Information Security Program Plan (ISPP) | GSA
DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749
IT Security Procedural Guide: Information Security Program Plan
(ISPP) CIO-IT Security-18-90
Revision 3, June 16, 2020
Office of the Chief Information Security Officer
CIO-IT Security-18-90, Revision 3
Information Security Program Plan
EXECUTIVE SUMMARY
The General Services Administration (GSA) agency-wide Assessment and Authorization (A&A) process is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the A&A process as described in NIST Special Publication (SP) 800-37, Revision 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy."
This Information Security Program Plan (ISPP) was developed to provide stakeholders with detailed information on which controls GSA considers inheritable common controls and which party is responsible for implementing each control. NIST SP 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," describes common controls and the responsibility for them as:
Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components--entities internal or external to the organizations where the systems or components reside.
The organization assigns responsibility for common controls to appropriate organizational officials (i.e., common control providers) and coordinates the development, implementation, assessment, authorization, and monitoring of the controls. The identification of common controls is most effectively accomplished as an organization-wide exercise with the active involvement of chief information officers, senior information security officers, the risk executive (function), authorizing officials, information owners/stewards, information system owners, and information system security officers.
The excerpt below from NIST SP 800-53 defines hybrid controls and provides examples:
Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific. For example, an organization may choose to implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific. Hybrid controls may also serve as predefined templates for further control refinement. Organizations may choose, for example, to implement the Contingency Planning security control (CP-2) as a predefined template for a generalized contingency plan for all organizational information systems with information system owners tailoring the plan, where appropriate, for system-specific uses.
This plan identifies the control implementation status for all GSA-wide common controls and identifies hybrid controls where a GSA organization, platform, or general support system provides part of the control implementation. All privacy controls are included in this plan, whether they are common, hybrid, or system-specific. Where appropriate, the plan references GSA policies and guides that provide further detail on control implementation.
U.S. General Services Administration
VERSION HISTORY/CHANGE RECORD

Initial Version (April 23, 2015)
Change Number: N/A
Person Posting Change: Desai/Davis
Change: New Plan
Reason for Change: Document GSA enterprise-wide common and hybrid controls status and implementation guidance.
Page Number of Change: N/A

Revision 1 (May 2, 2017)
Change Number: 1
Person Posting Change: Klemens/Dean
Change: Revised guide to align with current format and style, edited, and updated guide based on current control processes.
Reason for Change: Update GSA enterprise-wide common and hybrid controls status and implementation guidance.
Page Number of Change: Throughout

Revision 2 (March 14, 2018)
Change Number: 1
Person Posting Change: Feliksa/Klemens
Change: Revised guide to address Executive Order (EO) 13800 and the NIST Cybersecurity Framework. Updated control parameters and implementation details based on changes to GSA processes, procedures, and guides.
Reason for Change: Comply with EO 13800. Update GSA enterprise-wide common and hybrid controls parameters and implementation details based on changes to GSA processes, procedures, and guides.
Page Number of Change: Throughout

Revision 3 (June 16, 2020)
Change Number: 1
Person Posting Change: Dean/Klemens/Normand
Change: Revised to address updates to control parameters and implementation details, and changes to controls designated as common.
Reason for Change: Changes to GSA guidance on control parameters, implementation details, and common control designations.
Page Number of Change: Throughout
Approval
IT Security Procedural Guide: Information Security Program Plan (ISPP), CIO-IT Security-18-90, Revision 3, is hereby approved for distribution.
Bo Berlas, GSA Chief Information Security Officer
Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division (ISP), at ispcompliance@.
