5 FAH-11 H-400
SYSTEM AUTHORIZATION OF NON-DEPARTMENT SYSTEMS

5 FAH-11 H-410

GENERAL

(CT:IAH-11;†† 08-10-2017)
(Office of Origin:† IRM/IA)

5 FAH-11 H-411 †INTRODUCTION

5 FAH-11 H-411.1 †Purpose

(CT:IAH-9;†† 04-06-2017)

a. This subchapter establishes procedures to implement system authorization of non-Department entity systems that process information on behalf of the Department as set forth in is 5 FAM 1066.1-1(F).† These systems either connect to Department information systems, or process/store Department information without establishing a connection.

†††† NOTE:† Non-Department entity refers to U.S. Government civilian and military personnel, consultants, contractors, foreign, state, local governments or organizations, and other individuals that require access to Department information systems.† This includes entities that provide information technology (IT) services and related computer industry support that contribute to the efficient functioning of the Department.

b. This subchapter will assist sponsoring bureaus to implement processes that protect Department information and information systems from operational, strategic, and legal risks that a non-Departmental system may present.

c.† The Non-Department System Authorization Process is designed to certify that a non-Departmental system meets documented security requirements, and will continue to maintain the accredited security posture throughout the authorized system's life cycle.

5 FAH-11 H-411.2 †Objective

(CT:IAH-5;†† 06-25-2007)

a. The Federal Information Security Management Act of 2002 (FISMA) requires that all systems that process or store Department information must be certified and accredited.

b. Implementation of this subchapter will help to enable secure information exchange, collaboration, and interoperability among Department bureaus and other federal, state, and local agencies.

c.† The Office of Information Assurance (IRM/IA) is the responsible office for the contents of this chapter.† Send questions or comments to the IRM/IA e‑mail address, informationassurance@state.gov.

5 FAH-11 H-411.3 †Scope

(CT: IAH-9;†† 04-06-2017)

a. This subchapter outlines the procedures that must be met to achieve non-Department system authorization.† Types of connectivity to Department information systems are identified in 5 FAH-11 H-800, Connections to Non-Department Entities.

b. Bureaus that sponsor non-Department system authorization must use the process established in this subchapter to meet the Authorizing Official's (AO) (formerly known as the Designated Approval Authority (DAA)) authorization requirements whether or not connectivity is achieved.

c.† These procedures exclude authorization of Sensitive Compartmented Information (SCI) systems.† Systems that process or store national security level information are processed for authorization in accordance with applicable Federal and Department requirements for authorization of classified and SCI systems (see 12 FAM 630, 12 FAH-6, and NISPOM-Chapter 8, DD-254, and DOSAR).† The Bureau of Diplomatic Security (DS) is the Security Assessor, and the Bureau of Intelligence and Research (INR) is the AO for SCI systems at the Department (see 1 FAM 271.1, subparagraph (4).)

d. This subchapter does not apply to non-Department systems used with the Department's telework solution.† (See 12 FAM 091 for definition of automated information system.)

5 FAH-11 H-411.4 †Oversight Of Non-Department System

(CT:IAH-9;†† 04-06-2017)

a. The Department, as required by FISMA, must ensure that non-Department entities develop, implement, and maintain a baseline of minimum security controls to protect Department information and information systems.† The policy requirements for non-Department systems are set forth in 5 FAM 1066.1-1(F).

b. In 2005, the Department developed, documented in its Information Security Program Plan (ISPP) (under Management Plan), and implemented an ongoing Department-wide information security program to protect its information and information systems.† This program details the oversight management which extends to those non-Department systems delivering IT systems and services to or on behalf of the Department.

5 FAH-11 H-411.5 †Key Personnel

(CT:IAH-9;†† 04-06-2017)

a. Key personnel, identified to perform certification and accreditation (C&A) of a non-Department system, must not be involved with its development, implementation, or operation (see 5 FAM 1066.1-1(D)), or be under the sponsoring bureau's direct management authority.

b. Members of the authorization team must consist of a combination of key staff members assigned to participate in C&A of a system when operating under Department authority.† Authorization team members must have the appropriate level of experience and credentials for the positions assigned.† They must also be able to fulfill the responsibilities of the following roles:

(1)† Sponsoring bureau representative;

(2)† System manager and/or vendor representative;

(3)† Certification team lead (must be independent for moderate or high impact systems);

(4)† Certification analyst(s) for operating system and database;

(5)† Risk management team lead;

(6)† Risk analyst;

(7)† User representative (where needed); and

(8)† Other key participants having an interest in the C&A outcome.

c.† Non-Department entities must furnish their results for any non-Department system independent C&A to the sponsoring bureau representative and to IRM/IA for compliance evaluation with the requirements of this subchapter.

d. Key staff members working to certify and accredit a system must:

(1)† Coordinate user participation, when necessary;

(2)† Participate in reviews and interviews; and

(3)† Provide review and input for the teamís deliverables.

e. Authorization team members may perform multiple roles or several members may work together to fulfill one role since duties may vary based on the nature of the accreditation task.

