Deliverable # 922-053
U.S. Agency for
International Development
Security Plan
For the
New Management System
(NMS)
February 4, 2000
Prepared for the
USAID Office of Information Resources Management
By the
USAID PRIME
Contract GSA00K96AJD0012 TAC-22
NMS Security Team
Computer Sciences Corporation
USAID
PRIME
Principal Resource for
Information Management Enterprise-wide
This page intentionally left blank.
ii
Deliverable # 922-053
Security Plan
For the
USAID New Management System
(NMS)
February 4, 2000
Prepared for
United States Agency for International Development
Office of Information Resources Management
Under
Contract GSA00K96AJD0012 TAC 22
By the
USAID PRIME
Computer Sciences Corporation
Approved by:
________________________
Mike Gold
NMS Security Team Manager
________________________
John McKenna
TAC 22 Manager
_______________________
Kitty Richmond
NMS Project Manager
iii
This page intentionally left blank
iv
OUTLINE
The following comments describe the structure of the NMS Security Plan:
Security Plans, executed according to federal guidelines, are voluminous in their attention to detail. To alert senior
management to the most serious shortcomings and needs for action, we narrate and illustrate our findings and
recommendations for NMS as a whole, and for each of the five main sections of the report, starting with a high level
Executive Summary:
EXECUTIVE SUMMARY…………………..
- Requirements and Current Conditions .…...
- Recommendations …..………………….…
- Schedule of Remedial Actions ……………
- Mission Connectivity………………….…..
1-page introduction
2-page summary for the entire NMS
1-page bulletized call for action
1-page illustration postulating a 3-year implementation
1-page argument for decoupling USAID/W from the missions
- Descriptive Overview: ………………….. 2-page illustrated narratives for each of the 5 main sections,
1. System Identification
describing the major vulnerabilities and proposed remedies
2. Protection of Sensitive Information
3. Management Controls
4. Operational Controls
5. Technical Controls
- Tabular Overview: …………………..…. 2-page tabular indexes for management, operational, and technical
 Management Controls
controls, indicating the state of compliance, risk, and priority.
 Operational Controls
 Technical Controls
Each 1-line tabular index points to a section of the full-text report,
which references the specific requirement stipulated for this category
by federal regulations, ADS policy, and best practices.
Main Body of the NMS Security Plan - Blue Tabs
1.
2.
3.
4.
5.
SYSTEM IDENTIFICATION
PROTECTION OF SENSITIVE INFORMATION
MANAGEMENT CONTROLS
OPERATIONAL CONTROLS
TECHNICAL CONTROLS
Requirements
Compliance
Recommendations
The internal structure of the three "controls" sections consists of a narrative and tabular presentation of:
Requirements, Compliance, and Recommendations, as shown in the sketch above.
Appendices - White Tabs
Appendix-A:
Appendix-B:
Appendix-C:
Appendix-D:
ABBREVIATIONS
GLOSSARY
REFERENCES
RULES OF BEHAVIOR
-------------------------------------------------------------------------------------------------------------------------------------For Comments and Recommendations on this report, please contact Mike Gold, PM, CSC: 703-465-7032
v
TABLE OF CONTENTS
Preface ....................................................................................................................................................................................... ix
Executive Summary ............................................................................................................... ES-Error! Bookmark not defined.
REQUIREMENTS AND CURRENT CONDITIONS .................................................. ES-ERROR! BOOKMARK NOT DEFINED.
RECOMMENDATIONS ............................................................................................... ES-ERROR! BOOKMARK NOT DEFINED.
SCHEDULE OF REMEDIAL ACTIONS .................................................................... ES-ERROR! BOOKMARK NOT DEFINED.
MISSION CONNECTIVITY ........................................................................................ ES-ERROR! BOOKMARK NOT DEFINED.
DESCRIPTIVE OVERVIEW ........................................................................................ ES-ERROR! BOOKMARK NOT DEFINED.
TABULAR OVERVIEW .................................................................................................................................................... ES-11
1
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
SYSTEM IDENTIFICATION ........................................................................................... Error! Bookmark not defined.
NAME AND TITLE ........................................................................................................... ERROR! BOOKMARK NOT DEFINED.
RESPONSIBLE ORGANIZATIONS ...................................................................................... ERROR! BOOKMARK NOT DEFINED.