Table of Contents

1 Introduction ..... 1
1.1 Purpose ..... 3
1.2 Scope ..... 3
2 References ..... 3
3 Security Controls ..... 5
3.1 Access Control (AC) ..... 6
3.1.1 Access Control Policy and Procedures (AC-1) ..... 6
3.1.2 Account Management | Dynamic Privilege Management (AC-2 (6)) ..... 7
3.1.3 Use of External Information Systems (AC-20) ..... 8
3.1.4 Use of External Information Systems | Limits On Authorized Use (AC-20 (1)) ..... 9
3.1.5 Use of External Information Systems | Portable Storage Devices (AC-20 (2)) ..... 10
3.2 Awareness and Training (AT) ..... 11
3.2.1 Security Awareness and Training Policy and Procedures (AT-1) ..... 11
3.2.2 Security Awareness Training (AT-2) ..... 12
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2)) ..... 13
3.2.4 Role-Based Security Training (AT-3) ..... 13
3.2.5 Security Training Records (AT-4) ..... 14
3.3 Audit and Accountability (AU) ..... 15
3.3.1 Audit and Accountability Policy and Procedures (AU-1) ..... 15
3.3.2 Audit Storage Capacity (AU-4) ..... 16
3.3.3 Audit Review, Analysis, and Reporting (AU-6) ..... 17
3.3.4 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1)) ..... 18
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3)) ..... 19
3.3.6 Audit Review, Analysis, and Reporting | Central Review and Analysis (AU-6 (4)) ..... 19
3.3.7 Audit Reduction and Report Generation (AU-7) ..... 20
3.3.8 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1)) ..... 21
3.3.9 Audit Record Retention (AU-11) ..... 22
3.4 Security Assessment and Authorization (CA) ..... 22
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1) ..... 22
3.4.2 Plan of Action and Milestones (CA-5) ..... 23
3.4.3 Security Authorization (CA-6) ..... 24
3.4.4 Continuous Monitoring (CA-7) ..... 25
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1)) ..... 27
3.5 Configuration Management (CM) ..... 27
3.5.1 Configuration Management Policy and Procedures (CM-1) ..... 27
3.5.2 Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas (CM-2 (7)) ..... 29
3.5.3 Least Functionality | Authorized Software / Whitelisting (CM-7 (5)) ..... 29
3.5.4 Information System Component Inventory | Automated Maintenance (CM-8 (2)) ..... 30
3.5.5 Information System Component Inventory | Automated Unauthorized Component Detection (CM-8 (3)) ..... 31
3.5.6 Information System Component Inventory | No Duplicate Accounting of Components (CM-8 (5)) ..... 32
3.5.7 Information System Component Inventory | Centralized Repository (CM-8 (7)) ..... 33
3.5.8 User-Installed Software (CM-11) ..... 33
3.6 Contingency Planning (CP) ..... 34
3.6.1 Contingency Planning Policy and Procedures (CP-1) ..... 34
3.7 Identification and Authentication (IA) ..... 35
3.7.1 Identification and Authentication Policy and Procedures (IA-1) ..... 35
3.8 Incident Response (IR) ..... 36
3.8.1 Incident Response Policy and Procedures (IR-1) ..... 36
3.8.2 Incident Response Training (IR-2) ..... 37
3.8.3 Incident Response Testing (IR-3) ..... 39
3.8.4 Incident Response Testing | Coordination with Related Plans (IR-3 (2)) ..... 40
3.8.5 Incident Handling (IR-4) ..... 41
3.8.6 Incident Handling | Automated Incident Handling Processes (IR-4 (1)) ..... 42
3.8.7 Incident Monitoring (IR-5) ..... 43
3.8.8 Incident Reporting (IR-6) ..... 44
3.8.9 Incident Reporting | Automated Reporting (IR-6 (1)) ..... 48
3.8.10 Incident Response Assistance (IR-7) ..... 49
3.8.11 Incident Response Assistance | Automation Support for Availability of Information / Support (IR-7 (1)) ..... 50
3.8.12 Incident Response Plan (IR-8) ..... 51
3.9 Maintenance (MA) ..... 52
3.9.1 System Maintenance Policy and Procedures (MA-1) ..... 52
3.10 Media Protection (MP) ..... 53
3.10.1 Media Protection Policy and Procedures (MP-1) ..... 53