5 FAH-11 H-412 †ROLES AND RESPONSIBILITIES FOR NON-DEPARTMENT SYSTEMS AUTHORIZATION

5 FAH-11 H-412.1 †Authorizing Official (AO)

(CT:IAH-11;†† 08-10-2017)

a. The Chief Information Officer (CIO) is the authorizing official (AO) for systems at the Department that are designated unclassified up through collateral Top Secret (TS).† The AO's approval requirements must be stated in the formal agreement established by contractual arrangement between the sponsoring bureau and the non-Department entity.† The CIO makes the decision to authorize or deny authorization of a non-Department system.† (See 1 FAM 271.1, subparagraph (4).)

b. The Bureau of Diplomatic Security (DS) is the security assessor and the Bureau of Intelligence and Research (INR) is the AO for State systems that fall under the requirements of the Intelligence Community Directive 503 for Protecting Sensitive Compartmented Information (SCI) within information systems.

c.† The CIO also works with program officials, budget officers, inspectors general, and other appropriate agency officials, to develop a Plan of Actions and Milestones (POA&M) report to the Office of Management and Budget (OMB) for each non-Department system for which a weakness is identified during annual FISMA reports.† The IRM/IA Web site contains requirements and instructions for completing the POA&M.

5 FAH-11 H-412.2 †Chief Information Security Officer (CISO)

(CT:IAH-8;†† 12-22-2016)

a. The Chief Information Security Officer (CISO) heads IRM/IA and oversees and manages compliance with the requirements imposed on the sponsoring bureau during authorization of a non-Department system under the CIOís direction.† (See 44 U.S.C. 3554.)

b. The CISO defines and oversees the process and requirements for meeting a non-Department system authorization.

†††† NOTE:† The independent certification authority performing certification of a system must show that the level of information security is appropriate to protect the integrity, confidentiality, and availability of Department information and information systems.

5 FAH-11 H-412.3 †IRM/IA

(CT:IAH-11;†† 08-10-2017)

IRM/IA evaluates a percentage of the completed system authorization packages annually to ensure compliance with Department assessment and authorization (A&A) processes and standards.

NOTE:† Requirements for independent authorization are in 5 FAM 1066.

5 FAH-11 H-412.4 †Sponsoring Bureau

(CT:IAH-11;†† 08-10-2017)

a. The bureau sponsoring authorization of a system is responsible for the secure operation of Department information systems accessed by a non-Department system.† The sponsoring bureau must ensure that controls are in place to protect Department information that is processed or stored at a non-Department entity's facility.

b. The sponsoring bureau must ensure that the supporting documentation required for AO authorization of a non-Department system is generated.

†††† NOTE:† Refer to the documentation requirements in 5 FAH-11 H-820 for establishing and governing connections with non-Department entities in instances where connectivity is an issue.

c.† The sponsoring bureau must send a memo to the CISO explaining the basic functions and purpose of the system and indicating that the system is entering into the non-Department system authorization process.† Once a system is entered into the non-Department system authorization process, the sponsoring bureau must:

(1)† Exercise program control over Department information systems under their management authority that will exchange information with a non-Department entity that is allowed access to process or store information on behalf of the Department;

(2)† Represent the non-Department systemís interest to the Department throughout its lifecycle;

(3)† Ensure that the non-Department entity establishes and documents the unclassified and classified baseline security control configuration for the information system seeking AO authorization (see Department of State Security Control Baseline Process and Security Control Catalog For Unclassified Systems, and 12 FAM 630).† The identified security controls must be documented in the systemís System Security Plan (SSP) and Contingency Plan (CP) as generated by the non-Department entity;

(4)† Register the system in the Information Management, Analytics, and Technology Resource for Information Exchange (iMATRIX), and ensure the systemís security categorization process is completed in accordance with Department requirements.† (See the iMATRIX website for more information on registering IT assets in iMatrix);

(5)† Ensure that the non-Department entity completes the security categorization for unclassified systems in accordance with the latest FIPS Publication 199 requirements;

(6)† Determine the sensitivity level of Department information processed or stored in the system, and define the functions users are permitted to perform when accessing the system;

(7)† Ensure that the non-Department entity implements system baseline security controls that meet federal mandates to protect information commensurate with its sensitivity level and classification and assure the controls are in compliance with Department policy and guidelines for security control selection:

(a)† Unclassified Systems:† The categorization of information must determine the impact level (see FIPS Publication 199 and NIST Special Publication (SP) 800-60) of the processing system, and, as categorized, minimum baseline controls must be implemented in accordance with the Security Control Baseline Process and Security Control Catalog for Unclassified Systems; and

(b)† Classified Systems:† The classification of the information (Confidential, Secret, Top Secret), combined with availability and integrity impact, must

††††† (i)†††† Determine the baseline controls from the National Industrial Security Program Operating Manual (NISPOM) Chapter 8, DD-254, Department of State Acquisition Regulations (DOSAR), and Department specific controls identified for systems processing or storing classified information on behalf of the Department; and

††††† (ii)††† Supplement the security control baseline in accordance with Department policy (see 12 FAM 630 and 12 FAH-6);

(8)† Identify key stakeholders that will participate as members of the independent accreditation team.† This includes identifying the user representative for the system, and sponsoring bureau participants appointed as facilitators to handle key functions that support A&A of the system;

(9)† Identify, assess, prioritize, and monitor the progress of corrective efforts (remediation) of security weaknesses (vulnerabilities) found in the system under the sponsoring bureauís management authority; and

