level 3 Security Compliance organization is responsible for the design, maintenance and enforcement of the security framework and other security initiatives within Level 3 Communications. The Security Compliance organization is led by the Chief Information Security Officer (CISO). The Security Compliance organization supports the governance of Tier 1 functions described in NIST 800-37.

From the EIS BSS perspective, NIST 800-37 .

The Level 3 procurement organization is also integrated into this layer to ensure that risk management constructs are incorporated into the procurement/supply chain.

Within the EIS BSS risk management construct, there are multiple Level 3 organizations supporting relative NIST 800-37

Following NIST 800-37 guidance, a representative Level 3 EIS BSS Tiered Risk Management pyramid diagram is provided in Figure 8.2-1.

Figure 8.2-1. Level 3 Tiered Risk Management Approach.

RMF plans evolve, and this document summarizes the status of Level 3's plan as of

, recapped in Figure 8.2-2. At a high level, we are

Our security organization is engaged, assisting in the first risk analysis and assessment (RA-3), and is maintaining the BSS SSP following the guidance of NIST SP 800-18 Rev. 1.

Figure 8.2-2. The Risk Management Framework Cycle.

Addressing each of its six steps, our current RMF follows.

8.2.1 Step 1: Categorize Information System

8.2.1.1 Security Categorization, RMF Task 1-1

associate with the SBU dataset. Attributes include:

•

The security categorization of the EIS BSS is given as a

Among other items, the risk assessment recognized the information to be processed by the EIS BSS, that this processing may, upon customer request, include

The analysis also considered what bounds should be in place to control system access, as well as the consequences of a successful malware attack and exfiltration.
