5 FAM 1060

INFORMATION ASSURANCE MANAGEMENT

(CT:IM-190;   03-21-2017)
(Office of Origin:  IRM/IA)

5 FAM 1061  INTRODUCTION

(CT:IM-190;   03-21-2017)

a. This Information Assurance Management FAM sets forth the overarching policy for the Department of State Cybersecurity Program. The purpose of this FAM is to ensure that the Department proactively implements appropriate information security controls to support the Department's mission in a cost-effective manner while managing evolving information security risks.

b. This policy establishes information security governance, which will become the framework and supporting management structure that provides assurance that information security strategies are aligned with the Chief Information Officer's (CIO) strategic business objectives. Moreover, this policy will ensure consistent compliance across the Department with applicable laws and regulations, all in an effort to manage risk.

(1) The Secretary of State is responsible for ensuring that a Department-wide information security program is developed, documented, and implemented to provide security for all systems, networks, and data that support operations of the Department.

(2) The CIO is specifically charged with developing, promoting, and coordinating the Department-wide information security program activities.

(3) The Chief Information Security Officer (CISO) is designated by the CIO to carry out the CIO's responsibilities under FISMA and its related mandates, including developing, implementing, and maintaining an agency-wide Information Security Program.

(4) IRM/IA, along with DS/SI/CS, has the responsibility to execute the governance set forth by the CIO and to develop and implement an operational Information Security Plan.

(5) System Owners and Program Managers must incorporate these information security performance measures into their program plans.

(6) The information security performance measures IRM/IA develops must accurately gauge the Department's operational information security functions, which will be reported to the Office of Management and Budget (OMB).

(7) Within the context of this policy, the term "information security" applies to the security of all Department information processed or stored in electronic form on behalf of the Department, or processed or stored on a Department information system and/or in the cloud.

(8) See 5 FAH-11 H-014 for terms and definitions related to Information Assurance (IA) functions specified in this subchapter.

5 FAM 1062  AUTHORITIES

(CT:IM-190;   03-21-2017)

The United States (U.S.) Congress and the Office of Management and Budget (OMB) have instituted a number of laws, regulations, and directives to establish federal and agency-level responsibilities for information security, define roles and responsibilities, identify minimal information security controls, specify compliance reporting rules and procedures, and provide other essential requirements and guidance. The following list contains the authorities and references used to draft this policy document.

5 FAM 1062.1  Legislation and Regulations

(CT:IM-190;   03-21-2017)

a. Public Law 107-305, Cyber Security Research and Development Act of 2002;

b. Public Law 107-296, The Homeland Security Act of 2002 (November 25, 2002);

c. Public Law 104-231, Electronic Freedom of Information Act Amendments of 1996, October 2, 1996;

d. Paperwork Elimination Act of 1999;

e. Federal Acquisition Reform Act of 1995;

f. Federal Information Security Modernization Act (FISMA) of 2014 (Title III of Public Law 113-283);

g. E-Government Act of 2002 (Public Law 107-347);

h. The Freedom of Information Act, 5 U.S.C. 552, as amended by Public Law 104-231, 110 Stat. 3048;

i. Privacy Act of 1974, 5 U.S.C. 522A;

j. Inspector General Act of 1978, 5 U.S.C., App. 3, as amended;

k. Foreign Service Act of 1980, Section 209, 22 U.S.C. 3929, as amended;

l. 44 U.S.C., Chapter 31, Records Management by Federal Agencies (Federal Records Act);

m. 36 CFR, Chapter XII, Subchapter B, Part 1234, Electronic Records Management; and

n. Federal Information Technology Acquisition Reform Act.

5 FAM 1062.2  Executive Orders and Issuances

(CT:IM-190;   03-21-2017)

a. E.O. 13011, Federal Information Technology, July 16, 1996;

b. E.O. 12472, Assignment of National Security and Emergency Preparedness Telecommunication Functions, April 3, 1984;

c. E.O. 13526, (Amended 13092) Classified National Security Information, April 17, 1995;

d. E.O. 10450, Security Requirements for Government Employment, April 27, 1953;

e. E.O. 11652, Classification and Declassification of National Security Information and Material;

f. E.O. 13010, Critical Infrastructure Protection;

g. PDD 62, Protection Against Unconventional Threats to the Homeland and Americans Overseas (Summary);

h. PDD 67, Enduring Constitutional Government and Continuity of Government Operations;

i. Homeland Security Presidential Directive (HSPD) No. 7, December 2003; and

j. National Security Decision Directive 211 (Partially Classified).

5 FAM 1062.3  Guidelines and Standards

(CT:IM-190;   03-21-2017)

a. OMB Memorandum M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act, September 25, 2000;

b. OMB Memorandum M-02-09, OMB Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones;

c. OMB Circular A-130, Management of Federal Information Resources, March 24, 2016;

d. OMB Circular A-11, Part 6: Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports;

e. OMB Circular A-76, Performance of Commercial Activities, May 23, 1996 (Revised May 29, 2003);

f. OMB Memorandum M-96-22, Implementation of the Government Performance and Results Act of 1993, April 11, 1996;

g. OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003;

h. Federal Preparedness Circular 65, Federal Executive Branch Continuity of Operations;

i. National Plan for Information Systems Protection, President's Management Agenda;

j. NIST SP 800-18 Rev 1: Guide for Developing Security Plans for Information Technology Systems, February 2007;

k. NIST SP 800-30 Rev 1: Risk Management Guide for Information Technology Systems, July 2012;

l. NIST SP 800-34 Rev 1: Contingency Planning Guide for IT Systems, June 2010;

m. NIST SP 800-35: Guide to Information Technology Security Services, October 2003;

n. NIST SP 800-37: Guidelines for the Security Certification and Accreditation (C&A) of Federal Information Technology Systems, May 2014;

o. NIST SP 800-47: Security Guide for Interconnecting Information Technology Systems;

p. NIST SP 800-53: Recommended Security Controls for Federal Information Systems, February 2005;

q. NIST SP 800-55: Security Metrics Guide for Information Technology Systems, July 2008;

r. NIST SP 800-59: Guideline for Identifying an Information System as a National Security System, August 2003;

s. NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1, September 2004;

t. NIST SP 800-63 Rev 2: Electronic Authentication Guide;

u. NIST SP 800-64: Security Considerations in the Information System Development Life Cycle, October 2003;

v. NIST SP 800-65: Integrating Security into the Capital Planning and Investment Control Process, January 2005;

w. NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005;

x. NIST SP 800-117: Guide to Adopting and Using the Security Content Automation Protocol (SCAP), V1;

y. NIST SP 800-126: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP V1.1;

z. NIST SP 800-137: Security Continuous Monitoring for Federal Information Systems and Organizations;

aa. Federal Information Processing Standard 199 (FIPS 199), Standards for Security Categorization of Federal Information and Information Systems, February 2004;

bb. Federal Information Processing Standard 200 (FIPS 200), Minimum Security Requirements for Federal Information and Information Systems, March 2007;

cc. All applicable Committee on National Security Systems (CNSS) advisories, directives, instructions, and policies; and

dd. Government Auditing Standards, 2003 Revision, GAO-03-673G, June 2003, Page 25.

5 FAM 1063  IA Directorate: CISO

(CT:IM-190;   03-21-2017)

a. The Chief Information Security Officer (CISO) operates under the direction and supervision of the Agency Chief Information Officer (CIO). The CISO is responsible for defining and evaluating the security posture of the Department's information and information systems (see 1 FAM 272).

b. Acting for the CIO, the CISO oversees all Department information security elements. As part of this oversight, the CISO will determine the level of information security necessary to protect the Department's information as directed by 44 U.S.C. 3544 and in accordance with the Federal Information Security Modernization Act (FISMA) of 2014.

c. The CISO:

(1) Develops and maintains the Department-wide Information Security program, and leads the Department in the protection of information and information systems;

(2) Improves the Department's security posture by assuring the protection and integrity of its information and information systems through the implementation of federal compliance standards, policy, and governance;

(3) Acts as the risk executive to provide a more comprehensive, Department-wide approach to risk management;

(4) Is responsible for coordinating the design and implementation of the processes and procedures needed to assess, quantify, and qualify risk with respect to the Department's information resources, and for maintaining information security procedures and control techniques that address all applicable information security requirements in the Department;

(5) Is responsible for Departmental compliance with FISMA 2014 and other applicable national requirements and mandates;

(6) Is responsible for reporting compliance status with program-related federal mandates to Department leadership, the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the Government Accountability Office (GAO) and/or Congress; and

(7) Is responsible for implementing information security awareness training to inform Department personnel and non-Department entities of the security risks inherent in operating the Department's automated information systems.

5 FAM 1064  Office of Information System Security Officer Oversight (IRM/IA/ISSO)

(CT:IM-190;   03-21-2017)

The Office of Information System Security Officer (ISSO) Oversight oversees the Department's ISSO Program. The Information Systems Security Officer Program Handbook is published in 5 FAH-11 H-110. This office has governance and oversight responsibilities for the Department's domestic and overseas automated information systems. It consists of the following two divisions:

5 FAM 1064.1  Regional and Domestic ISSO (RD) Division

(CT:IM-190;   03-21-2017)

The RD Division is responsible for:

(1) Ensuring that guidance to the ISSO community, System Administrators (SAs), and Information Management Officers (IMOs) at regional posts and domestic locations worldwide is consistent with Department, federal, and industry best practices for information security standards; and

(2) Directing the coordination of ISSO activities throughout the Department enterprise, including its domestic facilities and overseas missions.

5 FAM 1064.1-1  ISSO Liaisons

(CT:IM-82;   02-22-2007)

IRM/IA ISSO liaisons manage the Department's Information System Security Officer (ISSO) Program. ISSO Liaisons:

(1) Provide liaison and technical assistance to the ISSOs in performing ISSO duties;

(2) Ensure specific ISSO duties and responsibilities are available on the IRM/IA/ISSO website;

(3) Maintain the on-line ISSO library and ISSO ListServ as a resource to assist ISSOs in performing their duties;

(4) Are active members of the Department's Firewall Advisory Board (FAB) (see 5 FAM 115.8-1 for details on the FAB);

(5) Provide technical information security assistance to the Information Technology Change Control Board (IT CCB), and serve as the system authorization security reviewer for all applications except those for SCI systems; and

(6) Serve as the IRM/IA point of contact with the Department's Computer Incident Response Team (CIRT).

5 FAM 1064.1-2  Special Assessments

(CT:IM-190;   03-21-2017)

a. Special Assessments personnel conduct technical risk analyses of an information system's configuration where it affects information security requirements specified in 12 FAM 600, 5 FAM, or other applicable federal mandates. Deviations from these requirements require a justification relative to operational resource implications. When security compliance is not achievable in the immediate term, system owners may request an exception.

b. IRM/IA/ISSO Special Assessment personnel:

(1) Manage the processing of all requests for exceptions to information security policy requirements, standards, or approved processes specified in 12 FAM 600 and 5 FAM;

(2) Coordinate risk assessments, estimates, and recommendations for decisions on policy exceptions, deviations from standards (baselines), and changes that affect the operational risk profile of the Department; and

(3) Coordinate risk estimates when insufficient vulnerability data exists to support a full assessment.

5 FAM 1064.1-2(A)  Requests for Interagency and Non-Department Connectivity

(CT:IM-190;   03-21-2017)

a. In collaboration with DS/SI/CS, IRM/IA/ISSO Liaison personnel evaluate requests from bureaus that require other agencies or non-Department entities to connect to Department information systems.

b. System interconnections must include:

(1) A signed Memorandum of Agreement or Understanding (MOA/MOU);

(2) An Interconnection Security Agreement (ISA); or

(3) An overall agreement that combines an MOU/MOA and ISA; and

(4) For commercial contractors and consultants with contractual relations with the Department, Form DD-254, Contract Security Classification Specification, or another document containing contract security requirements language that specifies all information contained in a connectivity MOA/MOU and ISA (see 5 FAH-11 H-815, Extensions, for additional details on interconnections).

c. Network extensions must include:

(1) Adherence to the specific procedures in 5 FAH-11 H-830;

(2) A signed Memorandum of Agreement/Understanding (MOA/MOU) or other formal agreement; and

(3) For commercial contractors and consultants with contractual relations with the Department, Form DD-254, Contract Security Classification Specification, or another document containing contract security requirements language that specifies all information contained in a connectivity MOA/MOU and ISA (see 5 FAH-11 H-815 for the definition of an extension and 5 FAH-11 H-830, Systems Connectivity, for additional details on extensions).

d. IRM/IA ISSO personnel must ensure that the requested connections meet the standards and guidelines set forth in NIST SP 800-47 and in Department information security policies.

5 FAM 1064.1-2(B)  Requests for Exceptions and Deviations

(CT:IM-190;   03-21-2017)

a. System owners must submit requests for exceptions to, or deviations from, required information security controls or processes to IRM/IA/ISSO. IRM/IA/ISSO, in collaboration with DS/SI/CS, recommends approval or disapproval to the CISO. The request must outline:

(1) Why the controls cannot be maintained, including the resource implications;

(2) Why the actions are required at the time of the request; and

(3) How long it will be until compliance can be achieved.

b. Requests for exceptions to, or deviations from, policies, standards, or approved processes that affect information security specified in 12 FAM 600, 5 FAM, or other applicable federal mandates require a justification relative to operational resource implications.

c. DS/SI/CS personnel must perform a security vulnerability assessment outlining the technical ramifications of the request.

d. DS/SI/CS assessment results, any recommendations for compensating controls, and a recommendation for approval or disapproval must be provided to the CISO upon completion.

e. IRM/IA/ISSO/RD personnel will validate DS/SI/CS findings and, based on the results, submit a recommendation for approving or disapproving the request to the CISO.

f. The CISO's final decision (approval or disapproval) on the exception or deviation request will be sent to the requesting system owner by official memorandum (domestically) or record email (abroad).

(1) If the CISO approves the request for implementation domestically, the system owner must:

(a) Within 30 days, endorse the memorandum in writing, acknowledging his or her understanding and acceptance of the decision and any terms/conditions; and

(b) Make a copy of the endorsed memorandum for his or her records, and return the original memorandum with endorsement to the CISO.

(2) If the CISO approves the request for implementation abroad, the system owner must:

(a) Send a record email to the CISO acknowledging acceptance of the decision and any terms/conditions; and

(b) For future reference and inspection, ensure copies of all documents related to the request are on file at post.

(c) In both subparagraphs f(1)(a) and f(2)(b) of this section, the system owner must not implement the requested change until he or she accepts the terms and/or conditions of the approved request.

(3) If the request is disapproved, the system owner must not, in any case, implement the requested change.

(4) IRM/IA/ISSO must provide a copy of the final decision memo to DS/SI/CS.

g. DS must coordinate with the CISO for all exceptions to the Overseas Security Policy Board (OSPB) standards (12 FAH-6) for Department of State systems.

h. System owners or executive directors (or equivalent level) for bureau-sponsored non-Department entities must submit all requests for changes to the Department's security configuration guides produced by the Enterprise Technology & Awareness Division (DS/CS/ESS) to DS/CS/ESS. The provisions of 5 FAM 1064.1-2(B) do not apply to IA and IA-enabled products employed with or in classified information processing systems as defined in 5 FAM 913. These products require a Deferred Compliance Authorization (DCA) (see 5 FAM 915.15-4).

i. All Dedicated Internet Network (DIN) waiver requests must be registered via the DIN Registration site (see 5 FAM 874.2).

j. For specific guidance on exceptions to policy requirements, see the Special Assessments page.

5 FAM 1064.2  ISSO Operations (OPS) Division

(CT:IM-190;   03-21-2017)

The Operations Division:

(1) Implements the Department's technology toolsets to support the ISSO program worldwide;

(2) Is responsible for coordinating efforts between IRM Operations and DS, and for developing the appropriate tools within the enterprise (domestically and at posts);

(3) Coordinates penetration testing with DS/SI/CS, and coordinates remediation efforts through IT security planning, evaluation, analysis, guidance, verification, and validation of Information Security (INFOSEC) Plan of Action and Milestones (POA&M) closures and remediation;

(4) Collaborates with other INFOSEC professionals within IRM/IA and with DS to review, establish, and/or approve qualifications for the Department's Information Systems Security Officers;

(5) Is responsible for the analysis of new information technologies; and

(6) Is responsible for managing system patch management compliance.

5 FAM 1064.2-1  Patch Management Compliance

(CT:IM-190;   03-21-2017)

a. The purpose of the Department's Patch Management Program is to protect data confidentiality, integrity, and availability by mitigating software and hardware vulnerabilities through proactive patch management.

b. IRM/IA ISSO OPS personnel are responsible for managing and ensuring patch management compliance for each Department information system. Patch management compliance is defined as:

(1) For critical patches: achieving and maintaining a patch installation rate of 100%, as designated by the Enterprise Network Management Office (IRM/OPS/ENM); and

(2) For all workstations and servers on OpenNet and ClassNet: achieving and maintaining a patch installation rate of 90% of all patches within 15 days after patch release.

c. IRM/IA ISSO OPS personnel will:

(1) Work with IRM/OPS/ENM and personnel responsible for sites to determine if there are circumstances that preclude a site from reaching an acceptable level of compliance;

(2) Notify stakeholders, including the CIO, CISO, DS/SI, Regional Information Management Center (RIMC) Directors, ISSOs, post Information Management Officers (IMOs), and system owners, quarterly of each site's compliance status with official OpenNet and ClassNet patch installation;

(3) Sites not in compliance with this program risk sanctions from the CIO (see 5 FAM 866);

(4) To mitigate compatibility issues with local applications, personnel responsible for sites should establish a representative system of all local applications for testing purposes; and

(5) Personnel responsible for sites must document concerns relating to issues implementing patches and report those concerns to the IRM IT Service Center.

5 FAM 1064.2-2  Analysis of New Information Technologies

(CT:IM-190;   03-21-2017)

a. IRM/IA/ISSO/OPS personnel will conduct an initial risk estimate for each planned new technology pilot after completion of its concept of operations (ConOps) and prior to implementing the new technology as a pilot or test program.

b. The system owner must register all new technology pilots in iMatrix, and plan for conducting the system authorization process prior to the new technology's production operational deployment.

c. This planning is vital to avoid a period of non-operation between the pilot or test and operational deployment while the system authorization process completes.

5 FAM 1065  Office of Policy, Liaison and Training (IRM/IA/PLT)

(CT:IM-190;   03-21-2017)

a. The Office of Policy, Liaison and Training (PLT) oversees and addresses Departmental policy and governance issues related to integrating current federal cyber security technology requirements and compliance policies into emerging technology initiatives.

b. This office plans, designs, monitors, and coordinates the Department-wide Cybersecurity Training and Awareness program, Information Security Contingency Plan, and Capability Planning for Systems Development Lifecycle projects and processes.

5 FAM 1065.1  Policy

(CT:IM-190;   03-21-2017)

IRM/IA/PLT policy personnel, in support of the Department's Information Security Program Plan:

(1) Govern and oversee implementation of the Department's cybersecurity policies;

(2) Review policy recommendations and assess their impact on the Department's cybersecurity program;

(3) Assess the impact of new legislation on the Department's security standards and policies;

(4) Assist special assessment personnel in analyzing deviation and exception requests to identify policy revision requirements;

(5) Perform other appropriate and authorized tasks as designated by the CISO or CIO; and

(6) Collaborate with IRM/IA and DS/SI/CS in the development and maintenance of the Department's cybersecurity policies based on risk assessments and in compliance with FISMA, federal standards, agency configuration standards, and other applicable requirements. IRM/IA's cybersecurity policy is 5 FAM 1060.

5 FAM 1065.2  Technical Consultation

(CT:IM-190;   03-21-2017)

IRM/IA/PLT:

(1) Assists the Bureau of the Comptroller and Global Financial Services (CGFS) with the development and maintenance of the Department's Critical Infrastructure Protection Plan (CIPP) to protect the Department's critical information system assets and infrastructure; and

(2) Provides technical assistance to the Enterprise Architecture Division (IRM/BMP/SPO/EAD) in evaluating modifications to the Department's information security architecture.

5 FAM 1065.3  Liaison

(CT:IM-190;   03-21-2017)

IRM/IA liaison personnel represent the Department:

(1) On interagency and intra-agency boards, working groups, and councils with charters related to information security and critical infrastructure protection for non-SCI systems;

(2) In conjunction with IRM/IA/ITSC and IRM/BMP/SPO/SPD, in liaison with the Office of Management and Budget (OMB) regarding cybersecurity issues;

(3) In conjunction with IRM/IA/ITSC, in responses through the designated IRM/H liaison to any Congressional inquiries originating from the Bureau of Legislative Affairs (H) on cybersecurity issues; and

(4) As the IRM/IA point of contact with the Department's Foreign Service Institute (FSI) and the Bureau of Diplomatic Security Training Center.

5 FAM 1065.4  Cybersecurity Awareness, Training, and Education

(CT:IM-190;   03-21-2017)

a. IRM/IA/PLT is responsible for governance, oversight, and approval of the Department's programs that provide cyber security awareness and role-based training in support of the Department's Information Security Program and Information Security Program Plan.

b. Cyber security awareness and training are implemented to inform Department personnel and non-Department entities of the security risks inherent in operating the Department's automated information systems, and to inform employees and non-Department entities of their responsibilities in complying with Department policies and procedures designed to reduce risk to Department information systems, as well as of the penalties for noncompliance (see 44 U.S.C. 3544).

c. IRM/IA/PLT is responsible for ensuring that:

(1) Awareness programs include initial and annual awareness training for all system users;

(2) Training programs include specific role-based security training for identified Department personnel with significant information security responsibilities; and

(3) IRM/IA/PLT coordinates development of, and oversees implementation of, cyber security awareness and training performed by DS/SI/CS, DS/TPS/SECD, and FSI/SAIT.

5 FAM 1065.5  Information System Contingency Planning

(CT:IM-190;   03-21-2017)

a. Information System Contingency Planning involves establishing procedures for the assessment and recovery of a system, including roles and responsibilities, inventory information (hardware and software details), assessment procedures, detailed recovery procedures, and testing of the system, to include testing periodicity.

b. IRM/IA/PLT will:

(1) Establish, manage, and monitor the deployment of Information System Contingency Planning (ISCP) across the Department in accordance with appropriate National Institute of Standards and Technology (NIST) guidance and the appropriate FAM/FAH;

(2) Assess system security, contingency planning, and continuity of operations efforts, and assist system owners in correcting deficiencies to become compliant with the most current NIST and federally mandated guidelines, to include the appropriate FAM/FAH; and

(3) Validate annual ISCP testing.

c. System owners will:

(1) Employ contingency planning, to include creating a contingency plan for each information system under their purview, to meet the needs of critical system operations in the event of a disruption. The procedures for executing such a capability will be documented in the formal Information System Contingency Plan (ISCP) and managed locally by the ISCP Coordinator.

d. The ISCP Coordinator:

(1) Develops the strategy in collaboration and cooperation with IRM/IA/PLT and other functional and resource managers associated with the system;

(2) Manages the development and execution of the contingency plan for the respective information system;

(3) Uses the Department's Contingency Plan (CP) template and toolkit to prepare the ISCP;

(4) Reviews the ISCP at least annually, and updates and tests the contingency plan when the major application or general support system has undergone a major change to its operational baseline configuration;

(5) For moderate- and high-impact systems, tests the contingency plan at least annually to verify the entity's ability to recover and/or restore the application or system to operation in the event of a system or application failure; and

(6) For purposes of inspection, retains copies of the contingency plan and test results for the life of the system.

5 FAM 1066  Office of Information Technology Security Compliance (IRM/IA/ITSC)

(CT:IM-190;   03-21-2017)

a. The Office of ITSC oversees the implementation of the Department's IT Risk Management Framework (RMF) and the Information Risk Management Strategy.

b. The Department manages information security risk at three levels:

(1) Information System Level – The Department deploys information systems to satisfy mission needs at both the enterprise and bureau levels. In accordance with National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSS) requirements, system owners must design, develop, acquire, and document systems with mandatory security controls to effectively manage the information that systems process, store, and transmit.

(2) Mission Level – As the mission owner, the Deputy Assistant Secretary (DAS) considers the potential impact of an information system on the mission and communicates this degree of risk tolerance to system owners. The DAS makes risk decisions on the basis of system security control assessments. The DAS documents the provisional acceptance and provides it to the risk executive (the Chief Information Security Officer (CISO)) for review.

(3) Organizational Level – To maintain the desired level of risk throughout the Department, the risk executive (CISO) reviews all provisional authorization decisions. This review assures that the decision is within the scope of the authorizing official's authority and aligns with the Department's overall risk tolerance.

c. To ensure this risk management process is consistent with applicable laws, regulations, and Department-wide requirements, the Chief Information Officer (CIO) may direct bureau authorizing officials to make changes to their systems. If the CIO does not seek changes, the provisional authorization becomes a full authorization.

d. In addition to acting as the Department's designated information security risk management office, ITSC represents IRM and the Department on interagency and intra-agency boards, working groups, and councils with charters related to information security and critical infrastructure protection for non-SCI systems.

e. The IRM/IA/ITSC work is accomplished within the two Divisions supported by the Office (see 1 FAM 272.3).

5 FAM 1066.1  Assessment and Authorization (A&A) Division

(CT:IM-190;   03-21-2017)

The A&A Division is responsible for:

(1) Developing guidance and providing oversight to system owners to ensure the Department's systems are compliant with FISMA 2014 and OMB Circular A-130; and

(2) Overseeing Department bureaus' compliance with FISMA 2014, including implementation of the A&A process (to include processing cloud security authorizations as described in the CCGB Portal), Department-wide common control management, contingency plan testing, review and verification, and secure systems development as required for FISMA and NIST compliance.

5 FAM 1066.1-1 Assessment

(CT:IM-190; 03-21-2017)

5 FAM 1066.1-1(A) Information System and Security Controls Assessment

(CT:IM-190; 03-21-2017)

a. Designated assessment personnel must perform security control assessments of all FISMA reportable Department systems except those designated as sensitive compartmented information (SCI) systems (see 1 FAM 271 (4)).

b. The Security Control Assessor (SCA) must provide the Security Assessment Report (SAR) to the IRM/IA Bureau Coordinator within two weeks of completing the System Security Assessment.

c. The system owner must perform an annual security control self-assessment using the automated Governance, Risk and Compliance (GRC) reporting tool.

d. Security control assessments must be performed in accordance with NIST guidance. System Owners and/or designated ISSOs can contact the IRM/IA Bureau Coordinators for current Department guidelines.

e. Unclassified and Sensitive But Unclassified (SBU) Systems with low impact/high cost, moderate impact, or high impact security categorization levels must be independently assessed. (See NIST SP 800-53.)

f. Classified non-National Security Systems (NSS) must be independently assessed. (See 40 U.S.C. 11103 for the definition of NSS.)

5 FAM 1066.1-1(B) General Security Assessment Requirements

(CT:IM-190; 03-21-2017)

a. An independent security control assessor must perform the independent assessment, as defined in this subchapter (see 5 FAM 1066.1-1(D)).

b. Bureaus requiring independent assessment of their systems may use independent assessment resources from independently contracted qualified vendors or from internal bureau-independent assessors.

c. Vendors selected to perform independent assessment must be fully qualified in accordance with Department policy and any specific requirements defined in the contract (e.g., Form DD-254, Contract Security Classification Specification, or contract modification).

d. The A&A Division must ensure that independent assessment resources are compliant with 5 FAM 1065.1-2 prior to the start of a system's Assessment and Authorization (A&A) process.

e. The A&A Division must provide oversight of the independent audit function by performing selected random quality assurance evaluations of independent assessment reports to ensure full compliance with Department requirements.

5 FAM 1066.1-1(C) Assessment Requirements For Low Impact Systems

(CT:IM-190; 03-21-2017)

a. System owners are authorized to perform self-assessments of their low-impact/low-cost systems.

b. All assessment results of low-impact/low-cost systems must be forwarded to the Bureau Coordinators in the A&A Division for validation within 10 business days of the completion of the assessment.

c. Failure to provide IRM/IA with the assessment results of low-impact/low-cost systems may invalidate the system's Authorization to Operate (ATO).

5 FAM 1066.1-1(D) Criteria for Independent Assessment

(CT:IM-190; 03-21-2017)

a. Assessor independence implies that the security control assessor (or security assessment team), whether obtained from within the organization or external to the organization, is not involved with the information system's development, implementation, or operation. (See NIST SP 800-53.)

b. A U.S. Government-affiliated internal assessment organization can be presumed to be free from organizational impairments to independence when reporting internally to management only if the head of the audit organization meets all of the following criteria:

(1) Accountable to the head or deputy head of the U.S. Government entity;

(2) Required to report the results of the assessment organization's work to the head or deputy head of the U.S. Government entity; and

(3) Located organizationally outside the staff or line management function of the system owner. (Reference: Government Auditing Standards, 2003 Revision, GAO-03-673G, June 2003, Page 25.)

5 FAM 1066.1-1(E) Penetration Testing Results

(CT:IM-190; 03-21-2017)

a. The Bureau of Diplomatic Security's Cyber Threat Analysis Division (DS/CS/CTA) executes penetration testing of the Department's networks. The CISO provides oversight of this internal and external penetration testing of selected general support systems (GSSs) and designated critical applications (e.g., financial applications, medical applications) in support of the systems authorization program and, as general information, the security performance program. In addition, the CISO:

(1) Coordinates the schedule for systems to be tested with the Office of Computer Cybersecurity (DS/SI/CS); and

(2) Coordinates with the Office of the Senior Coordinator for Security Infrastructure (DS/SI) the GSSs and designated applications selected for penetration testing, and the established schedule for the penetration tests.

b. DS/SI must provide the results of all penetration testing of selected GSSs and designated applications to IRM/IA and the system owner within two weeks of test report completion.

5 FAM 1066.1-1(F) Unclassified Non-Department-Owned Systems Processing Federal Information

(CT:IM-190; 03-21-2017)

a. The Executive Director (or equivalent level) for bureau-sponsored non-Department entities must ensure that the annual security control self-assessment required by FISMA 2014 for non-Department-owned systems that process federal information on behalf of the Department is completed, and that the results are forwarded to IRM/IA/ITSC/A&A.

b. Unclassified Non-Department-Owned Systems must achieve at least an Interim Authority to Operate (IATO), with the goal of achieving full ATO prior to operation.

c. The annual self-assessment must be performed in accordance with the Plan of Action and Milestones (POA&M) Process Guide. (See the IRM/IA Web site for the current guide.)

d. The executive director (or equivalent level) for bureau-sponsored non-Department entities must ensure the inclusion of the results of the annual security control self-assessment in the bureau's POA&Ms.

5 FAM 1066.1-2 Risk Analysis

(CT:IM-190; 03-21-2017)

a. A&A personnel:

(1) Balance the tangible and intangible cost to the Department of applying security safeguards against the value of the information and the associated information system;

(2) Follow a defined methodology recommended by the National Institute of Standards and Technology (NIST) in Special Publication 800-30;

(3) Perform risk analysis of Department and non-Department systems that process federal information on behalf of the Department, in support of the Systems Authorization process and FISMA reporting requirements;

(4) Coordinate risk assessments, estimates, and recommendations for decisions on exceptions to policy, deviations from standards (baseline), and changes that affect the operational risk profile of the Department; and

(5) Coordinate risk estimates when insufficient vulnerability data exists to support a full assessment.

b. For detailed information on special assessments, contact the IRM/IA/ITSC A&A Bureau Coordinators.

5 FAM 1066.1-3 Systems Authorization

(CT:IM-190; 03-21-2017)

a. To be compliant with OMB Circular A-130, Management of Federal Information Resources, federal agencies must:

(1) Plan for security;

(2) Ensure appropriate officials are assigned security responsibility; and

(3) Authorize system processing prior to operations and periodically thereafter.

b. Systems authorization of all FISMA reportable Department systems must be performed following the NIST Risk Management Framework (RMF).

c. All FISMA reportable information systems within the Department must complete the Department's System Authorization Process and be authorized by the Authorizing Official (AO) before being permitted to operate. (See 1 FAM 271.2 (7).)

d. As part of the Systems Authorization Process, Department system owners responsible for Department information systems, including those responsible for non-Department entities (e.g., contractors, vendors), must perform security categorization of the federal information they process on behalf of the Department. IRM/IA Analysts and Bureau Coordinators review the categorization and concur or non-concur with it. See the Department of State Acquisition Regulation (DOSAR) for further guidance on non-Department entities.

e. For unclassified systems, system owners and executive directors (or equivalent level) for bureau-sponsored non-Department entities must complete the categorization of the information and information system, as defined in Federal Information Processing Standards (FIPS) 199, during the iMatrix registration process. Executive directors (or equivalent level) for bureau-sponsored non-Department entities are responsible for registering non-Department systems in iMatrix. The only information categories evaluated for non-Department entities are those that process Federal information on behalf of the Department.

f. The Department system owner, in coordination with the iMatrix team, must determine a classified system's impact level during the iMatrix registration process. Executive directors (or equivalent level) for bureau-sponsored non-Department entities are responsible for registering non-Department systems in iMatrix.

g. The potential impact to the Department in terms of loss of confidentiality, integrity, and availability of information on an unclassified information system is defined in FIPS 199 and is tailored to Department needs and agreed to by the System Owner and the AO:

(1) LOW - if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on Department operations, Department assets, or individuals;

(2) MODERATE - if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on Department operations, Department assets, or individuals; and

(3) HIGH - if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on Department operations, Department assets, or individuals.

h. System owners must establish the baseline security control configuration for information systems under their control. The baseline security control configuration is based on the potential impact level determined by the security categorization completed during the iMatrix registration process. The baseline configuration consists of the minimum information system security controls required under FISMA for information systems. (See DOS Security Configuration Standards.)
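A worked illustration of how the FIPS 199 categorization in paragraph g drives the baseline selection in paragraph h and the independent-assessment rule in 5 FAM 1066.1-1(A) e and 1066.1-1(C) a. This is an added Python example, not Department code; the information types and their impact values are constructed, and the per-objective high-water-mark aggregation is taken from FIPS 199 itself rather than from this subchapter.

```python
"""FIPS 199 security categorization as applied in 5 FAM 1066.1-3 g and h.

Added illustration, not Department code. The per-objective high-water mark
and the "highest objective wins" rule are FIPS 199's generalized formula;
the assessment rule follows 5 FAM 1066.1-1(A) e and 1066.1-1(C) a. All
information types and their impact values below are constructed samples.
"""
from dataclasses import dataclass

# Ordered so that max() over impact levels picks the more severe one.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type the system processes, with its FIPS 199 impacts."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _level(value):
    """Validate an impact level string; anything outside FIPS 199's three levels is an error."""
    if value not in LEVELS:
        raise ValueError(f"unknown impact level {value!r}; expected one of {list(LEVELS)}")
    return value


def categorize_system(info_types):
    """Return (per-objective levels, overall level) for an information system.

    For each security objective the system takes the highest impact assigned
    to that objective by any information type it carries (the high-water mark);
    the overall system level is the highest of the three objectives. That
    overall level is what selects the control baseline (5 FAM 1066.1-3 h).
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        obj: max((_level(getattr(t, obj)) for t in info_types), key=LEVELS.__getitem__)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=LEVELS.__getitem__)
    return per_objective, overall


def fips199_notation(per_objective):
    """Render the categorization in the SC = {(objective, impact), ...} form used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


def assessment_type(overall, low_cost):
    """Who may assess the system, per 5 FAM 1066.1-1(A) e and 1066.1-1(C) a.

    Only low-impact/low-cost systems may be self-assessed by the system owner;
    low-impact/high-cost, moderate and high systems need an independent assessor.
    """
    if overall == "LOW" and low_cost:
        return "self-assessment"
    return "independent assessment"


# Constructed sample: two information types carried by one hypothetical system.
SAMPLE_TYPES = [
    InformationType("case tracking records", "MODERATE", "LOW", "LOW"),
    InformationType("public schedule feed", "LOW", "LOW", "MODERATE"),
]


if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_TYPES)
    # SC = {(confidentiality, MODERATE), (integrity, LOW), (availability, MODERATE)}
    print(fips199_notation(per_obj))
    print("overall:", overall)  # overall: MODERATE
    # MODERATE is never self-assessable, whatever the cost: independent assessment
    print("assessment:", assessment_type(overall, low_cost=True))
```

Note that a single HIGH rating on any one objective of any one information type raises the whole system to HIGH, which is why categorization errors during iMatrix registration propagate directly into the wrong baseline.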

i. Using the SSP, system owners must document the information system security controls identified in the system baseline and verify each as planned, implemented, partially implemented, or not applicable. (See the IRM/IA Web site for the most current template.)

j. Baselined security controls must be implemented without exception.

k. System owners may enhance mandatory security controls without waiver or deviation (without changing the non-major application designation if the application has been identified as a non-major application). The SSP must document the enhancements, and these enhancements must be reported in the system's POA&M master database if they affect a material weakness or system vulnerability.

l. To strengthen a system's security posture without a waiver, exception, or deviation, system owners, in coordination with IRM/IA Bureau Coordinators, may add information security controls that are not mandatory for the selected security control baseline. These additional controls will not change a non-major application designation if the application has been identified as a non-major application. This process is known as the control tailoring process.

m. System owners must update the system's POA&M and report to the IRM/IA POA&M team the status of implementation and/or remediation of identified deficiencies in the information system security controls.

5 FAM 1066.1-3(A) Department Information Systems

(CT:IM-190; 03-21-2017)

a. IRM/IA must ensure systems authorization is performed on all Department information systems. (See 1 FAM 262.7-1 for SCI systems.)

b. IRM/IA must ensure system authorization is performed in accordance with the approved Department System Authorization Process Guide available on the IRM/IA Web site.

c. The Bureau of Diplomatic Security's Evaluation and Verification Program, in compliance with the FISMA reporting requirements, must evaluate and validate system security controls on a yearly basis at minimum. Location-specific system security controls must also be verified yearly as part of the systems authorization process. Results of these evaluations are reported to IRM/IA Bureau Coordinators and must be included in the system's POA&M. (See 1 FAM 266.2-4.)

d. Security control baselines for Department systems must be established in accordance with Department guidelines using the impact level established during the iMatrix registration process, and documented in the system's SSP prior to commencement of the A&A process. (Contact IRM/IA/ITSC A&A Bureau Coordinators for the most current security control guidelines.)

e. System owners are responsible for all funding required to perform A&A of their systems.

5 FAM 1066.1-3(B) Unclassified Non-Department-Owned Systems Processing Federal Information

(CT:IM-190; 03-21-2017)

a. The executive director (or equivalent level) for bureau-sponsored non-Department entities processing federal information on behalf of the Department must register these systems in the Department's iMatrix.

b. Security control baselines for non-Department systems must be established in accordance with Department guidelines, using the impact level established during the iMatrix registration process and the requisite contract security requirements, and documented in the system's SSP prior to commencement of the A&A process. The non-Department entities must document the baseline in the system's SSP, using the SSP template from NIST Special Publication 800-18. (Contact IRM/IA Bureau Coordinators for the most current security control guidelines.)

c. Contingency plans are required for non-Department-owned systems that process federal information on behalf of the Department. The non-Department entities must develop the contingency plans in accordance with NIST Special Publication 800-34 and ensure they are fully tested at least annually. The executive director (or equivalent level) for bureau-sponsored non-Department entities must ensure that the contingency plans have been tested and the results reported to IRM/IA/PLT.

d. The Department's Systems Authorization Process requires that a risk analysis be performed on non-Department-owned systems processing federal information on behalf of the Department.

e. The executive director (or equivalent level) for a bureau-sponsored non-Department entity responsible for the federal information being processed by the non-Department entity on behalf of the Department must report in the POA&M the status of remediation of identified deficiencies of the information system security controls contained in the baseline, as documented in the SSP.

f. System Authorization of unclassified non-Department-owned systems must be performed in accordance with the Department's System Authorization Process. The Department's System Authorization Process can be found in the A&A Tool Kit.

g. The executive director (or equivalent level) for bureaus sponsoring the non-Department entity processing or storing federal information on behalf of the Department must ensure the yearly self-assessments required for FISMA reporting are completed and the results provided to IRM/IA. See the A&A Tool Kit for the POA&M Process Guide.

5 FAM 1066.1-3(C) Classified Non-Department-Owned Systems Processing Federal Information

(CT:IM-190; 03-21-2017)

a. On behalf of the Department, the Cognizant Security Agency (CSA), in coordination with the Bureau of Diplomatic Security's Industrial Security Division (DS/IS/IND), performs A&A of classified non-Department-owned systems operated by commercial firms and consultants under contractual agreement with the Department. (See the National Industrial Security Program Operating Manual (NISPOM) and 12 FAM 570.)

b. Upon completion of A&A, DS/IS/IND must provide a copy of the accreditation package, as approved by the Department's AO, to DS for sensitive compartmented information (SCI) systems and to IRM/IA for all other systems. (See 1 FAM 271.2 e(7).)

c. DS/IS/IND must conduct the yearly assessments required for FISMA reporting for those commercial firms and consultants under contractual agreement processing classified information on behalf of the Department. DS/IS/IND must provide the results of these assessments to IRM/IA and to the executive director (or equivalent level) for the bureau sponsoring the non-Department entities, for inclusion in the sponsoring bureau's POA&M.

d. The sponsoring bureau must ensure the yearly self-assessments required for FISMA reporting are conducted for non-Department entities processing information on behalf of the Department without a contractual agreement with the Department (i.e., State, local government agencies, etc.). The sponsoring bureau must provide the results of these self-assessments to IRM/IA and to the executive director (or equivalent level) for the bureau sponsoring the non-Department entities, for inclusion in the sponsoring bureau's POA&M.

5 FAM 1066.1-4 Vulnerability Scanning

(CT:IM-190; 03-21-2017)

a. Using appropriate techniques and IT CCB-approved vulnerability scanning tools, DS/SI/CS Evaluation and Verification Program personnel must scan for vulnerabilities in the information system periodically, as well as when significant new vulnerabilities affecting the system are identified and reported.

b. Vulnerability scanning tools should include the capability to readily update the list of vulnerabilities scanned.

c. DS/SI/CS Evaluation and Verification Program personnel must update the list of information system vulnerabilities as new vulnerabilities are discovered.

d. Vulnerability scanning procedures must include steps to ensure adequate scan coverage, covering both the vulnerabilities checked and the information system components scanned.

e. DS/SI/CS must provide the results of periodic scanning to the CISO and the system owner.

5 FAM 1066.1-5 Systems Security Documentation

(CT:IM-190; 03-21-2017)

a. In support of the FISMA compliance requirements, the IRM/IA/ITSC/A&A Division maintains an active library of systems authorization and risk management documentation, which is used to support analysis of changes to approved operational baselines, re-evaluation of accepted risk, and as the reference source for entries in the Department's automated POA&M management tool.

b. As part of the Systems Authorization Process, system owners must provide current copies of their system's contingency plan and system security plan to the assessment team prior to requesting authorization of the system:

(1) The System Security Plan (SSP) and the Department's Contingency Plan (CP) must be up-to-date with the system's current configuration and system recovery requirements; and

(2) These documents must reflect the actual state of the security controls, including any modifications or changes made during the tailoring process of the security control baseline.

c. The executive director (or equivalent level) for a bureau-sponsored non-Department entity must ensure that current copies of the non-Department entity's system contingency plan, system security plan, and independent certifier's report are provided to IRM/IA.

d. Current and IRM/IA-approved copies of all guides, reference documents, and templates are posted and available on the IRM/IA Web site.

5 FAM 1066.2 Compliance Reporting (CR) Division

(CT:IM-190; 03-21-2017)

The CR Division is responsible for:

(1) Providing accurate, consistent, and timely reporting on IT security activities to internal and external entities.

(2) Managing the Plans of Action and Milestones (POA&M) that are identified during a system's A&A process, during an Office of Inspector General (OIG) audit or inspection, or during penetration testing.

(3) Managing the delivery of program and project management artifacts to support the Department's Cybersecurity compliance reporting.

(4) Overseeing the life cycle of POA&Ms and information security-related audit findings in support of the Department's Information Security Program.

(5) Coordinating IRM/IA responses to the annual Office of Inspector General (OIG) Audit of the Information Security Program at the Department of State.

(6) Additional IRM/IA reporting coordinated by the Compliance Reporting team includes responses to the President's Management Council (PMC) Agency Cyber Security Self-Assessment, the Cross Agency Priorities (CAP), the General Accountability Office (GAO), the Federal Managers Financial Integrity Act (FMFIA), the Office of Management and Budget (OMB), and other responses, as required.

5 FAM 1066.2-1 Reporting

(CT:IM-190; 03-21-2017)

a. The CISO, through the Compliance Reporting team, oversees the collection, correlation, and drafting of the FISMA annual assessment and quarterly updates for submittal to Congress, the Department of Homeland Security (DHS), and the Office of Management and Budget (OMB). These evaluations address the adequacy and effectiveness of the Department's cybersecurity program, information security policies, procedures, and practices, and their compliance with federal mandates.

b. In compliance with FISMA, managers of information systems projects and programs must develop and implement information security performance measures and include these measures in their project plans. Contact IRM/IA/ITSC for guidance on program outputs and outcome measurements.

c. IRM/IA/ITSC reports Security Content Automation Protocol (SCAP) data for the Federal Information Security Management Act (FISMA). The FISMA Monthly Data Feeds are mandated per OMB 10-15 and OMB 12-20. These XML reports are generated from Diplomatic Security and Enterprise Network Management by the fifth of each month. The XML reports are appended and uploaded into Cyberscope; the upload includes the XML along with Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Common Platform Enumeration (CPE) data.

d. The IRM/IA/ITSC Compliance Reporting team coordinates IRM/IA responses to the annual Office of Inspector General (OIG) Audit of the Information Security Program at the Department of State.

e. Additional IRM/IA reporting coordinated by the Compliance Reporting team includes responses to the President's Management Council (PMC) Agency Cyber Security Self-Assessment, the Cross Agency Priorities (CAP), the General Accountability Office (GAO), the Federal Managers Financial Integrity Act (FMFIA), the Office of Management and Budget (OMB), and other responses, as required.

f. IRM/IA/ITSC personnel represent the Department:

(1) On interagency and intra-agency boards, working groups, and councils with charters related to information security and critical infrastructure protection for non-SCI systems;

(2) With the Office of Management and Budget (OMB) regarding cyber-security issues;

(3) With responses to Congressional inquiries, in coordination with the Bureau of Legislative Affairs (H), on cyber-security issues; and

(4) With the Office of Inspector General (OIG) on cyber-security issues.

5 FAM 1066.2-2 Plan of Action & Milestones (POA&M) Management

(CT:IM-190; 03-21-2017)

a. A Plan of Action and Milestones (POA&M) describes the measures planned to: (i) correct any deficiencies noted during the assessment of the security and privacy controls; and (ii) reduce the risk of known vulnerabilities in the information system. It identifies: (i) the tasks needing to be accomplished; (ii) the resources required to accomplish the elements of the plan; and (iii) any milestones with scheduled completion dates.

b. A POA&M must have at least one milestone. Once a milestone has been accepted and closed, the record must be retained for one year. Milestones should be S.M.A.R.T.:

(1) Specific – target a specific area for improvement.

(2) Measurable – quantify or at least suggest an indicator of progress.

(3) Assignable – specify who will do it.

(4) Realistic – state what results can realistically be achieved, given available resources.

(5) Time-related – specify when the result(s) can be achieved.

c. A POA&M can be used for the following purposes:

(1) Assist management in identifying and tracking the progress of corrective actions;

(2) Assist agencies in closing their security and privacy performance gaps;

(3) Assist the Office of Inspector General (OIG) in evaluating agency security and privacy performance;

(4) Assist OMB with its oversight responsibilities and the budget formalization process; and

(5) Assist with Congressional oversight by providing pre-decisional budget information.

d. System owners must develop, implement, review, and update their POA&Ms in the Department Central POA&M repository in near-real-time (at minimum monthly).

(1) Weaknesses that can be remediated will receive detailed milestone activities, achievable planned completion dates, and the costs associated with this activity;

(2) Milestone dates will be met or updated on or before their scheduled completion dates;

(3) Changes to milestone dates must be approved by the AO;

(4) Compensating security controls must be applied to weaknesses when the control requirements can't be implemented for cost and/or technology reasons; and

(5) A risk acceptance letter must be submitted and approved by the AO prior to the Authorization when no or inadequate compensating controls can be implemented.

e. Requests for POA&M closure will be made to IRM/IA after the Bureau ISSO verifies and validates that:

(1) The closure form is complete and accurate; and

(2) All artifacts providing evidence that the control requirements have been met and the original weakness is adequately remediated are included.

(3) System owners will attend, in person or via VTC, and provide IRM/IA with the status of all open POA&Ms at least monthly; and

(4) Failure to properly remediate risk may result in a Denial of Authorization to Operate (DATO) or lead to loss of Authority to Operate (ATO).

f. The IRM/IA POA&M Team will:

(1) Provide a centralized repository for all Department-related POA&Ms;

(2) Independently verify and validate POA&M closure requests, and ensure remediation efforts are updated in the central repository;

(3) Provide workshops on how to use the central POA&M repository;

(4) Coordinate meetings between the system owner security team and security assessors when technical discussions are needed;

(5) Monitor and report the status of POA&Ms in the Department's Central POA&M repository to system owners and their security team, in near-real-time (at minimum monthly);

(6) Provide Bureau Executives and their security team with summary and detailed views of risks for their FISMA Information Systems that process, transmit, or store Department of State information; and

(7) Provide the CISO and AO with summary views of risks for all FISMA Information Systems that process, transmit, or store Department of State information.

5 FAM 1067 INFORMATION SYSTEMS MINIMUM SECURITY CONTROLS

(CT:IM-190; 03-21-2017)

a. This section comprises the minimum security controls for all information systems under the purview of the Department's CIO. The CIO has the overall authority to set the minimum security controls for systems at the Department that are designated unclassified up through collateral Top Secret (TS). IRM/IA has the governance and oversight responsibility for the Department's information security controls.

b. The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, mandates that all agencies implement these policies. These policies align with NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4.

c. Per NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, the Department must categorize its information/application systems as either Low [L], Moderate [M], or High [H] Impact (see 12 FAH-10 H-332). The applicability of the security controls listed below depends on the impact level assigned to the system.

d. IRM/IA, in coordination with the Office of Cybersecurity (DS/SI/CS), will annually review and update, as necessary, the security policies in this subchapter.

Access Control Policy and Procedures (AC-1)

Department-wide policy and procedures related to access controls are defined in 12 FAH-10 H-110. Policy and procedures are disseminated to individuals who are identified as having a role/responsibility in the authorization process. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Awareness and Training.

Department-wide policy and procedures related to awareness and training controls are defined in 12 FAH-10 H-210. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required. In addition to 5 FAH 312, bureau-specific / organization-specific policies and procedures may be required.

Audit and Accountability.

Department-wide policy and procedures related to audit and accountability controls are defined in 12 FAH-10 H-120. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Configuration Management.

Department-wide policy and procedures related to configuration management controls are defined in 12 FAH-10 H-220. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Contingency Planning.

Department-wide policy and procedures related to contingency planning controls are defined in 12 FAH-10 H-230. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Identification and Authentication.

Department-wide policy and procedures related to identification and authentication controls are defined in 12 FAH-10 H-130. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Incident Response.

Department-wide policy and procedures related to Incident Response controls are defined in 12 FAH-10 H-240. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Maintenance.

Department-wide policy and procedures related to Maintenance controls are defined in 12 FAH-10 H-250. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Media Protection.

Department-wide policy and procedures related to media protection controls are defined in 12 FAH-10 H-260. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required. Government issued media may only be used in the performance of assigned duties; personal use of government issued removable media is prohibited. Personally owned media are prohibited on all information systems.

Physical and Environmental.

Department-wide policy and procedures related to physical and environmental controls are defined in 12 FAH-10 H-270. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Planning.

Department-wide policy and procedures related to the planning controls are defined in 12 FAH-10 H-320. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Personnel Security.

Department-wide policy and procedures related to the personnel security controls are defined in 12 FAH-10 H-280. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

Risk Assessment.

Department-wide policy and procedures related to risk assessment controls are defined in 12 FAH-10 H-330. Department-wide risk management is defined in 5 FAM 1066. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

System and Services Acquisition.

Department-wide policy and procedures related to system and services acquisition controls are defined in 12 FAH-10 H-340. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

System and Communications Protection.

Department-wide policy and procedures related to system and communications protection controls are defined in 12 FAH-10 H-140. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.

System and Information Integrity.

Department-wide policy and procedures related to system and information integrity are defined in 12 FAH-10 H-290. These policies and procedures will be reviewed annually or as policy and procedures dictate changes are required.