(10) Work with the CIO to report to OMB the status of implementation of planned security controls and/or remediation of identified deficiencies of the system security controls listed in the systemís POA&M report.† The quarterly submissions of POA&M reports to OMB should include, but not necessarily replace, all Department security remediation plans.† (See OMB memorandum M-01-24 for guidance on reporting the results of security reviews and evaluations.)

d. Systems currently processing or storing information on behalf of the Department without authorization from the AO must be immediately reported to DS/SI/CS and IRM/IA.† Also report systems connected to the Departmentís networks to IRM/OPS.† All non-Department systems must be entered into the non-Department system authorization process by the sponsoring bureau.† The sponsoring bureau must notify DS, IRM/OPS and IRM/IA with the required system information.† The CIO may deny authorization of the system if the sponsoring bureau fails to enter the unauthorized system into the non-Department system authorization process.

e. The sponsoring bureau must coordinate and monitor the activities of information security practitioners assigned to independently certify and accredit a non-Department system.

†††† NOTE:† Independent certification is required for moderate or high impact level unclassified and all classified systems.† Low impact systems do not require independent certification.

5 FAH-11 H-412.5 †Assessment Team

(CT:IAH-11;†† 08-10-2017)

a. The assessment team must ensure all required controls specified in the SSP of a non-Department system that processes or stores Department information have been appropriately scoped and are addressed.

b. The assessment team must evaluate all controls specified in the non-Department system SSP to the level of rigor required for the systemís designated impact level.

c.† Only the lead assessor must meet the requirements for independence as specified in 5 FAM 1066 in circumstances where independent certification is required.

d. All assessment analysts must perform assessment in accordance with 5 FAH-11 H-200, Certification (Information Security Audit).

5 FAH-11 H-412.6 †Authorization Team

(CT:IAH-11;†† 08-10-2017)

a. The authorization team is responsible for scoping the initial security control baseline by using an assessment of risk and potential harm to the Departmentís mission from a non-Department system and documenting the resulting baseline in the SSP.

b. The authorization team analyst assigned to assess risk for a system undergoing accreditation under the non-department system authorization process must perform the following activities:

(1)† Assess and document the risk and potential impact posed from this system which accesses Department information and information systems;

(2)† Evaluate, determine the scope, and identify the minimum security controls to meet the requirements in this subchapter for unclassified systems.† The analyst must use the results of the documented risk and potential impact posed from this system.† (See the latest security control Baseline process and Security Control Catalog for Unclassified Systems process guide, available on the IRM/IA Web site);

(3)† Ensure that all requirements mandated in 12 FAM 600 and 12 FAH-6, have been incorporated into the SSP for classified non-SCI systems; and

(4)† Recommend the level of managed risk to the AO for authorization approval or denial upon completion of the system certification.

(a)† Systems with overall high residual risk require the authorization team analyst to make a recommendation to the AO to deny authorization.† Systems with overall medium residual risk require the authorization teamís analyst to make a risk-managed authorization recommendation to the AO based upon information supplied by the sponsoring bureau.† This may include, but is not limited to, business need, scoping justifications, compensating security controls, and reasonable completion dates for remediation of medium risk items.† The recommendation to the AO may be to:

(i)†††† Grant the system a full authorization for 36 months;

(ii)††† Grant a full authorization for less than 36 months;

(iii)††† Grant a full authorization with stipulations pertaining to remediation of medium risk items; or

(iv)†† Deny authorization; and

(b)† Systems with low risk require the authorization team analyst to make a recommendation that the AO approve authorization.

c.† Besides a recommendation to the AO to approve or deny a non-Department system authorization, the Authorization Memorandum generated by the authorization team analyst must include:

(1)† A brief description of the system operating environment and accreditation boundary, including hardware/software configurations, and the applications that fall within the accreditation boundary;

(2)† A detailed presentation of the assessed risk affecting the authorization decision; and

(3)† The systemís initial POA&M report.

††† NOTE:† This report must translate the results of the Security Assessment Report into the standard POA&M format, and should be used to facilitate communication back to the sponsoring bureau concerning the vulnerabilities found in connecting to a system.)† (See the IRM/IA Web site for more information on preparation and use of the Authorization Memorandum.

5 FAH-11 H-413 †PROCEDURES FOR SYSTEM AUTHORIZATION OF NON-DEPARTMENT SYSTEMS

5 FAH-11 H-413.1 †General

(CT:IAH-5;†† 06-25-2007)

a. Non-Department entities must undergo system authorization under the non-Department system authorization process if:

(1)† The sponsoring bureau demonstrates a business need that the non-Department entity fills; or

(2)† Department information is being, or is planned to be processed or stored on a non-Department system; or

(3)† Department required legal contractual arrangements are in place between the sponsoring bureau and the non-Department entity.

b. The sponsoring bureau facilitates certification and accreditation (C&A) of a non-Department system.† The four aspects that encompass C&A are:

(1)† Technical review and evaluation:† Verify through independent technical review and evaluation the existence of the minimum required security controls in and around the system for low, moderate, and high impact unclassified and all classified systems;

(2)† Testing:† Test the effectiveness of the implemented or planned baseline security controls.† These controls must provide sufficient protection, commensurate with the level of information that the controls protect;

(3)† Risk-managed processes:† Involve senior management in the security lifecycle, and provide sound operational decisions, based on an identified, objective, risk-managed process; and

(4)† Authorization:† Achieve full authorization to operate for the maximum time allowable, up to three years, using a risk-management process.† Authorization requires that:

(a)† Mission effectiveness is balanced with security requirements and risk management;

(b)† Appropriate officials are assigned to manage responsibilities commensurate with their designated roles and security responsibilities; and

(c)† Authorization of systems that process or store Department information is achieved either prior to operations, or as currently operational.

