Information Security Program Plan (ISPP) | GSA

DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749

IT Security Procedural Guide: Information Security Program Plan

(ISPP) CIO-IT Security-18-90

Revision 3 June 16, 2020

Office of the Chief Information Security Officer


CIO-IT Security-18-90, Revision 3

Information Security Program Plan

EXECUTIVE SUMMARY

The General Services Administration (GSA) agency-wide Assessment and Authorization (A&A) process is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the A&A process as described in NIST Special Publication (SP) 800-37, Revision 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy."

This Information Security Program Plan (ISPP) was developed to provide stakeholders with detailed information on which controls GSA considers inheritable common controls and which party is responsible for implementing each control. NIST SP 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," describes common controls and the responsibility for them as:

Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components--entities internal or external to the organizations where the systems or components reside.

The organization assigns responsibility for common controls to appropriate organizational officials (i.e., common control providers) and coordinates the development, implementation, assessment, authorization, and monitoring of the controls. The identification of common controls is most effectively accomplished as an organization-wide exercise with the active involvement of chief information officers, senior information security officers, the risk executive (function), authorizing officials, information owners/stewards, information system owners, and information system security officers.

The excerpt below from NIST SP 800-53 defines hybrid controls and provides examples:

Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific. For example, an organization may choose to implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific. Hybrid controls may also serve as predefined templates for further control refinement. Organizations may choose, for example, to implement the Contingency Planning security control (CP-2) as a predefined template for a generalized contingency plan for all organizational information systems with information system owners tailoring the plan, where appropriate, for system-specific uses.

This plan identifies the control implementation status for all GSA-wide common controls and identifies hybrid controls where a GSA organization, platform, or general support system provides part of the control implementation. All privacy controls are included in this plan whether they are common, hybrid, or system-specific. Where appropriate, the plan references GSA policies and guides that provide further detail on control implementation.

U.S. General Services Administration


VERSION HISTORY/CHANGE RECORD

Columns: Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change

Initial Version - April 23, 2015
  Change Number: N/A
  Person Posting Change: Desai/Davis
  Change: New Plan
  Reason for Change: Document GSA enterprise-wide common and hybrid controls status and implementation guidance.
  Page Number of Change: N/A

Revision 1 - May 2, 2017
  Change Number: 1
  Person Posting Change: Klemens/Dean
  Change: Revised guide to align with current format and style, edited, and updated guide based on current control processes.
  Reason for Change: Update GSA enterprise-wide common and hybrid controls status and implementation guidance.
  Page Number of Change: Throughout

Revision 2 - March 14, 2018
  Change Number: 1
  Person Posting Change: Feliksa/Klemens
  Change: Revised guide to address Executive Order (EO) 13800 and the NIST Cybersecurity Framework. Updated control parameters and implementation details based on changes to GSA processes, procedures, and guides.
  Reason for Change: Comply with EO 13800. Update GSA enterprise-wide common and hybrid controls parameters and implementation details based on changes to GSA processes, procedures, and guides.
  Page Number of Change: Throughout

Revision 3 - June 16, 2020
  Change Number: 1
  Person Posting Change: Dean/Klemens/Normand
  Change: Revised to address: updates to control parameters and implementation details; changes to controls designated as common.
  Reason for Change: Changes to GSA guidance on control parameters, implementation details, and Common Control designations.
  Page Number of Change: Throughout


Approval

IT Security Procedural Guide: Information Security Program Plan (ISPP), CIO-IT Security-18-90, Revision 3, is hereby approved for distribution.


Bo Berlas GSA Chief Information Security Officer

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division (ISP), at ispcompliance@.


