Deliverable # 922-053 U.S. Agency for International Development Security Plan For the New Management System (NMS) February 4, 2000 Prepared for the USAID Office of Information Resources Management By the USAID PRIME Contract GSA00K96AJD0012 TAC-22 NMS Security Team Computer Sciences Corporation USAID PRIME Principal Resource for Information Management Enterprise-wide This page intentionally left blank. ii Deliverable # 922-053 Security Plan For the USAID New Management System (NMS) February 4, 2000 Prepared for United States Agency for International Development Office of Information Resources Management Under Contract GSA00K96AJD0012 TAC 22 By the USAID PRIME Computer Sciences Corporation Approved by: ________________________ Mike Gold NMS Security Team Manager ________________________ John McKenna TAC 22 Manager _______________________ Kitty Richmond NMS Project Manager iii This page intentionally left blank iv OUTLINE The following comments describe the structure of the NMS Security Plan: Security Plans, executed according to federal guidelines, are voluminous in their attention to detail. To alert senior management to the most serious shortcomings and needs for action, we narrate and illustrate our findings and recommendations for NMS as a whole, and for each of the five main sections of the report, starting with a high level Executive Summary: EXECUTIVE SUMMARY………………….. - Requirements and Current Conditions .…... - Recommendations …..………………….… - Schedule of Remedial Actions …………… - Mission Connectivity………………….….. 1-page introduction 2-page summary for the entire NMS 1-page bulletized call for action 1-page illustration postulating a 3-year implementation 1-page argument for decoupling USAID/W from the missions - Descriptive Overview: ………………….. 2-page illustrated narratives for each of the 5 main sections, 1. System Identification describing the major vulnerabilities and proposed remedies 2. Protection of Sensitive Information 3. Management Controls 4. Operational Controls 5. Technical Controls - Tabular Overview: …………………..…. 2-page tabular indexes for management, operational, and technical Management Controls controls, indicating the state of compliance, risk, and priority. Operational Controls Technical Controls Each 1-line tabular index points to a section of the full-text report, which references the specific requirement stipulated for this category by federal regulations, ADS policy, and best practices. Main Body of the NMS Security Plan - Blue Tabs 1. 2. 3. 4. 5. SYSTEM IDENTIFICATION PROTECTION OF SENSITIVE INFORMATION MANAGEMENT CONTROLS OPERATIONAL CONTROLS TECHNICAL CONTROLS Requirements Compliance Recommendations The internal structure of the three "controls" sections consists of a narrative and tabular presentation of: Requirements, Compliance, and Recommendations, as shown in the sketch above. Appendices - White Tabs Appendix-A: Appendix-B: Appendix-C: Appendix-D: ABBREVIATIONS GLOSSARY REFERENCES RULES OF BEHAVIOR -------------------------------------------------------------------------------------------------------------------------------------For Comments and Recommendations on this report, please contact Mike Gold, PM, CSC: 703-465-7032 v TABLE OF CONTENTS Preface ....................................................................................................................................................................................... ix Executive Summary ............................................................................................................... ES-Error! Bookmark not defined. REQUIREMENTS AND CURRENT CONDITIONS .................................................. ES-ERROR! BOOKMARK NOT DEFINED. RECOMMENDATIONS ............................................................................................... ES-ERROR! BOOKMARK NOT DEFINED. SCHEDULE OF REMEDIAL ACTIONS .................................................................... ES-ERROR! BOOKMARK NOT DEFINED. MISSION CONNECTIVITY ........................................................................................ ES-ERROR! BOOKMARK NOT DEFINED. DESCRIPTIVE OVERVIEW ........................................................................................ ES-ERROR! BOOKMARK NOT DEFINED. TABULAR OVERVIEW .................................................................................................................................................... ES-11 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 SYSTEM IDENTIFICATION ........................................................................................... Error! Bookmark not defined. NAME AND TITLE ........................................................................................................... ERROR! BOOKMARK NOT DEFINED. RESPONSIBLE ORGANIZATIONS ...................................................................................... ERROR! BOOKMARK NOT DEFINED. INFORMATION CONTACTS .............................................................................................. ERROR! BOOKMARK NOT DEFINED. ASSIGNMENT OF SECURITY RESPONSIBILITY ................................................................. ERROR! BOOKMARK NOT DEFINED. SYSTEM OPERATIONAL STATUS ..................................................................................... ERROR! BOOKMARK NOT DEFINED. GENERAL DESCRIPTION AND PURPOSE .......................................................................... ERROR! BOOKMARK NOT DEFINED. SYSTEM ENVIRONMENT ................................................................................................. ERROR! BOOKMARK NOT DEFINED. SYSTEM INTERCONNECTION AND INFORMATION SHARING ............................................ ERROR! BOOKMARK NOT DEFINED. 2 REQUIREMENTS FOR PROTECTION OF SENSITIVE INFORMATION AND SYSTEMSError! Bookmark not defined. 2.1 MISSION CRITICALITY.................................................................................................... ERROR! BOOKMARK NOT DEFINED. 2.2 INFORMATION SENSITIVITY ........................................................................................... ERROR! BOOKMARK NOT DEFINED. 3 MANAGEMENT CONTROLS ......................................................................................... Error! Bookmark not defined. 3.1 RISK ASSESSMENT AND MANAGEMENT ......................................................................... ERROR! BOOKMARK NOT DEFINED. 3.2 REVIEW OF SECURITY CONTROLS ................................................................................. ERROR! BOOKMARK NOT DEFINED. 3.3 RULES OF BEHAVIOR ..................................................................................................... ERROR! BOOKMARK NOT DEFINED. 3.4 PLANNING FOR SECURITY IN THE LIFE CYCLE ............................................................... ERROR! BOOKMARK NOT DEFINED. 3.5 INITIATION PHASE .......................................................................................................... ERROR! BOOKMARK NOT DEFINED. 3.6 DEVELOPMENT AND ACQUISITION PHASE ...................................................................... ERROR! BOOKMARK NOT DEFINED. 3.7 IMPLEMENTATION PHASE............................................................................................... ERROR! BOOKMARK NOT DEFINED. 3.8 OPERATIONS AND MAINTENANCE PHASE ...................................................................... ERROR! BOOKMARK NOT DEFINED. 3.9 DISPOSAL PHASE............................................................................................................ ERROR! BOOKMARK NOT DEFINED. 3.10 AUTHORIZATION OF PROCESSING ................................................................................ ERROR! BOOKMARK NOT DEFINED. 4 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 5 5.1 5.2 5.3 5.4 OPERATIONAL CONTROLS .......................................................................................... Error! Bookmark not defined. PERSONNEL SECURITY ................................................................................................... ERROR! BOOKMARK NOT DEFINED. PHYSICAL AND ENVIRONMENTAL PROTECTION ............................................................. ERROR! BOOKMARK NOT DEFINED. INPUT/OUTPUT CONTROLS ............................................................................................. ERROR! BOOKMARK NOT DEFINED. CONTINGENCY PLANNING.............................................................................................. ERROR! BOOKMARK NOT DEFINED. APPLICATION SOFTWARE MAINTENANCE CONTROLS .................................................... ERROR! BOOKMARK NOT DEFINED. DATA INTEGRITY/VALIDATION CONTROLS .................................................................... ERROR! BOOKMARK NOT DEFINED. DOCUMENTATION .......................................................................................................... ERROR! BOOKMARK NOT DEFINED. SECURITY AWARENESS AND TRAINING.......................................................................... ERROR! BOOKMARK NOT DEFINED. TECHNICAL CONTROLS ............................................................................................... Error! Bookmark not defined. IDENTIFICATION AND AUTHENTICATION ........................................................................ ERROR! BOOKMARK NOT DEFINED. LOGICAL ACCESS CONTROLS ......................................................................................... ERROR! BOOKMARK NOT DEFINED. PUBLIC ACCESS CONTROLS ........................................................................................... ERROR! BOOKMARK NOT DEFINED. AUDIT TRAILS ................................................................................................................ ERROR! BOOKMARK NOT DEFINED. vi Appendix A: ABBREVIATIONS & ACRONYMS ........................................................... A-Error! Bookmark not defined. Appendix B: GLOSSARY ...................................................................................................... B-Error! Bookmark not defined. Appendix C: REFERENCES ................................................................................................. C-Error! Bookmark not defined. Appendix D: RULES OF BEHAVIOR ................................................................................. D-Error! Bookmark not defined. Appendix E: RECOMMENDED ACTION PLAN .............................................................. E-Error! Bookmark not defined. vii This page intentionally left blank viii Preface Congressional Legislation and Federal Regulations require Federal Agencies to establish and maintain Security Plans for each major application of their information infrastructure, and to enforce them with renewed vigor in response to Presidential Decision Directive 63: “Protecting American Critical Infrastructure.” Computer Security Act of 1987, 2(b)(3): "The purposes of this Act are…to require establishment of security plans by all operators of Federal computer security systems that contain sensitive information. …"Within one year after the date of enactment of this Act, each Agency shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949, establish a plan for the security and privacy of each Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. …Copies of each such plan shall be transmitted to the National Bureau of Standards and the National Security Agency for advice and comment. A summary of such plan shall be included in the agency's five year plan required by section 3505 of Title 44, United States Code. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget. Such plan shall be revised annually as necessary." Privacy Act of 1974, (e)(10): "Each agency that maintains a system of records shall establish appropriate administrative, technical, and physical safeguards, to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." OMB Circular-A-130, Appendix-III: Management of Information Resources defines Federal agency requirements for managing and protecting their information resources. The Appendix sets four new requirements for the protection of information resources: Assigning responsibility for security Completing security plans for general support systems and major applications Periodically reviewing security controls Authorizing processing NIST 800-12, 6.5: "…These plans ensure that each Federal and Federal interest system has appropriate and cost-effective security. System-level security personnel should be in a position to develop and implement security plans... All security plans, at a minimum, should be marked, handled, and controlled to the level of sensitivity determined by organizational policy." ix This page intentionally left blank x TABULAR OVERVIEW This Overview shows the degree of NMS compliance with requirements for management, operational, and technical controls. The tables on the following pages state Compliance with Security Requirements on the left, and Recommendations for remediation of vulnerabilities and material weaknesses on the right, as shown below: Degree of Compliance Section Number Responsible Organization Priority Current Risk Action Reference Recommendations Responsibility Priority: H=High M=Moderate L=Low Priority Risk: H=High M=Moderate L=Low Recommended Actions Risk No Partially Yes Section ID State of Compliance Action Reference Compliance with Security Requirements Controls In Place? Figure ES-13. Example, Tabular Overview, Compliance of “NMS” & Recommendations Compliance with Security Requirements for each Section and Sub-section are annotated as to the extent to which controls for “NMS” security are in place: Yes = Fully compliant as required Partial = Incomplete, undocumented, or documented but not enforced No = Not compliant The Risk of Not Correcting the Vulnerability is estimated as being: H M L = = = High, seriously endangers mission-critical operations of USAID Moderate, poses a material threat to USAID operations Low, affects routine local operations that can readily be remedied In many cases, de facto controls were found to exist for NMS. But federal regulations and guidance require documented procedures for the control of management, operational, and technical functions as a prerequisite for security accreditation and fiscal certification. Organizations inferred to be Responsible for correcting the noted security requirements include: FM, IRM, and PRIME. The “NMS Security Plan” is a living document with major updates scheduled at least every three years. Comments, corrections, and recommendations are welcome and may addressed to Mr. Mike Gold, Project Manager for the PRIME NMS Security Team: 703-465-7032. [Note that NMS remains operational and the detail to this Security Plan has not been released.]