5 FAH-11 H-413.2 †Certification Requirements

(CT:IAH-11;†† 08-10-2017)

a. All moderate and high impact unclassified, and all classified systems seeking authorization must have independent certification (see 5 FAM 1066.1-1(D)).

b. Low impact unclassified systems do not require independent certification but may be certified using resources provided by the sponsoring bureau.

c.† Systems undergoing certification that are connected to the Department must be in compliance with the requirements in 5 FAH-11 H-822.5.

d. The certification package must meet the Departmentís C&A requirements for system authorization.† The sponsoring bureau must verify that:

(1)† The security controls, put in place to protect the Department's unclassified information and information systems, are in compliance with the requirements in the FIPS Publication 200, the most current version of NIST SP 800-53, 12 FAM 600, 5 FAM, and 12 FAH-6;

(2)† The security controls, put in place to protect the Departmentís classified information and information systems, are in accordance with the requirements in 12 FAM 600 and 12 FAH-6; and

(3)† See the DS/SI/CS and IRM/IA online security resources library for the most current classified and unclassified security control catalogs.† The catalogs map Department and additional national level requirements that must be met in order to comply with the NIST SP 800-53 security controls.

5 FAH-11 H-413.3 †Authorization Requirements

(CT:IAH-5;†† 06-25-2007)

All non-Department systems processing or storing Department information, whether via a connection or not, are required to enter and complete the non-Department system authorization process before DAA authorization is granted:

(1)† New systems must complete the non-Department system authorization process and receive DAA authorization before being allowed to process or store Department information; and

(2)† Systems identified as operating without DAA authorization may be required to cease operations.† However, at the discretion of the CIO, and only to meet a critical business need, these systems may be allowed to continue operations, provided the sponsoring bureau makes arrangements with the non-Department entity to begin system authorization of the identified system.† Upon identification, authorization must be achieved within three months, or the system may be disconnected.

5 FAH-11 H-413.4 †Non-Department System Authorization Process Phases

(CT:IAH-5;†† 06-25-2007)

Authorization of unclassified non-Department systems progresses through four phases and is similar to the Departmentís system authorization process.† The phases include initiation, certification, accreditation, and life cycle monitoring.† Individuals conducting C&A of a non-Department system must be familiar with all four phases of this process.

5 FAH-11 H-413.4-1 †Phase I† Initiation Phase

(CT:IAH-5;†† 06-25-2007)

The sponsoring bureau must, at a minimum, complete and provide the documentation listed in 5 FAH-11 Exhibit H-413.4-1.

5 FAH-11 H-413.4-2 †Phase II† Certification Phase

(CT:IAH-5;†† 06-25-2007)

Certification must validate compliance of a system with the minimum mandatory security controls that are defined within the non-Department systemís SSP.† (See IRM/IAís Web site for the latest minimum mandatory security controls.)† The certification requirements (Phase II) are listed in 5 FAH-11 Exhibit H-413.4-2.

5 FAH-11 H-413.4-3 †Phase III† Accreditation Phase

(CT:IAH-5;†† 06-25-2007)

Accreditation produces the required evidence to support the Designated Approval Authority (DAA) in making an informed, risk-managed decision to approve or deny authorization of a non-Department system.† The risk analyst generates an authorization package created during the certification phase.† Accreditation requirements are in 5 FAH-11 Exhibit H-413.4-3.

5 FAH-11 H-413.4-4 †Phase IV† Life Cycle Monitoring Phase

(CT:IAH-5;†† 06-25-2007)

The sponsoring bureau is responsible for audit and continuous monitoring of non-Department systems that it sponsors for authorization.† Audits must validate that these systems do not compromise the integrity, availability or confidentiality of Department information systems, or the information processed or stored on behalf of the Department.† Life cycle monitoring (Phase IV) requirements are in 5 FAH-11 Exhibit H-413.4-4.

5 FAH-11 H-414 †Procedure For a Targeted Security Control Assessment

(CT:IAH-5;†† 06-25-2007)

a. A targeted security control assessment (SCA) is performed by the certification analyst to validate whether or not remediated items are successfully mitigated.

b. A risk analyst reviews the targeted SCA results to determine the level of residual risk:

(1)† The system may be recommended for full authorization if, after remediation, residual risk is determined to be low; and

(2)† The system may not be recommended for full authorization until such time that risk is remediated to an acceptable level (low), if remediation is not completed, or remediation did not mitigate unacceptable risk to low.

c.† The DAA can authorize a system with medium and high residual risk.† The sponsoring bureau must first make every effort to reduce the risk to low.† Next, the sponsoring bureau must send a memorandum to DAA that outlines a supporting business case which demonstrates a critical business need that overrides the security concerns.

d. Updates to documents that may have been affected by re-entry into an earlier phase of the non-Department system authorization process must be reviewed by the sponsoring bureau to ensure that any changes in the system's baseline, necessary to support re-entry into the process, are accurately recorded.