Table of Contents

1 Introduction ... 1
1.1 Purpose ... 3
1.2 Scope ... 3
2 References ... 3
3 Security Controls ... 5
3.1 Access Control (AC) ... 6
3.1.1 Access Control Policy and Procedures (AC-1) ... 6
3.1.2 Account Management | Dynamic Privilege Management (AC-2 (6)) ... 7
3.1.3 Use of External Information Systems (AC-20) ... 8
3.1.4 Use of External Information Systems | Limits On Authorized Use (AC-20 (1)) ... 9
3.1.5 Use of External Information Systems | Portable Storage Devices (AC-20 (2)) ... 10
3.2 Awareness and Training (AT) ... 11
3.2.1 Security Awareness and Training Policy and Procedures (AT-1) ... 11
3.2.2 Security Awareness Training (AT-2) ... 12
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2)) ... 13
3.2.4 Role-Based Security Training (AT-3) ... 13
3.2.5 Security Training Records (AT-4) ... 14
3.3 Audit and Accountability (AU) ... 15
3.3.1 Audit and Accountability Policy and Procedures (AU-1) ... 15
3.3.2 Audit Storage Capacity (AU-4) ... 16
3.3.3 Audit Review, Analysis, and Reporting (AU-6) ... 17
3.3.4 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1)) ... 18
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3)) ... 19
3.3.6 Audit Review, Analysis, and Reporting | Central Review and Analysis (AU-6 (4)) ... 19
3.3.7 Audit Reduction and Report Generation (AU-7) ... 20
3.3.8 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1)) ... 21
3.3.9 Audit Record Retention (AU-11) ... 22
3.4 Security Assessment and Authorization (CA) ... 22
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1) ... 22
3.4.2 Plan of Action and Milestones (CA-5) ... 23
3.4.3 Security Authorization (CA-6) ... 24
3.4.4 Continuous Monitoring (CA-7) ... 25
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1)) ... 27
3.5 Configuration Management (CM) ... 27
3.5.1 Configuration Management Policy and Procedures (CM-1) ... 27
3.5.2 Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas (CM-2 (7)) ... 29
3.5.3 Least Functionality | Authorized Software / Whitelisting (CM-7 (5)) ... 29
3.5.4 Information System Component Inventory | Automated Maintenance (CM-8 (2)) ... 30
3.5.5 Information System Component Inventory | Automated Unauthorized Component Detection (CM-8 (3)) ... 31
3.5.6 Information System Component Inventory | No Duplicate Accounting of Components (CM-8 (5)) ... 32
3.5.7 Information System Component Inventory | Centralized Repository (CM-8 (7)) ... 33
3.5.8 User-Installed Software (CM-11) ... 33
3.6 Contingency Planning (CP) ... 34
3.6.1 Contingency Planning Policy and Procedures (CP-1) ... 34
3.7 Identification and Authentication (IA) ... 35
3.7.1 Identification and Authentication Policy and Procedures (IA-1) ... 35
3.8 Incident Response (IR) ... 36
3.8.1 Incident Response Policy and Procedures (IR-1) ... 36


3.8.2 Incident Response Training (IR-2) ... 37
3.8.3 Incident Response Testing (IR-3) ... 39
3.8.4 Incident Response Testing | Coordination with Related Plans (IR-3 (2)) ... 40
3.8.5 Incident Handling (IR-4) ... 41
3.8.6 Incident Handling | Automated Incident Handling Processes (IR-4 (1)) ... 42
3.8.7 Incident Monitoring (IR-5) ... 43
3.8.8 Incident Reporting (IR-6) ... 44
3.8.9 Incident Reporting | Automated Reporting (IR-6 (1)) ... 48
3.8.10 Incident Response Assistance (IR-7) ... 49
3.8.11 Incident Response Assistance | Automation Support for Availability of Information / Support (IR-7 (1)) ... 50
3.8.12 Incident Response Plan (IR-8) ... 51

