UNCLASSIFIED (U)

5 FAM 840

MANAGING SYSTEMS

(CT:IM-309;   10-26-2023)
(Office of Origin:  IRM/OPS)

5 FAM 841  SYSTEMS AUTHORIZATION PROCESS

(CT:IM-89;   05-30-2007)

a. In accordance with OMB Circular A-130, the Department is required to make a security determination, called authorization, to permit placing IT systems into operation.  In order for officials to make fully advised risk-based decisions, they must conduct a security evaluation known as certification of the IT system.

b. All IT systems must complete the systems authorization process before becoming operational.  (See 5 FAM 1060 and 5 FAM 611.)

5 FAM 842  INFORMATION TECHNOLOGY SECURITY PLANS

(CT:IM-251;   11-21-2018)

a. The Federal Information Security Modernization Act (FISMA) of 2014 and OMB Circular A-130 require all major applications and support systems to have a security plan.  The system security plan provides all the information necessary to secure an IT system throughout the system’s lifecycle.

b. See Information Assurance for the available tool.

5 FAM 843  INFORMATION QUALITY

(CT:IM-144;   07-12-2013)

OMB requires each agency to establish guidelines on ensuring the integrity of the information it maintains.  Department guidelines state that each post and bureau is responsible and accountable for the integrity of information maintained on its IT systems.  Information management officers (IMOs), information systems officers (ISOs), and system owners must carry out these responsibilities.

5 FAM 844  MEDIA AND ESOC

5 FAM 844.1  Storing, Handling, and Destroying Media

(CT:IM-175;   03-15-2016)

To protect information from loss, damage, or compromise, the ISO/system administrators and information systems security officer (ISSO) must verify destruction of media.  For further guidance, see 12 FAH-10 H-260 for unclassified/SBU media and 12 FAM 632.1-6 and 12 FAM 632.1-9 for classified media.

5 FAM 844.2  ESOC:  Enterprise Server Operations Center/IT Consolidation

(CT:IM-251;   11-21-2018)

a. This section addresses the handling, maintenance, storing, and viewing of information residing on the Enterprise IT Consolidated (ITC) Storage Area Network (SAN).  This policy applies to all personnel requiring access to the information contained within the system.  ESOC provides:

(1)  Access to the information on the ITC SAN is strictly controlled on a need-to-know basis via Active Directory (AD) security groups;

(2)  The AD security group controlling ESOC Administrator and Backup/Archive Service account access to the ITC SAN infrastructure and root shares is controlled by the ESOC in compliance with the Bureau of Diplomatic Security and IA security requirements in 5 FAM and 12 FAM;

(3)  The AD security group(s) controlling other IRM administrator (i.e., Desktop Support Division (DSD), Operational Support Division (OSD), or IT Service Center (ITSC)) or consolidated bureau user access to stored information are controlled by the domestic information security officer (DISSO) and/or the DSD based on the access request procedures (reference OSD for further guidance); and

(4)  Maintenance of the information stored on the ITC SAN is the responsibility of the consolidated bureau.

b. The domestic information security officer (DISSO) responsibilities are briefly described below and also in 5 FAM 824.1, 12 FAH-10, and 1 FAM 276.4-3:

(1)  All ISSO responsibilities and functions relating to the information stored on the ITC SAN are to be directed to the OSD domestic information security officer (DISSO) for guidance; and

(2)  The ESOC has supplied the OSD DISSOs with the necessary access to any logging information required and will assist upon request to supply any supplementary information.

c.  The transference of the system-level Plan of Actions & Milestones (POA&M) supporting the in-scope server ITC functions is described below:

(1)  The ESOC scope in ITC is limited to servers supporting in-scope ITC functions;

(2)  Consolidated bureaus retain responsibility for all physical asset management pertaining to in-scope servers and their associated lifecycle and hardware support;

(3)  Server operating system vulnerabilities and remediation of in-scope systems are now the responsibility of the ESOC;

(4)  Server vulnerabilities and remediation related to facility management continue to be the responsibility of the consolidated bureau; and

(5)  All in-scope systems supporting ITC functions will have their functions centralized onto IRM resources and will then be decommissioned.

5 FAM 845  SECURITY AWARENESS, TRAINING, AND EDUCATION

(CT:IM-175;   03-15-2016)

a. The Department is required by the Federal Information Security Management Act (FISMA) of 2002 to conduct computer security training to ensure the confidentiality, integrity, and availability of its computer-based information.  See 12 FAH-10 H-210.

b. DS/T/TPS/SECD implements the Department’s Information Assurance (IA) role-based training program.  The Diplomatic Security Training Center (DSTC) suite of security role-based training courses is valid for 3 years.  IRM/IA has responsibility for ensuring that the Department’s IA training program complies with Federal guidelines.  For courses offered, see DS Training and Information Assurance.

c.  DS/IS/CSD initiates, develops, and provides annual IT security awareness briefings for users.  The CISO also may authorize others to conduct the briefing.

d. 12 FAH-10 H-210 requires ISSOs, IMOs, and system administrators to ensure that all users receive appropriate security training.  Contracting officer’s technical representatives (COTRs)/contracting officer representatives (CORs) are responsible for their contract employees and must ensure that all contracted employees receive appropriate systems security training before accessing any bureau or post system.

5 FAM 846  ANTI-VIRUS

(CT:IM-175;   03-15-2016)

All IMOs/ISOs/system administrators for classified and unclassified systems are required to implement virus protection and detection programs for all systems connected to the Department’s network, per 12 FAH-10 H-292.2-1, Malicious Code Protection.

5 FAM 847  FIREWALLS

(CT:IM-144;   07-12-2013)

a. The Department uses firewall technology to provide protection for network resources at all points where the internal networks connect with non-Department networks.

b. The Department’s Firewall Advisory Board, chaired by the Perimeter Security Division (IRM/OPS/ENM/PSD), ensures consistency of protection worldwide by establishing a baseline configuration for each of the Department firewalls.

c.  IMOs/ISOs/system administrators must comply with all guidance provided by the Firewall Advisory Board.

5 FAM 848  REMOTE ACCESS

(CT:IM-175;   03-15-2016)

Domestically, the Department provides employees with secure dial-up access to Department resources through secure domestic dial-in (SDDI), which allows them to reach their Sensitive but Unclassified (SBU) email accounts and the Department’s Intranet from locations outside their normal office.  Information on SAFENET is found on the Encryption Programs and Product List.  See 12 FAH-10 H-173.

5 FAM 849  AUDIT TRAILS

(CT:IM-175;   03-15-2016)

The ISSO is responsible for coordinating with IMOs/ISOs/system administrators to monitor, investigate, log, and report system events and activities resulting from unauthorized access to and modification of sensitive critical files.  See 12 FAH-10 H-120 and 12 FAM 637 for further guidance.