5 FAH-11 H-415 †REACCREDITATION OF NON-DEPARTMENT SYSTEMS

5 FAH-11 H-415.1 †General

(CT:IAH-11;†† 08-10-2017)

a. Reaccreditation of systems can be event-driven (e.g. upgrades, laws, regulations, directives, instructions or policies that dictate such activity change), or time-driven (e.g., the authorization has expired).† Examples include:

(1)† Event-driven can be represented through a significant system change that requires reaccreditation or the systemís operating environment changes to the degree that threats formerly rated as low are now significant enough for reaccreditation;

††††† NOTE:† A significant change is one that alters the authorized configuration to the degree that reaccreditation must be considered.† Adding a new function or application that establishes a new interconnection with other agencies or non-Department entities is an example;

(2)† Time-driven supports OMB Circular A-130 requirements to re-accredit a system every three years; and

(3)† Changes to laws that define the requirements for protecting a systemís baseline controls can be either event- or time-driven.† (For example, FISMA and other laws and regulations control processing requirements of unclassified and classified national security information and direct that a systemís minimum security controls be sufficient to protect the agencyís information and information systems commensurate with the sensitivity level and classification of the information processed.† The authorization of a system could be affected and must be evaluated for reaccreditation if these laws and regulations change and the changes are significant.)

b. Authorized systems must be reaccredited prior to expiration of their current authorization:

††† NOTE:† The sponsoring bureau should process the system for reaccreditation within three months prior to the expiration date of the systemís current authorization to allow time for recertification to occur.

(1)† The sponsoring bureau must validate that the system meets policy, guidelines, and procedures which require and recommend adequate security controls that balance risk and business needs in submitting a non-Department system for reauthorization; and

(2)† Reauthorization of this system is dependent upon the outcome of DAAís review of Accreditation Recommendation to approve or deny authorization and the residual risk posed to Department information systems.

c.† The DAA authority may take the following actions if reaccreditation cannot be completed before expiration of the systemís current authorization:

(1)† Approve an authorization extension until reaccreditation is achieved and the system is authorized to operate;

(2)† Direct that operations cease, and the system be disconnected and removed from the Departmentís iMATRIX (integrated management, analytics, and technology resource for information exchange); or

(3)† Accept the risk and authorize the system.† In this case, every effort to reduce risk to low must be exhausted, and the sponsoring bureau must demonstrate that a critical business need overrides the security concerns.

d. Sponsoring bureaus must ensure that their sponsored non-Department unclassified system is compliant with the latest FIPS 200 requirements when submitting a system for reaccreditation.† Security control sets must be validated and selected under the Department's latest implemented Security Control Baseline Process and Security Control Catalog for Unclassified Systems.† (See 5 FAH-11 H-412.6 paragraph b(3) above for security controls for classified systems.)

e. System reaccreditation begins at the initiation phase (phase I), and progresses through all tasks initially completed during the original accreditation, and ends at the lifecycle monitoring phase (phase IV).

f.† All phases of the non-Department system authorization process must be successfully completed before a system is once again granted full authorization to process or store Department information.

5 FAH-11 H-415.2 †Reaccreditation Of Non-Department Systems Resulting From A Significant Change

(CT:IAH-5;†† 06-25-2007)

a. Reaccreditation of a system is required whenever a significant change is made to the accredited system's baseline.† Proposed modifications to a system (including software, firmware, hardware, or interfaces and interconnections to networks) must be jointly reviewed by the sponsoring bureau and IRM/IA to determine if the proposed modifications will impact the connecting systemís (and subsequently the Department systemís) protection profile.

b. The DAA may extend authorization to continue to process or store information until reaccreditation is completed and full authorization is once again granted in cases where a non-Department systemís authorization has expired, or is about to expire but has been submitted for or is undergoing reaccreditation.

c.† The sponsoring bureau must assess the risk in cases where a system is undergoing major modifications.† The risk must be lower than moderate to high risk before the system can qualify for an authorization extension.

d. The sponsoring bureau must submit a memo to the DAA indicating that reaccredidation for the specified system is due at least three months prior to expiration of the systemís current authorization, unless circumstances dictate otherwise.† A non-Department system must be scheduled for reauthorization upon submittal of the reaccreditation request memo.

5 FAH-11 H-415.3 †Reaccreditation Of Non-Department Systems Without Significant Change To Baseline Configuration

(CT:IAH-5;†† 06-25-2007)

a. The sponsoring bureau must ensure that the system complies with all applicable Department Security Configuration Guidelines if an authorized system is due for reaccreditation and has not undergone any significant change to its baseline configuration.

b. The sponsoring bureau should conduct a spot check of the system to ensure the original documentation and evidence, used in the former authorization, still applies.† If so, the sponsoring bureau will coordinate their efforts.† Accomplish this by:

(1)† Department-approved application scans of the system;

(2)† Documentation review (specifically the SSP and CP); and

(3)† Review of waivers and/or exceptions applied for and granted since authorization of the system.

c.† The sponsoring bureau must review the results of Department-approved scans and system documentation provided by the non-Department system owner for configuration compliance, including the summary status of POA&Ms from the previous assessment.† In the event no new vulnerabilities are noted:

(1)† The current authorization must be amended to reflect no significant changes have occurred, and no new vulnerabilities were found that require remediation action;

(2)† The systemís current authorization date must remain unchanged; and

(3)† The sponsoring bureau must recommend that the DAA approve reauthorization of the system extending up to three years from expiration date of its current authorization.

d. If conducting a spot check and it is determined that new vulnerabilities exist because of a significant change in the systemís baseline configuration, the non-Department system may be required to undergo re-certification and reaccreditation in phases I through III before granting reauthorization.

e. The DAA may require the system to undergo a targeted C&A in accordance with the requirements in this subchapter if authorization of a moderate or high application is due to expire.

