Removal of Material Weakness for NMS Security and Access Controls
USAID ISSO
FFMIA Report and OMB Circular A-130
Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB
USAID identified 10 material weaknesses, including NMS security and access controls, in its CY-1997 Report.
The Agency CFO indicated remedial actions would be completed within 3 years (by FY-2001).
“The material weakness resulted from the level at which controls are implemented in the system, the design of access controls implemented in the system, audit trails of system activity, user identification and password administration, and access to sensitive Privacy Act information.”
OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources
"Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications."
OMB Circular A-130 defines 4 new Federal agency requirements for managing and protecting their information resources:
Assigning responsibility for security
Completing security plans for general support systems and major applications
Periodically reviewing security controls
Authorizing processing
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. Certification and Accreditation (C&A) Policy Approved
5. Certification and Accreditation (C&A) Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training (Users, Administrators, and Managers)
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
1. Conduct Risk Assessment
NMS Security Team (TAC 22) assisted by the ISS Team (TAC 07)
Establish risks for NMS operations at USAID/W, progressively including
– PRIME, T-Hub
– Beltsville
– 81 Foreign Missions
– Communications with foreign missions via DTS-PO, VSAT, and Internet
Deliver report on risk assessment and recommendations - Could be done as part of Certification Report
2. Technical Fixes
5 Key Security Vulnerabilities
Build Test Scenarios/Scripts - Certification
3. NMS Security Plan Actions
Review and approve remaining NMS Security Plan action items for implementation to bring NMS into compliance with security requirements from ADS, OMB A-130, FISCAM, and OIG Audit Reports. Initial action items include:
– Implement NMS audit trails
– Implement Operational and Management Change Procedures
4. C&A Policy Approved
Approve C&A Policy for NMS
5. C&A Plan
C&A Plan
C&A Definition
C&A Verification
C&A Validation
Prepare Certification Report and Accreditation Recommendation for ISSO and IRM director approval
C&A Post Accreditation Support
6. Roles & Responsibilities Approved
Delegate accreditation authority for core financial systems to the CFO
Assign the accreditation of general support systems to the CIO
Assign responsibility to the Director, IRM, for ISSPP and general support systems
Assign authority and responsibility to the USAID ISSO for ISSPP implementation
7. Delegate Systems Security Manager
Designate a security official to implement NMS C&A
8. NMS Security Training
Provide security input into current NMS training for users, administrators, and managers
9. Certification by IV&V Contractor
CFO selects IV&V contractor
CFO reviews and accepts IV&V contractor
10. Security Accreditation of NMS by CFO
Authorize NMS for processing
11. Audit by OIG
Verify substantial removal of the NMS security and access controls material weakness
12. Executive Brief and Close NMS Security Material Weakness
Include removal of NMS Security material weakness in the FFMIA annual report.
[Schedule chart: the 12 steps, from 1. Conduct Risk Assessment through 12. Executive Brief (Close NMS Security Material Weakness), plotted against the months Feb through Sep 2000, with NMS 4.81 and NMS 4.82 marked.]
[Diagram: date axis marked 02-01, 05-01, 07-01, 10-01 and 03-31 across 2000 and 2001. Labels: O.k.; Policy; ADS; C&A; Implementation of NMS Sec. Plan; OIG; IV&V; AWACS; NMS; FFMIA; Cairo & San Salvador; Momentum AID/W; IFMS; NMS.]
Confirmation of substantial removal of security material weakness by the Inspector General’s Office to the Administrator
FFMIA 2000 Report by the CFO to OMB asserting the removal of the security material weakness from 1997
Semiannual Report to Congress by the OIG confirming substantial removal of security material weakness