INFORMATION CONTACTS .............................................................................................. ERROR! BOOKMARK NOT DEFINED.
ASSIGNMENT OF SECURITY RESPONSIBILITY ................................................................. ERROR! BOOKMARK NOT DEFINED.
SYSTEM OPERATIONAL STATUS ..................................................................................... ERROR! BOOKMARK NOT DEFINED.
GENERAL DESCRIPTION AND PURPOSE .......................................................................... ERROR! BOOKMARK NOT DEFINED.
SYSTEM ENVIRONMENT ................................................................................................. ERROR! BOOKMARK NOT DEFINED.
SYSTEM INTERCONNECTION AND INFORMATION SHARING ............................................ ERROR! BOOKMARK NOT DEFINED.
2
REQUIREMENTS FOR PROTECTION OF SENSITIVE INFORMATION AND SYSTEMSError! Bookmark not
defined.
2.1 MISSION CRITICALITY.................................................................................................... ERROR! BOOKMARK NOT DEFINED.
2.2 INFORMATION SENSITIVITY ........................................................................................... ERROR! BOOKMARK NOT DEFINED.
3
MANAGEMENT CONTROLS ......................................................................................... Error! Bookmark not defined.
3.1 RISK ASSESSMENT AND MANAGEMENT ......................................................................... ERROR! BOOKMARK NOT DEFINED.
3.2 REVIEW OF SECURITY CONTROLS ................................................................................. ERROR! BOOKMARK NOT DEFINED.
3.3 RULES OF BEHAVIOR ..................................................................................................... ERROR! BOOKMARK NOT DEFINED.
3.4 PLANNING FOR SECURITY IN THE LIFE CYCLE ............................................................... ERROR! BOOKMARK NOT DEFINED.
3.5 INITIATION PHASE .......................................................................................................... ERROR! BOOKMARK NOT DEFINED.
3.6 DEVELOPMENT AND ACQUISITION PHASE ...................................................................... ERROR! BOOKMARK NOT DEFINED.
3.7 IMPLEMENTATION PHASE............................................................................................... ERROR! BOOKMARK NOT DEFINED.
3.8 OPERATIONS AND MAINTENANCE PHASE ...................................................................... ERROR! BOOKMARK NOT DEFINED.
3.9 DISPOSAL PHASE............................................................................................................ ERROR! BOOKMARK NOT DEFINED.
3.10 AUTHORIZATION OF PROCESSING ................................................................................ ERROR! BOOKMARK NOT DEFINED.
4
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
5
5.1
5.2
5.3
5.4
OPERATIONAL CONTROLS .......................................................................................... Error! Bookmark not defined.
PERSONNEL SECURITY ................................................................................................... ERROR! BOOKMARK NOT DEFINED.
PHYSICAL AND ENVIRONMENTAL PROTECTION ............................................................. ERROR! BOOKMARK NOT DEFINED.
INPUT/OUTPUT CONTROLS ............................................................................................. ERROR! BOOKMARK NOT DEFINED.
CONTINGENCY PLANNING.............................................................................................. ERROR! BOOKMARK NOT DEFINED.
APPLICATION SOFTWARE MAINTENANCE CONTROLS .................................................... ERROR! BOOKMARK NOT DEFINED.
DATA INTEGRITY/VALIDATION CONTROLS .................................................................... ERROR! BOOKMARK NOT DEFINED.
DOCUMENTATION .......................................................................................................... ERROR! BOOKMARK NOT DEFINED.
SECURITY AWARENESS AND TRAINING.......................................................................... ERROR! BOOKMARK NOT DEFINED.
TECHNICAL CONTROLS ............................................................................................... Error! Bookmark not defined.
IDENTIFICATION AND AUTHENTICATION ........................................................................ ERROR! BOOKMARK NOT DEFINED.
LOGICAL ACCESS CONTROLS ......................................................................................... ERROR! BOOKMARK NOT DEFINED.
PUBLIC ACCESS CONTROLS ........................................................................................... ERROR! BOOKMARK NOT DEFINED.
AUDIT TRAILS ................................................................................................................ ERROR! BOOKMARK NOT DEFINED.
vi
Appendix A: ABBREVIATIONS & ACRONYMS ........................................................... A-Error! Bookmark not defined.