5 FAH-11 H-415.4 †Requirements for Addressing Baseline Configuration Changes To Non-Department Systems

(CT:IAH-11;†† 08-10-2017)

a. The sponsored non-Department entity must notify the sponsoring bureau prior to implementation of the change if an authorized system is due to undergo a significant change to its baseline configuration.

b. The sponsoring bureau must ensure that system updates are complete if a system is not authorized but is scheduled for C&A under system authorization.† On the other hand, this bureau can instead request that the system remain unchanged in its current baseline configuration before system authorization is allowed to start or continue.

c.† Requested changes to a non-Department systemís baseline configuration must be assessed for their impact on the Departmentís infrastructure (systems operations, and/or security.)

(1)† The non-Department entity must provide the sponsoring bureau a Business Impact Summary, clearly stating the business impact the proposed changes may have to the system.† (See IRM/IAís Web site for instructions on preparing this summary.); and

(2)† The assigned independent certification analyst must review the request to confirm whether or not the change is significant enough to warrant reauthorization:

(a)† A memo from the sponsoring bureau to the non-Department entity must be issued stating reauthorization is not required if the request is not a major change to the baseline;

(b)† The reauthorization process must continue if the request describes a major change to the baseline; and

(c)† The independent certification and accreditation team should confer or meet with the sponsoring bureau if further investigation is required to determine if the change is major.

d. The sponsoring bureau must approve and manage changes to a non-Department systemís baseline configuration under strict configuration management requirements.† All changes must be promptly recorded in the systemís SSP and CP, where appropriate.† Additional security controls which affect a systemís security posture must be implemented in accordance with requirements in the Department's Security Control Baseline Process and Security control Catalog for Unclassified Systems.

e. Unauthorized and/or undocumented changes to the systemís accredited baseline configuration may invalidate the systemís authorization.

f.† The sponsoring bureau must ensure that changes to a non-Department system are authorized, documented, and registered accordingly.

5 FAH-11 H-416 †END OF LIFE CYCLE REQUIREMENTS FOR NON-DEPARTMENT SYSTEMS

5 FAH-11 H-416.1 †Criteria For Disposal Of Non-Department Systems

(CT:IAH-8;†† 12-22-2016)

a. A system reaching the end of its lifecycle must be disposed of in a secure manner (see 12 FAM 620).

b. The non-Department entity must generate and forward the request for disposal of the unclassified system to the sponsoring bureau.

c.† The assigned certification analyst and the sponsoring bureau must review the disposal request and timeframe to:

(1)† Ensure the system is properly scheduled for disconnection from the Department information system;

(2)† Determine the system is safe to shut down and that safe disposal is coordinated in accordance with Department regulations (See 12 FAM 623.1);

(3)† Inform iMATRIX of the request to retire a system and remove it from the Departmentís integrated management, analytics, and technology resource for information exchange; and

(4)† File the request for disposal, and any other documentation confirming the safe disposal, in IRM/IAís documentation library.

d. The IRM/OPS and the sponsoring bureau must jointly investigate issues of improper system disconnection and disposal, and scheduling of disposal, iMATRIX filings or disagreements with a disposal request.† IRM/OPS will inform all affected parties of the appropriate actions in consideration for proper disposal of a system in the above instances and in anticipation of a non-Department systemís shutdown.

e. The areas the sponsoring bureau must address before elimination of a system includes, but not limited to the:

(1)† Archiving of information;

(2)† Disposal of hardware, firmware, and software; and

(3)† Sanitization of media.

f.† The sponsoring bureau must accomplish, at a minimum, the following management tasks when a system reaches the end of its lifecycle:

(1)† Send a memo to iMATRIX indicating system disposal;

(2)† Contact iMATRIX maintenance to update the application status to indicate that the system is submitted for retirement and disposal (including systemís disposal date); and

(3)† Inform bureau staff and affected parties outside the bureau that a retirement application is submitted and pending approval, and that system disposal is imminent.

g. An extension to accommodate system disposal may be granted for unclassified systems scheduled for retirement and disposal within four months after the expiration date of their authorization.† In this event, the sponsoring bureau must:

(1)† Send the CIO an extension request.† The extension request must include a business case that justifies an extension and the conditions under which it is requested:

(a)† If granted, the system will not need to undergo re-accreditation, but instead will be retired and disposed of as scheduled;

(b)† If denied, the system must be turned off and disconnected upon expiration of its current authorization and before the actual disposal date; and

(2)† Have approved extensions in effect starting upon expiration date of a systemís authorization, and remain in effect until system disposal is completed.

h. Classified systems must be disposed of in accordance with Department guidelines and requirements.

5 FAH-11 H-417 †THROUGH H-419 UNASSIGNED


5 FAH-11 Exhibit H-413.4-1
Phase I Ė Initiation

(CT:IAH-8;†† 12-22-2016)

a. Start the initiation process.

(1)† Memo request for system authorization activities.