3.9 Maintenance (MA) ... 52
3.9.1 System Maintenance Policy and Procedures (MA-1) ... 52
3.10 Media Protection (MP) ... 53
3.10.1 Media Protection Policy and Procedures (MP-1) ... 53
3.10.2 Media Use (MP-7) ... 54
3.11 Physical and Environmental Protection (PE) ... 55
3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1) ... 55
3.12 Planning (PL) ... 56
3.12.1 Security Planning Policy and Procedures (PL-1) ... 56
3.13 Rules of Behavior (PL-4) ... 57
3.13.1 Rules of Behavior | Social Media and Networking Restrictions (PL-4 (1)) ... 58
3.13.2 Information Security Architecture (PL-8) ... 59
3.14 Program Management (PM) ... 60
3.14.1 Information Security Program Plan (PM-1) ... 60
3.14.2 Senior Information Security Officer (PM-2) ... 62
3.14.3 Information Security Resources (PM-3) ... 62
3.14.4 Plan of Action and Milestones Process (PM-4) ... 63
3.14.5 Information System Inventory (PM-5) ... 64
3.14.6 Information Security Measures of Performance (PM-6) ... 65
3.14.7 Enterprise Architecture (PM-7) ... 66
3.14.8 Critical Infrastructure Plan (PM-8) ... 67
3.14.9 Risk Management Strategy (PM-9) ... 68
3.14.10 Security Authorization Process (PM-10) ... 69
3.14.11 Mission/Business Process Definition (PM-11) ... 70
3.14.12 Insider Threat Program (PM-12) ... 70
3.14.13 Information Security Workforce (PM-13) ... 71
3.14.14 Testing, Training, and Monitoring (PM-14) ... 72
3.14.15 Contacts with Security Groups and Associations (PM-15) ... 73
3.14.16 Threat Awareness Program (PM-16) ... 74
3.15 Personnel Security (PS) ... 75
3.15.1 Personnel Security Policy and Procedures (PS-1) ... 75
3.15.2 Position Risk Designation (PS-2) ... 76
3.15.3 Personnel Screening (PS-3) ... 77
3.15.4 Personnel Termination (PS-4) ... 78
3.15.5 Personnel Transfer (PS-5) ... 79
3.15.6 Access Agreements (PS-6) ... 80
3.15.7 Third-Party Personnel Security (PS-7) ... 81
3.15.8 Personnel Sanctions (PS-8) ... 82
3.16 Risk Assessment (RA) ... 83
3.16.1 Risk Assessment Policy and Procedures (RA-1) ... 83
3.16.2 Risk Assessment (RA-3) ... 84
3.16.3 Vulnerability Scanning (RA-5) ... 85
3.16.4 Vulnerability Scanning | Update Tool Capability (RA-5 (1)) ... 87


3.16.5 Vulnerability Scanning | Update By Frequency / Prior to New Scan / When Identified (RA-5 (2)) ... 88
3.16.6 Vulnerability Scanning | Privileged Access (RA-5 (5)) ... 89
3.17 System and Services Acquisition (SA) ... 89
3.17.1 System and Services Acquisition Policy and Procedures (SA-1) ... 89
3.17.2 Acquisition Process (SA-4) ... 90
3.17.2.1 Security Engineering Principles (SA-8) ... 91
3.17.3 External Information System Services (SA-9) ... 92
3.18 System and Communications Protection (SC) ... 93
3.18.1 System & Communications Protection Policy and Procedures (SC-1) ... 93
3.18.2 Denial of Service Protection (SC-5) ... 94
3.18.3 Boundary Protection (SC-7) ... 95
3.18.4 Boundary Protection | Access Points (SC-7 (3)) ... 96
3.18.5 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ... 97
3.18.6 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ... 97
3.18.7 Boundary Protection | Prevent Split Tunneling for Remote Devices (SC-7 (7)) ... 98
3.18.8 Boundary Protection | Prevent Unauthorized Exfiltration (SC-7 (10)) ... 99
3.18.9 Mobile Code (SC-18) ... 99
3.19 System and Information Integrity (SI) ... 100
3.19.1 System & Information Integrity Policy & Procedures (SI-1) ... 100
3.19.2 Flaw Remediation (SI-2) ... 101
3.19.3 Flaw Remediation | Automated Flaw Remediation Status (SI-2 (2)) ... 103
3.19.4 Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions (SI-2 (3)) ... 103
3.19.5 Malicious Code Protection (SI-3) ... 104
3.19.6 Malicious Code Protection | Central Management (SI-3 (1)) ... 105
3.19.7 Malicious Code Protection | Automatic Updates (SI-3 (2)) ... 106
3.19.8 Malicious Code Protection | Nonsignature-Based Detection (SI-3 (7)) ... 107
3.19.9 Information System Monitoring (SI-4) ... 107
3.19.10 Information System Monitoring | Automated Tools for Real-Time Analysis (SI-4 (2)) ... 109
3.19.11 Information System Monitoring | Inbound and Outbound Communications Traffic (SI-4 (4)) ... 110
3.19.12 Information System Monitoring | System-Generated Alerts (SI-4 (5)) ... 110
3.19.13 Information System Monitoring | Analyze Traffic / Covert Exfiltration (SI-4 (18)) ... 111
3.19.14 Information System Monitoring | Host-Based Devices (SI-4 (23)) ... 112
3.19.15 Security Alerts, Advisories, and Directives (SI-5) ... 113
3.19.16 Software, Firmware, and Information Integrity (SI-7) ... 114
3.19.17 Software, Firmware, and Information Integrity | Integrity (SI-7 (1)) ... 114
3.19.18 Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7 (7)) ... 115
3.19.19 Memory Protection (SI-16) ... 116
4 Privacy Controls ... 116
4.1 Authority and Purpose (AP) ... 116
4.1.1 Authority to Collect (AP-1) ... 116
4.1.2 Purpose Specification (AP-2) ... 117
4.2 Accountability, Audit, and Risk Management (AR) ... 118
4.2.1 Governance and Privacy Program (AR-1) ... 118
4.2.2 Privacy Impact and Risk Assessment (AR-2) ... 119
4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3) ... 120
4.2.4 Privacy Monitoring and Auditing (AR-4) ... 121
4.2.5 Privacy Awareness and Training (AR-5) ... 122
4.2.6 Privacy Reporting (AR-6) ... 123
4.2.7 Privacy Enhanced System Design and Development (AR-7) ... 124
4.2.8 Accounting of Disclosures (AR-8) ... 124
4.3 Data Quality and Integrity (DI) ... 125
4.3.1 Data Quality (DI-1) ... 125
4.3.2 Data Quality | Validate PII (DI-1 (1)) ... 126