3.10.2 Media Use (MP-7) ..... 54
3.11 Physical and Environmental Protection (PE) ..... 55
3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1) ..... 55
3.12 Planning (PL) ..... 56
3.12.1 Security Planning Policy and Procedures (PL-1) ..... 56
3.13 Rules of Behavior (PL-4) ..... 57
3.13.1 Rules of Behavior | Social Media and Networking Restrictions (PL-4 (1)) ..... 58
3.13.2 Information Security Architecture (PL-8) ..... 59
3.14 Program Management (PM) ..... 60
3.14.1 Information Security Program Plan (PM-1) ..... 60
3.14.2 Senior Information Security Officer (PM-2) ..... 62
3.14.3 Information Security Resources (PM-3) ..... 62
3.14.4 Plan of Action and Milestones Process (PM-4) ..... 63
3.14.5 Information System Inventory (PM-5) ..... 64
3.14.6 Information Security Measures of Performance (PM-6) ..... 65
3.14.7 Enterprise Architecture (PM-7) ..... 66
3.14.8 Critical Infrastructure Plan (PM-8) ..... 67
3.14.9 Risk Management Strategy (PM-9) ..... 68
3.14.10 Security Authorization Process (PM-10) ..... 69
3.14.11 Mission/Business Process Definition (PM-11) ..... 70
3.14.12 Insider Threat Program (PM-12) ..... 70
3.14.13 Information Security Workforce (PM-13) ..... 71
3.14.14 Testing, Training, and Monitoring (PM-14) ..... 72
3.14.15 Contacts with Security Groups and Associations (PM-15) ..... 73
3.14.16 Threat Awareness Program (PM-16) ..... 74
3.15 Personnel Security (PS) ..... 75
3.15.1 Personnel Security Policy and Procedures (PS-1) ..... 75
3.15.2 Position Risk Designation (PS-2) ..... 76
3.15.3 Personnel Screening (PS-3) ..... 77
3.15.4 Personnel Termination (PS-4) ..... 78
3.15.5 Personnel Transfer (PS-5) ..... 79
3.15.6 Access Agreements (PS-6) ..... 80
3.15.7 Third-Party Personnel Security (PS-7) ..... 81
3.15.8 Personnel Sanctions (PS-8) ..... 82
3.16 Risk Assessment (RA) ..... 83
3.16.1 Risk Assessment Policy and Procedures (RA-1) ..... 83
3.16.2 Risk Assessment (RA-3) ..... 84
3.16.3 Vulnerability Scanning (RA-5) ..... 85
3.16.4 Vulnerability Scanning | Update Tool Capability (RA-5 (1)) ..... 87
3.16.5 Vulnerability Scanning | Update By Frequency / Prior to New Scan / When Identified (RA-5 (2)) ..... 88
3.16.6 Vulnerability Scanning | Privileged Access (RA-5 (5)) ..... 89
3.17 System and Services Acquisition (SA) ..... 89
3.17.1 System and Services Acquisition Policy and Procedures (SA-1) ..... 89
3.17.2 Acquisition Process (SA-4) ..... 90
3.17.2.1 Security Engineering Principles (SA-8) ..... 91
3.17.3 External Information System Services (SA-9) ..... 92
3.18 System and Communications Protection (SC) ..... 93
3.18.1 System & Communications Protection Policy and Procedures (SC-1) ..... 93
3.18.2 Denial of Service Protection (SC-5) ..... 94
3.18.3 Boundary Protection (SC-7) ..... 95
3.18.4 Boundary Protection | Access Points (SC-7 (3)) ..... 96
3.18.5 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ..... 97
3.18.6 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ..... 97
3.18.7 Boundary Protection | Prevent Split Tunneling for Remote Devices (SC-7 (7)) ..... 98
3.18.8 Boundary Protection | Prevent Unauthorized Exfiltration (SC-7 (10)) ..... 99
3.18.9 Mobile Code (SC-18) ..... 99
3.19 System and Information Integrity (SI) ..... 100
3.19.1 System & Information Integrity Policy & Procedures (SI-1) ..... 100
3.19.2 Flaw Remediation (SI-2) ..... 101
3.19.3 Flaw Remediation | Automated Flaw Remediation Status (SI-2 (2)) ..... 103
3.19.4 Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions (SI-2 (3)) ..... 103
3.19.5 Malicious Code Protection (SI-3) ..... 104
3.19.6 Malicious Code Protection | Central Management (SI-3 (1)) ..... 105
3.19.7 Malicious Code Protection | Automatic Updates (SI-3 (2)) ..... 106