(2)† A Security Categorization Form, also referred to as IT Asset Categorization form (for more information on how to complete the Security Categorization Form and register a system, refer to the iMATRIX website):

(a)† If the system is already entered in iMATRIX, this form will collect the remainder of the necessary information; and

(b)† If the system is not registered in iMATRIX, the sponsoring bureau must register it after completing this form.

(3)† System Security Plan (SSP).† All systems seeking authorization under the non-Department system authorization process, whether classified or unclassified, must have a SSP, that, as a minimum:

(a)† Is current with the systemís baseline configuration;

(b)† Defines the systemís baseline security controls; and

(c)† Accurately reflects the systemís accreditation boundary.

(4)† Contingency plan (CP).† If required, the CP must prescribe how the system is to be recovered to full operation in the event that risk is realized and the system loses its integrity, confidentiality, or availability.† Not every system requires a CP.† However, based on the system type, systems must have a CP if they support critical Department operations:

(a)† General support systems (GSS) and major applications (MA) critical to operations and mission support of the Departmentís infrastructure;

(b)† Systems that process sensitive information, including but not limited to, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Federal Managersí Financial Integrity Act (FMFIA), and Privacy Act information; and

(c)† Systems supported by a single server, which in turn support operations critical to the Department or bureauís mission.

b. Registration in iMATRIX.† For more information on how to register a systemís integrated management, analytics, and technology resource for information exchange in the iMATRIX, refer to the iMATRIX website.

c.† The sponsoring bureau must define the system, including its:

(1)† Support role;

(2)† Operating environment;

(3)† Supporting applications (hardware/software configuration); and

(4)† Boundary of operation.

d. Once the above (phase I) requirements are completed, the sponsoring bureau and the assigned IRM/IA personnel, with senior management support from the non-Department entity, jointly develop a project work plan, under the direction of IRM/IA, which formally establishes project milestones and resources necessary to achieve authorization.

e. The forms and automated tools needed by the sponsoring bureau to complete their components of the authorization process are located on the IRM/IA Web site under "systems authorization."

f.† IRM/IA personnel must verify that the sponsoring bureau completed all documentation to required department standards before a system can move from the initiation phase (phase I), to the certification phase (phase II).

g. Items that may prevent completion of phase I requirements include, but may not be limited to:

(1)† Incomplete or insufficient documentation;

(2)† Scheduling conflicting events that interfere with the SCA;

(3)† Lack of completion of phase I milestones planned for certification and accreditation of the system; and

(4)† Escalated and unresolved issues within the ongoing certification and accreditation process.

h. Refer to the IRM/IA Web site for more information on (1) asset registration requirements, (2) forms using available automated tools, and (3) the latest Automated CP/SSP Tool Guide for generating system security, and contingency plans.


5 FAH-11 Exhibit H-413.4-2
Phase II Ė Certification

(CT:IAH-8;†† 12-22-2016)

a. IRM/IA or the sponsoring bureau must ensure that certification of a non-Department system is accomplished in accordance with phase II certification requirements, whether performed independently or not.† This includes requirements to:

(1)† Prepare and perform the security control assessment (SCA);

(2)† Compile the SCA results (findings); and

(3)† Generate the Certification Report and notify IRM/IA of its completion at the end of the certification phase (phase II).

b. To ensure that the system is ready for a SCA, the sponsoring bureau must validate that:

(1)† Support requirements (time and resources) for its completion will be met; and

(2)† The system is not undergoing, or is not scheduled to undergo, major changes to its baseline configuration that may interfere with the SCA.

c.† If independent certification of a system is required, and the sponsoring bureau:

(1)† Requests IRM/IA assistance, the certification analyst, under authority and direction of the CISO, must:

(a)† Perform a SCA;

(b)† Compile SCA results (findings); and

(c)† Generate the Certification Report and notification to the IRM/IA advocate of its completion at the end of the certification phase (phase II); or

(2)† Does not request IRM/IA assistance, the sponsoring bureau, under authority and direction of CISO, must ensure that:

(a)† The SCA is performed in accordance with the Departmentís non-Department system authorization process (found in this subchapter);

(b)† The non-Department entity provides the sponsoring bureau the compiled SCA results (findings), which the sponsoring bureau forwards to IRM/IA for review; and

(c)† The non-Department entity generates and provides the Certification Report upon completion of the SCA to the sponsoring bureau, who in turn forwards it to IRM/IA upon completion of the certification phase (phase II).

d. After verifying that the Certification Report is completed in the proper format, it will be released to risk management for assignment and analysis.

e. The risk analyst, assigned by IRM/IA risk management to review the Certification Report, must:

(1)† Analyze the SCA findings.† If after analysis, the risk analyst determines that issues in the Certification Report need resolving, the process cannot move into the accreditation phase (phase III).† All issues with SCA findings must be resolved between the certification analyst and the risk analyst before the process can move to the next phase; and

(2)† Accept the certification report.† If after analysis the risk analyst accepts the Certification Report, which is included in the certification package, the certification phase (phase II) is formally completed and the accreditation phase (phase III) begins.

f.† If a system does not meet certification requirements for completion of phase II, the system will not be allowed to move to phase III until certification and risk management verify and agree that phase II requirements are met.

g. Items that may prevent completion of phase II requirements are similar to the items listed in phase I.