Appendix B: GLOSSARY ...................................................................................................... B-Error! Bookmark not defined.
Appendix C: REFERENCES ................................................................................................. C-Error! Bookmark not defined.
Appendix D: RULES OF BEHAVIOR ................................................................................. D-Error! Bookmark not defined.
Appendix E: RECOMMENDED ACTION PLAN .............................................................. E-Error! Bookmark not defined.
vii
This page intentionally left blank
viii
Preface
Congressional Legislation and Federal Regulations require Federal Agencies to establish and maintain
Security Plans for each major application of their information infrastructure, and to enforce them with
renewed vigor in response to Presidential Decision Directive 63: “Protecting American Critical
Infrastructure.”
Computer Security Act of 1987, 2(b)(3):
"The purposes of this Act are…to require establishment of security plans by all operators of Federal
computer security systems that contain sensitive information.
…"Within one year after the date of enactment of this Act, each Agency shall, consistent with the
standards, guidelines, policies, and regulations prescribed pursuant to section 111(d) of the Federal
Property and Administrative Services Act of 1949, establish a plan for the security and privacy of each
Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with
the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification
of the information contained in such system.
…Copies of each such plan shall be transmitted to the National Bureau of Standards and the National
Security Agency for advice and comment. A summary of such plan shall be included in the agency's five
year plan required by section 3505 of Title 44, United States Code. Such plan shall be subject to
disapproval by the Director of the Office of Management and Budget. Such plan shall be revised
annually as necessary."
Privacy Act of 1974, (e)(10):
"Each agency that maintains a system of records shall establish appropriate administrative, technical,
and physical safeguards, to protect against any anticipated threats or hazards to their security or
integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any
individual on whom information is maintained."
OMB Circular-A-130, Appendix-III:
Management of Information Resources defines Federal agency requirements for managing and protecting
their information resources. The Appendix sets four new requirements for the protection of information
resources:




Assigning responsibility for security
Completing security plans for general support systems and major applications
Periodically reviewing security controls
Authorizing processing
NIST 800-12, 6.5:
"…These plans ensure that each Federal and Federal interest system has appropriate and cost-effective
security. System-level security personnel should be in a position to develop and implement security
plans... All security plans, at a minimum, should be marked, handled, and controlled to the level of
sensitivity determined by organizational policy."
ix
This page intentionally left blank
x
TABULAR OVERVIEW
This Overview shows the degree of NMS compliance with requirements for management, operational, and technical
controls.
The tables on the following pages state Compliance with Security Requirements on the left, and Recommendations for
remediation of vulnerabilities and material weaknesses on the right, as shown below:
Degree of Compliance
Section
Number
Responsible
Organization
Priority
Current Risk
Action
Reference
Recommendations
Responsibility
Priority: H=High M=Moderate L=Low
Priority
Risk: H=High M=Moderate L=Low
Recommended Actions
Risk
No
Partially
Yes
Section ID
State of Compliance
Action Reference
Compliance with Security Requirements
Controls
In Place?
Figure ES-13. Example, Tabular Overview, Compliance of “NMS” & Recommendations
Compliance with Security Requirements for each Section and Sub-section are annotated as to the extent to which
controls for “NMS” security are in place:
Yes
=
Fully compliant as required
Partial =
Incomplete, undocumented, or documented but not enforced
No
=
Not compliant
The Risk of Not Correcting the Vulnerability is estimated as being:
H
M
L
=
=
=
High, seriously endangers mission-critical operations of USAID
Moderate, poses a material threat to USAID operations
Low, affects routine local operations that can readily be remedied
In many cases, de facto controls were found to exist for NMS. But federal regulations and guidance require
documented procedures for the control of management, operational, and technical functions as a prerequisite for
security accreditation and fiscal certification.
Organizations inferred to be Responsible for correcting the noted security requirements include: FM, IRM, and
PRIME.
The “NMS Security Plan” is a living document with major updates scheduled at least every three years. Comments,
corrections, and recommendations are welcome and may addressed to Mr. Mike Gold, Project Manager for the PRIME
NMS Security Team: 703-465-7032.
[Note that NMS remains operational and the detail to this Security Plan has not been released.]