3.19.8 Malicious Code Protection | Nonsignature-Based Detection (SI-3 (7)) ..... 107
3.19.9 Information System Monitoring (SI-4) ..... 107
3.19.10 Information System Monitoring | Automated Tools for Real-Time Analysis (SI-4 (2)) ..... 109
3.19.11 Information System Monitoring | Inbound and Outbound Communications Traffic (SI-4 (4)) ..... 110
3.19.12 Information System Monitoring | System-Generated Alerts (SI-4 (5)) ..... 110
3.19.13 Information System Monitoring | Analyze Traffic / Covert Exfiltration (SI-4 (18)) ..... 111
3.19.14 Information System Monitoring | Host-Based Devices (SI-4 (23)) ..... 112
3.19.15 Security Alerts, Advisories, and Directives (SI-5) ..... 113
3.19.16 Software, Firmware, and Information Integrity (SI-7) ..... 114
3.19.17 Software, Firmware, and Information Integrity | Integrity (SI-7 (1)) ..... 114
3.19.18 Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7 (7)) ..... 115
3.19.19 Memory Protection (SI-16) ..... 116
4 Privacy Controls ..... 116
4.1 Authority and Purpose (AP) ..... 116
4.1.1 Authority to Collect (AP-1) ..... 116
4.1.2 Purpose Specification (AP-2) ..... 117
4.2 Accountability, Audit, and Risk Management (AR) ..... 118
4.2.1 Governance and Privacy Program (AR-1) ..... 118
4.2.2 Privacy Impact and Risk Assessment (AR-2) ..... 119
4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3) ..... 120
4.2.4 Privacy Monitoring and Auditing (AR-4) ..... 121
4.2.5 Privacy Awareness and Training (AR-5) ..... 122
4.2.6 Privacy Reporting (AR-6) ..... 123
4.2.7 Privacy Enhanced System Design and Development (AR-7) ..... 124
4.2.8 Accounting of Disclosures (AR-8) ..... 124
4.3 Data Quality and Integrity (DI) ..... 125
4.3.1 Data Quality (DI-1) ..... 125
4.3.2 Data Quality | Validate PII (DI-1 (1)) ..... 126
4.3.3 Data Quality | Re-Validate PII (DI-1 (2)) ..... 127
4.3.4 Data Integrity and Data Integrity Board (DI-2) ..... 128
4.3.5 Data Integrity and Data Integrity Board | Publish Agreements on Website (DI-2 (1)) ..... 129
4.4 Data Minimization and Retention (DM) ..... 130
4.4.1 Minimization of Personally Identifiable Information (DM-1) ..... 130
4.4.2 Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII (DM-1 (1)) ..... 131
4.4.3 Data Retention and Disposal (DM-2) ..... 131
4.4.4 Data Retention and Disposal | System Configuration (DM-2 (1)) ..... 132
4.4.5 Minimization of PII Used in Testing, Training, and Research (DM-3) ..... 133
4.4.6 Minimization of PII Used in Testing, Training, and Research | Risk Minimization Techniques (DM-3 (1)) ..... 134
4.5 Individual Participation and Redress (IP) ..... 135
4.5.1 Consent (IP-1) ..... 135
4.5.2 Consent | Mechanisms Supporting Itemized or Tiered Consent (IP-1 (1)) ..... 136
4.5.3 Individual Access (IP-2) ..... 136
4.5.4 Redress (IP-3) ..... 137
4.5.5 Complaint Management (IP-4) ..... 138
4.5.6 Complaint Management | Response Times (IP-4 (1)) ..... 139
4.6 Security (SE) ..... 140
4.6.1 Inventory of Personally Identifiable Information (SE-1) ..... 140
4.6.2 Privacy Incident Response (SE-2) ..... 141
4.7 Transparency (TR) ..... 141
4.7.1 Privacy Notice (TR-1) ..... 141
4.7.2 Privacy Notice | Real-Time or Layered Notice (TR-1 (1)) ..... 143
4.7.3 System of Records Notices and Privacy Act Statements (TR-2) ..... 143
4.7.4 System of Records Notices and Privacy Act Statements | Public Website Publication (TR-2 (1)) ..... 144
4.7.5 Dissemination of Privacy Program Information (TR-3) ..... 145
4.8 Use Limitation (UL) ..... 146
4.8.1 Internal Use (UL-1) ..... 146
4.8.2 Information Sharing with Third Parties (UL-2) ..... 146
Appendix A: Acronyms ..... 148
Appendix B: Program Level POA&M ..... 150

Table 1-1: CSF Functions and Categories/Unique Identifiers ..... 1
Table 3-1: Definitions of Key Terms ..... 5