4.3.3 Data Quality | Re-Validate PII (DI-1 (2)) ... 127
4.3.4 Data Integrity and Data Integrity Board (DI-2) ... 128
4.3.5 Data Integrity and Data Integrity Board | Publish Agreements on Website (DI-2 (1)) ... 129
4.4 Data Minimization and Retention (DM) ... 130
4.4.1 Minimization of Personally Identifiable Information (DM-1) ... 130
4.4.2 Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII (DM-1 (1)) ... 131
4.4.3 Data Retention and Disposal (DM-2) ... 131
4.4.4 Data Retention and Disposal | System Configuration (DM-2 (1)) ... 132
4.4.5 Minimization of PII Used in Testing, Training, and Research (DM-3) ... 133
4.4.6 Minimization of PII Used in Testing, Training, and Research | Risk Minimization Techniques (DM-3 (1)) ... 134
4.5 Individual Participation and Redress (IP) ... 135
4.5.1 Consent (IP-1) ... 135
4.5.2 Consent | Mechanisms Supporting Itemized or Tiered Consent (IP-1 (1)) ... 136
4.5.3 Individual Access (IP-2) ... 136
4.5.4 Redress (IP-3) ... 137
4.5.5 Complaint Management (IP-4) ... 138
4.5.6 Complaint Management | Response Times (IP-4 (1)) ... 139
4.6 Security (SE) ... 140
4.6.1 Inventory of Personally Identifiable Information (SE-1) ... 140
4.6.2 Privacy Incident Response (SE-2) ... 141
4.7 Transparency (TR) ... 141
4.7.1 Privacy Notice (TR-1) ... 141
4.7.2 Privacy Notice | Real-Time or Layered Notice (TR-1 (1)) ... 143
4.7.3 System of Records Notices and Privacy Act Statements (TR-2) ... 143
4.7.4 System of Records Notices and Privacy Act Statements | Public Website Publication (TR-2 (1)) ... 144
4.7.5 Dissemination of Privacy Program Information (TR-3) ... 145
4.8 Use Limitation (UL) ... 146
4.8.1 Internal Use (UL-1) ... 146
4.8.2 Information Sharing with Third Parties (UL-2) ... 146
Appendix A: Acronyms ... 148
Appendix B: Program Level POA&M ... 150

Table 1-1: CSF Functions and Categories/Unique Identifiers ... 1
Table 3-1: Definitions of Key Terms ... 5
