5 FAH-11 H-000
CYBERSECURITY Handbook
5 FAH-11 H-010
introduction
(CT:IAH-23; 06-26-2023)
(Office of Origin: IRM/E-CISO)
5 FAH-11 H-011 purpose
(CT:IAH-23; 06-26-2023)
a. The Bureau of Information Resource Management, Office of Cyber Operations (IRM/CO), establishes procedures to manage the security of the Department’s information and information systems efficiently and effectively.
b. This handbook supplements the policy established in 5 FAM 1060, Cybersecurity Management. It complies with the Federal Information Security Management Act of 2014 (FISMA) (Title III of Public Law 107-347) requirements for the chief information officer (CIO) and agency program officials, and establishes cyber-security roles and responsibilities to manage the security of the Department’s information and information systems.
c. Direct questions and suggestions regarding security of the Department’s information and information systems found in this handbook to IRM/E-CISO.
5 FAH-11 H-012 Scope and applicability
(CT:IAH-1; 02-15-2007)
a. These procedures apply to all Department entities with information systems.
b. This handbook also includes procedures for other entities (e.g., contractors, other agencies, and organizations) that exchange or process Department information on their systems through interconnections with the Department, or alternatively, are linked to the Department via extensions of the Department networks.
c. The procedures in this handbook are not applicable to sensitive compartmented information (SCI) systems.
5 FAH-11 H-013 handbook contents
(CT:IAH-23; 06-26-2023)
a. This handbook is composed of nine chapters that cover the following:
(1) 5 FAH-11 H-000 elaborates on the policy requirements established in 5 FAM 1060 and supports the CIO’s and agency program officials’ requirements under FISMA. It also establishes cybersecurity roles and responsibilities to manage the security of the Department’s information and information systems;
(2) 5 FAH-11 H-100 provides duties and implementing procedures for the Department’s information systems security officer (ISSO) program;
(3) 5 FAH-11 H-200 demonstrates how to perform an information security audit to accomplish a system’s certification;
(4) 5 FAH-11 H-400 establishes a comprehensive approach to non-Department systems authorization;
(5) 5 FAH-11 H-500 provides implementing procedures for establishing performance measures for cybersecurity. It explains how system owners and managers must work together to ensure that performance metrics are applied for Department information technology (IT) personnel who are assisting in developing, implementing, and managing an IT security program (see 5 FAM 130);
(6) 5 FAH-11 H-800 provides procedures for planning, establishing, maintaining, and terminating interconnections between information technology systems of non-Department entities and the Department of State, as well as guidance for extensions of the Department’s OpenNet and ClassNet networks.
b. All Department personnel must comply with the requirements in the chapters listed in paragraph a of this section.
5 fah-11 h-014 Definitions and terms used in this handbook and in 5 fam 1060
(CT:IAH-23; 06-26-2023)
These are the definitions and terms that relate to cybersecurity as found in the 5 FAM 1060 and this Handbook.
Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation) or agency assets, based on the implementation of an agreed upon set of security controls.
Certification: (See 5 FAM 814.)
Chief information officer (CIO): (See 5 FAM 820.)
Enterprise - Chief Information Security Officer (E-CISO): (See 5 FAM 820.)
Confidentiality: The assurance that information in an IT system is not disclosed to unauthorized persons, processes, or devices.
Configuration management: (See 5 FAM 613.)
Contingency planning: Security controls dealing with emergency response, backup operations, and post-disaster recovery for an IT system to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.
Defense in depth: A practical strategy for achieving cybersecurity by applying security measures to all components of the system, creating a security architecture that calls for the network to be aware and self-protective. It is a “best practices” strategy that relies on the intelligent application of techniques and technologies. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations.
Authorization official (AO): (See 5 FAM 814.)
Evaluation assurance level (EAL): An assurance requirement as defined by Common Criteria, an international standard in effect since 1999, to replace the ratings (e.g., "C2") found in the Orange Book that were set by the National Computer Security Center (NCSC). The increasing assurance levels (i.e., EAL1 through EAL7) define increasing assurance requirements in computer systems. These levels are:
EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodically Tested and Checked
EAL4: Methodically Designed, Tested and Reviewed
EAL5: Semiformally Designed and Tested
EAL6: Semiformally Verified Design and Tested
EAL7: Formally Verified Design and Tested
Enterprise architecture: (See 5 FAM 674.)
Federal Information System: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (See 40 U.S.C. 11331.)
General Support System: An interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people, and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Users may be from the same or different organizations.
Information security: Operations to protect and defend information and IT systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of IT systems by incorporating protection, detection, and reaction capabilities.
Information system: The set of agency information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. Categories of IT systems are major applications and general support systems.
Information system security officer (ISSO): (See 5 FAM 820.)
Information Technology: (See 5 FAM 913.)
Information Type: A specific category of information (e.g., medical, proprietary, financial, investigative, contractor-sensitive, security management), defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
Integrity assurance: Information in an IT system is protected from unauthorized, unanticipated, or unintentional modification or destruction. Integrity assurance also addresses the quality of an IT system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data.
Major application: An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A breach in a major application might compromise many individual application programs and hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
Management controls: The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk for the system. Management controls include risk management, review of security controls, system lifecycle controls, processing authorization controls, system security plan controls, and privacy controls.
Minor application: An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.
Operational controls: The controls that address security mechanisms implemented and executed primarily by people (as opposed to systems).
Penetration testing: Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers.
Plan of action and milestones (POA&M): A management tool for identifying corrective action that needs to be taken to mitigate vulnerability. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Potential impact level: Federal Information Processing Standards (FIPS) Publication 199 defines three levels of potential impact—low, moderate, and high—on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.
Remediation: The act or process of remedying system or cybersecurity deficiencies, vulnerabilities, or weaknesses discovered and documented in due course of operational checks, controls, evaluations, or audits.
Risk: The net mission impact considering: (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular IT system vulnerability and (2) the resulting impact if this should occur. IT system-related risks arise from legal liability or mission loss due to:
(1) Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
(2) Unintentional errors and omissions;
(3) IT disruptions due to natural or man-made disasters; and
(4) Failure to exercise due care and diligence in the implementation and operation of the IT system.
Risk assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. This is part of risk management and synonymous with risk analysis.
Risk management: (See 5 FAM 613.)
Security categories: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
5 fah-11 h-015 through H-019 Unassigned