UNCLASSIFIED (U)

5 FAM 820

INFORMATION TECHNOLOGY ROLES AND RESPONSIBILITIES FOR SYSTEM OPERATIONS/MANAGEMENT

(CT:IM-326;   07-09-2024)

(Office of Origin: DT/PDCIO)

5 FAM 821  SUMMARY

(CT:IM-318;   05-29-2024)

This subchapter defines responsibilities for systems operations and management. 

5 FAM 822  CHIEF INFORMATION OFFICER

(CT:IM-326;   07-09-2024)

The CIO:

(1)  Is the Department’s senior information technology (IT) professional and an Assistant Secretary equivalent.  The CIO reports via the Under Secretary for Management (M) to the Secretary of State on all matters relating to information technology;

(2)  Ensures availability of information technology systems and operations, including IT contingency planning, to support the Department’s diplomatic, consular, and management operations;

(3)  Ensures that appropriate procedures are in place for system authorization of national security systems;

(4)  Serves as the authorizing official (AO) for non-Sensitive Compartmented Information (non-SCI) systems in the Department; and

(5)  Is the Department official responsible for compliance with the Paperwork Reduction Act, 44 U.S.C. 3501 et seq; implementation has been delegated to the Bureau of Administration, Office of Directives Management, A/GIS/DIR (see Delegation of Authority 226, dated October 13, 1998).

5 FAM 823  ENTERPRISE CHIEF INFORMATION SECURITY OFFICER (E-CISO)

(CT:IM-326;   07-09-2024)

The E-CISO:

(1)  Reports directly to the CIO on all matters pertaining to IT security and is a Deputy Assistant Secretary equivalent;

(2)  Develops and maintains the Department’s information security program;

(3)  Provides guidance to personnel with responsibilities for information security and coordinates with information systems security officers (ISSOs) domestically and abroad; and

(4)  Coordinates the design and implementation of processes and practices that assess and quantify risk.

5 FAM 824  INFORMATION SYSTEMS SECURITY OFFICER (ISSO)

(CT:IM-326;   07-09-2024)

The ISSO:

(1)  Ensures that the systems for which they are responsible are configured, operated, maintained, and disposed of in accordance with all relevant Diplomatic Technology (DT) and Diplomatic Security (DS) security guidelines;

(2)  Is responsible for overseeing configuration and administration of auditing and for ensuring that audit trails are reviewed periodically and archived in accordance with security guidelines;

(3)  Works closely with the DT office and system administrator to ensure all security-related functions and activities are performed;

(4)  Plays a leading role in introducing an appropriate methodology to help identify, evaluate, and minimize risks to all IT systems; and

(5)  Is accountable to the E-CISO to ensure that an IT system(s) is configured and maintained securely throughout its lifecycle in accordance with the Systems Security Plan (SSP).  See also 12 FAM 620 and 12 FAM 630.

5 FAM 824.1  Domestic Information Systems Security Officer (DISSO)

(CT:IM-326;   07-09-2024)

The DISSO:

(1)  Provides desktop security support and fulfills “in-scope” ISSO duties as defined in 1 FAM 274.3-3; and

(2)  Performs in-scope ISSO roles and responsibilities for domestic consolidated bureaus which include:

(a)  Establishing enterprise policy, processes and procedures in compliance with Department of State (DOS) desktop security guidelines;

(b)  Administrating access control/user accounts to include file permissions;

(c)  Performing desktop incident handling to include incident response, computer incident response team's (CIRT) litigation and remediation requests;

(d)  Executing desktop security audits to include random security scans;

(e)  Managing software download request authorizations;

(f)   Monitoring data transfer requests to include authorizing transfers to and from CDs, DVDs and other removable media;

(g)  Providing training and education to include performing security briefings as well as informing users of DOS security best practices; and

(h)  Maintaining requirements for all desktops and providing desktop security guidance to all users within bureaus that have fully consolidated—as defined by the respective master service level agreement (SLA) for each consolidated bureau and ISSO appointment memo.

(3)  Works closely with “out-of-scope” ISSOs whose roles and responsibilities include:

(a)  Performing certification and accreditation requirements;

(b)  Managing “out-of-scope” applications and servers;

(c)  Performing routine security audits for out-of-scope server functions; and

(d)  Regulating physical security.

5 FAM 825  SYSTEM OWNER

(CT:IM-318;   05-29-2024)

a. Domestically, the system owner is the bureau-designated senior executive who is responsible for the system.  Abroad, the system owner is the Chargé, deputy chief of mission, consul general, or principal officer or equivalent, or the bureau-designated senior executive responsible for the system.

b. Each system owner:

(1)  Is responsible and accountable for the business aspects of managing a system, including funding and representing the interests of the system throughout its lifecycle;

(2)  Ensures adequate confidentiality, integrity, and availability of data and applications software residing on the system;

(3)  Ensures system security plans and contingency plans are developed and maintained for each system and application; and

(4)  Ensures systems personnel are properly designated and trained; and appoints the ISSO and the alternate ISSO for a system.