5 FAH-11 Exhibit H-413.4-3
Phase III Ė Accreditation

(CT:IAH-8;†† 12-22-2016)

a. When generating an Accreditation Report as part of the authorization package, a risk analyst must:

(1)† Characterize the acceptable amount of risk, based on the information provided by the certification results;

(2)† Provide an analysis of the current nature of threats posed against a system; and

(3)† Formalize a recommendation to DAA for approval or denial of a system's authorization in an Authorization Memorandum, which is included as part of the Accreditation Report.

b. The Accreditation Report must be reviewed and cleared in IRM/IA in accordance with internal IRM/IA clearance processes.† In the review process, risk management must validate that the Accreditation Report:

(1)† Documents the assessed risk in the final risk assessment;

(2)† Validates the vulnerabilities identified in certification;

(3)† Itemizes estimated costs for recovery and replacement of systems with medium to high risk, (see the Departmentís IT Cost Estimating Guide);

(4)† Generates the systemís initial POA&M report listing the identified vulnerabilities in the Certification Report, finalized in phase II; and

(5)† Substantiates the recommendation to the DAA to approve or deny authorization.

c.† After receiving the Accreditation Report, which must contain risk management's authorization recommendation, the DAA will either accept or reject the report based on the residual risk posed to the Department, and/or any documented business needs that may override security concerns:

(1)† If the DAA determines that issues in Accreditation Report or accompanying Authorization Memorandum need resolving, then the process cannot move forward until all issues are resolved to the DAAís satisfaction; or

(2)† If the DAA accepts and signs the Authorization Memorandum in the Accreditation Report, it is forwarded from IRM/IA to the sponsoring bureau for signatures.

d. Once the DAA signs the Authorization Memorandum, the authorization decision is made final, and the process is allowed to move to phase IV of the process:

(1)† In cases where full authorization is granted and all approving authorities have signed the Accreditation Report (i.e., DAA, CISO, sponsoring bureau, and other designated key participants), the accreditation phase (phase III) ends and the lifecycle monitoring phase (phase IV) begins.

(2)† In cases of a denial of authorization to operate due to medium or high risk, the CIO may direct operations to cease and the system be disconnected and removed from the Departmentís integrated management, analytics, and technology resource for information exchange as entered in iMATRIX:

(a)† Under special circumstances where a business need overrides security concerns, the DAA may overrule a denial recommendation and accept medium to high risk, in which case authorization may be granted.† Prior to this event, the sponsoring bureau must submit a memorandum to IRM/IA that outlines a business case which demonstrates and justifies an overriding business need for operations to continue, and which shows that all efforts to reduce risk have been exhausted.† Otherwise, at the discretion of the CIO, operations will be discontinued; and

(b)† Upon completion and validation of its remediation, the system that received a denial to operate must be re-entered into and successfully complete system authorization - from Phase I through end of phase IV - to achieve DAA authorization to operate.

e. IRM/IA must ensure that original copies of the completed authorization package sent to IRM/IA are scanned and converted to ".pdf" format (Adobe file format) for archival and inspection purposes.† Archived documentation (filed in both electronic and written form):

(1)† Validates that system authorization is completed in accordance with Department requirements (this subchapter);

(2)† Supports OMB audit requirements; and

(3)† Must be maintained throughout the life cycle of the system, until disposal.


5 FAH-11 Exhibit H-413.4-4
Phase IV Ė Life Cycle Monitoring

(CT:IAH-11;†† 08-10-2017)

a. Lifecycle monitoring activities performed by the sponsoring bureau on behalf of systems should include, but are not limited to:

(1)† System security management;

(2)† Risk management review; and

(3)† Configuration management and control of information system components (see 5 FAH-5 H-521).† The sponsoring bureau must verify with the sponsored non-Department entity that required configuration items exist, and current versions agree with the specified requirements.† Examples include:

(a)† Documentation (specifically the SSP and CP);

(b)† Source and executable code (changes to and modification of function);

(c)† Database and test database scripts and associated access privileges;

(d)† Modification to commercial-off-the-shelf (COTS) and/or patches to COTS products and updates (see below GOTS); and

(e)† Modification to U.S. Government-off-the-shelf (GOTS) and/or patches to GOTS products and updates;

(4)† Security impact analysis of changes to the system.† This includes integration testing and evaluation of new or modified hardware or software for the enterprise network, as well as, coordination and distribution of new releases of software updates and fixes (patches) and version control;

(5)† Ongoing assessment of security controls, including but not limited to:

(a)† Audit logs;

(b)† User accounts and password settings; and

(c)† System access permissions;

(6)† System security requirements and status reporting; and

(7)† In meeting reporting requirements of annual self-assessments, the sponsoring bureau must:

(a)† Ensure that the required annual self-assessment is conducted on the systems completing authorization, and ensure that the results are recorded in the systemsí SSPs; and

(b)† Report the self-assessment results to IRM/IA no later than 30 days after completion of the self-assessment.

b. A Non-Department entity must initiate a new authorization cycle if either (1) major modifications to the site IT Infrastructure or (2) significant changes in threats or operating environment occur.† Otherwise, the system undergoes re-accreditation for the term defined in the authorization.

c.† Sponsoring bureaus must use the Department-approved automated tools posted on the IRM/IA Web site to facilitate reporting the self-assessment results of a system to IRM/IA.

d. For further guidance on management requirements in life-cycle management, see 1 FAM 276.1-3.