5 FAM 826  DIPLOMATIC TECHNOLOGY CHIEF (DT CHIEF)/DIPLOMATIC TECHNOLOGY CUSTOMER ENGAGEMENT CHIEF (DT/CE)/SYSTEM ADMINISTRATOR

(CT:IM-326;   07-09-2024)

The DT Chief (Unit Chief)/DT-CE (Sub-unit Chief)/system administrator:

(1)  Develops and maintains system security plans and contingency plans for all IT systems and major applications for which he or she is responsible;

(2)  Participates in risk assessments to periodically reevaluate sensitivity of the system, risks, and mitigation strategies; and

(3)  Installs only hardware and/or software approved by the Enterprise Technology Review Board (TRB) or local change management team.  See 5 FAM 120 for further information on the roles and responsibilities of personnel managing systems abroad.

5 FAM 827  USER

(CT:IM-151;   07-16-2014)

The user must:

(1)  Adhere to Department guidelines governing the personal use of information systems;

(2)  Not download, install, or use software on any Department computer without prior approval from the ISSO or ISSO’s delegated representative;

(3)  Use e-mail systems in a professional and courteous manner with the understanding that misuse of Department e-mail will subject them to possible disciplinary action (see 12 FAM 642);

(4)  Use properly formatted passwords and protect them from unauthorized disclosure.  Unauthorized disclosure is the release of password information to persons other than senior IT management or security personnel for purposes of performing an investigation; and

(5)  Not use a system or application before receiving appropriate training.

5 FAM 828  DEPUTY CHIEF INFORMATION OFFICER OF CYBER OPERATIONS (DCIO/CO)

(CT:IM-326;   07-09-2024)

The DCIO/CO:

(1)  Reports directly to the Principal Deputy Chief Information Officer (PDCIO) on all matters pertaining to IT operational security and is a Deputy Assistant Secretary equivalent;

(2)  Is the head of Cyber Operations;

(3)  Develops and maintains information security policies, procedures, and control techniques to address all applicable information security requirements, including those issued under 44 U.S.C. 3553 and 40 U.S.C. 11331;

(4)  Assists in ensuring agency compliance with the Federal Information Security Modernization Act of 2014 and other applicable national requirements and mandates;

(5)  Provides guidance and oversight for all steps of the Assessment and Authorization process for all State systems following the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Security and Privacy Controls for Federal Information Systems;

(6)  Heads DT's operationally focused cybersecurity organization, which is responsible for cybersecurity compliance, threat analysis, preventative control monitoring, and incident response across all DT-managed networks; and

(7)  Oversees the analysis and implementation of technology toolsets to support ISSO operations and manages the Information Systems Security Officer Program.

5 FAM 829  REFERENCES

(CT:IM-326;   07-09-2024)

5 FAM 829.1  Acronyms

(CT:IM-326;   07-09-2024)

A (Bureau of Administration)

A/GIS/DIR (Bureau of Administration, Global Information Services, Office of Directives Management)

AO (Authorizing Official)

CIO (Chief Information Officer)

CIRT (Computer Incident Response Team)

CO (Cyber Operations)

DCIO (Deputy Chief Information Officer)

DCIO/CO (Deputy Chief Information Officer of Cyber Operations)

DS (Diplomatic Security Bureau)

DT (Diplomatic Technology Bureau)

DT Chief (Diplomatic Technology Chief)

DT/CE (Diplomatic Technology Customer Engagement Chief)

E-CISO (Enterprise Chief Information Security Officer)

GIS (Global Information Services)

ISSO (Information Systems Security Officer)

IT (Information Technology)

M (Under Secretary for Management)

NIST (National Institute of Standards and Technology)

PDCIO (Principal Deputy Chief Information Officer)

PRA (Paperwork Reduction Act)

RMF (Risk Management Framework)

SCI (Sensitive Compartmented Information)

SLA (Service Level Agreement)

SSP (Systems Security Plan)

TRB (Technology Review Board)

5 FAM 829.2  Definitions

(CT:IM-318;   05-29-2024)

Availability is the percentage of time that an infrastructure, system, application, or solution remains operational under normal conditions to serve its intended purpose.

IT Contingency Planning establishes thorough plans, procedures, and technical measures that enable a system to recover as quickly and effectively as possible following a service disruption.

Paperwork Reduction Act is a law governing how federal agencies collect information from the public.

Risk Management Framework provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.

5 FAM 829.3  Authorities

(CT:IM-318;   05-29-2024)

The authorities for these policies are as follows:

(1)  Paperwork Reduction Act of 1995, Public Law 104-13 (44 U.S.C. 3501, et seq.);

(2)  Clinger-Cohen Act of 1996, Public Law 104-106 (formerly known as the Information Technology Reform Act of 1996, renamed by section 808, Public Law 104-208) (, et seq.);

(3)  Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283 (44 U.S.C. 3551); and

(4)  Federal Information Technology Acquisition Reform Act (FITARA), Title VIII, Subtitle D, Sections 831-837 of Public Law 113-291, the Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015 (downloadable PDF available at Congress.gov).

5 FAM 829.4  Exhibits

(CT:IM-318;   05-29-2024)

N/A

5 FAM 829.5  Additional Resources

(CT:IM-318;   05-29-2024)

N/A

5 FAM 829.6  Related FAM/FAH

(CT:IM-324;   06-28-2024)

1 FAM 270  (Bureau of Diplomatic Technology)

5 FAM 120  (Diplomatic Technology Staffing Abroad)

5 FAM 810  (Managing Information Systems)

12 FAM 620  (Unclassified System Security Policies)

12 FAM 630  (Classified Automated Information Systems)
