wo_6683-6684 - USDA Forest Service

6683-6684
Page 1 of 127
FOREST SERVICE MANUAL
NATIONAL HEADQUARTERS (WO)
WASHINGTON, DC
FSM 6600 - SYSTEMS MANAGEMENT
CHAPTER 6680 - SECURITY OF INFORMATION, INFORMATION SYSTEMS, AND
INFORMATION TECHNOLOGY
Amendment No.: 6600-2015-2
Effective Date: February 5, 2015
Duration: This amendment is effective until superseded or removed.
Approved: J. LENISE LAGO
Deputy Chief for Business Operations
Date Approved: 01/29/2015
Posting Instructions: Amendments are numbered consecutively by title and calendar year.
Post by document; remove the entire document and replace it with this amendment. Retain this
transmittal as the first page(s) of this document. The last amendment to this title was
6600-2015-1 to FSM 6680-6682.
New Document: 6683-6684, 127 Pages
Superseded Document(s) (Interim Directive Number and Effective Date): 6683-6684 (Amendment No. 6600-2010-1, 05/29/2010), 109 Pages
Digest:
6680 - Revises and clarifies direction throughout the entire chapter.
WO AMENDMENT 6600-2015-2
EFFECTIVE DATE: 02/05/2015
DURATION: This amendment is effective until superseded or removed.
6683-6684
Page 2 of 127
FSM 6600 – SYSTEMS MANAGEMENT
CHAPTER 6680 - SECURITY OF INFORMATION, INFORMATION SYSTEMS,
AND INFORMATION TECHNOLOGY
Table of Contents
6683 - SECURITY OPERATIONAL CONTROLS ........................................................... 6
6683.01 - Authority [Reserved] .............................................................................................. 6
6683.02 - Objective ................................................................................................................. 6
6683.03 - Policy [Reserved] ................................................................................................... 6
6683.04 - Responsibility ......................................................................................................... 6
6683.04a - Chief Information Officer ..................................................................................... 6
6683.04b - Line Officers ......................................................................................................... 9
6683.04c - Information System Security Program Manager .................................................. 9
6683.04d - Information System Security Officers ................................................................ 14
6683.04e - System Owners ................................................................................................... 15
6683.04f - Vulnerability Manager [Reserved] ...................................................................... 17
6683.04g - Information System Contingency Planning Coordinator ................................... 17
6683.04h - Information Technology Asset Managers .......................................................... 18
6683.04i - Network Operations Manager ............................................................................. 18
6683.04j - Network Administrators ...................................................................................... 18
6683.04k - Information Technology System Administrators ............................................... 19
6683.04l - Data Center Managers [Reserved] ....................................................................... 20
6683.04m - Information Technology Controlled or Restricted Space Employees ............... 20
6683.04n - Acquisition Management .................................................................................... 21
6683.04o - Security System Administrators ......................................................................... 23
6683.04p - Human Resources Management ......................................................................... 23
6683.04q - Law Enforcement and Investigations ................................................................. 25
6683.04r - Facility Managers ................................................................................................ 26
6683.04s - Facility Engineers ............................................................................................... 26
6683.04t - Supervisors .......................................................................................................... 27
6683.04u - Employees .......................................................................................................... 29
6683.04v - End Users ............................................................................................................ 30
6683.04w - Local Site Coordinator ....................................................................................... 32
6683.04x - Forest Service Computer Incident Response Team Leader ................................ 32
6683.05 - Definitions [Reserved] .......................................................................................... 33
6683.06 - References [Reserved] .......................................................................................... 33
6683.07 - Team, Committee, and Group Responsibility ...................................................... 33
6683.07a - Computer Incident Response Team .................................................................... 33
6683.07b - Information System Users .................................................................................. 34
6683.1 - Media .......................................................................................................................... 34
6683.11 - Media Protection................................................................................................... 34
6683.11a - Media Access ...................................................................................................... 35
6683.11b - Media Marking ................................................................................................... 35
6683.11c - Media Storage ..................................................................................................... 35
6683.11d - Media Transport ................................................................................................. 35
6683.11e - Media Sanitization and Disposal ........................................................................ 36
6683.2 - Personnel Security ...................................................................................................... 36
6683.21 - Separation of Duties ............................................................................................. 36
6683.22 - Personnel Screening.............................................................................................. 38
6683.23 - Personnel Hiring, Transfer, and Separation .......................................................... 40
6683.23a - Personnel Hiring and Security Awareness .......................................................... 40
6683.23b - Personnel Termination ........................................................................................ 41
6683.23c - Personnel Transfer .............................................................................................. 42
6683.23d - Long-term Absence ............................................................................................ 43
6683.23e - Access Agreements ............................................................................................. 43
6683.23f - Third-Party Personnel Security ........................................................................... 44
6683.23g - Physical Security ................................................................................................ 44
6683.24 - Appropriate Use of Information Technology Resources ...................................... 46
6683.24a - Limited Personal Use .......................................................................................... 47
6683.24b - Proper Representation......................................................................................... 47
6683.24c - Inappropriate Personal Uses ............................................................................... 47
6683.24d - Peer-to-Peer Networking, Networked Collaboration Tools, and Instant Messaging ........ 49
6683.24e - “Back Door” Access ........................................................................................... 50
6683.24f - Elevated Privileges .............................................................................................. 50
6683.24g - Software Usage/User Installed Software Restrictions, Including Freeware and Shareware ........ 50
6683.24h - Privacy Expectations .......................................................................................... 52
6683.24i - Sanctions for Misuse ........................................................................................... 52
6683.3 - Physical and Environmental Protection...................................................................... 53
6683.31 - Physical Access Authorizations............................................................................ 53
6683.32 - Visitor Control ...................................................................................................... 54
6683.33 - Information Technology Facilities ....................................................................... 55
6683.34 - Delivery and Removal of IT Related Items .......................................................... 60
6683.4 - Information Technology Contingency Planning ........................................................ 60
6683.41 - Continuity of Operations Plan ............................................................................... 64
6683.42 - Contingency Training ........................................................................................... 64
6683.43 - Contingency Plan Testing ..................................................................................... 64
6683.43a - Continuity of Operations (COOP) Plan Testing Requirements .......................... 65
6683.43b - Business Resumption Plan Testing Requirements ............................................. 65
6683.43c - Backup and Recovery Plan Testing Requirements ............................................. 65
6683.44 - Alternate Storage Sites ......................................................................................... 65
6683.45 - Alternate Processing Sites .................................................................................... 66
6683.46 - Telecommunications Services .............................................................................. 67
6683.47 - Information System Backup ................................................................................. 67
6683.48 - Information System Recovery and Reconstitution ............................................... 69
6683.48a - Disaster Recovery and Reconstitution ................................................................ 70
6683.5 - Hardware and System Software Maintenance ............................................................ 71
6683.51 - Controlled and Remote Maintenance and Maintenance Tools ............................. 71
6683.52 - Maintenance Personnel ......................................................................................... 73
6683.53 - Timely Maintenance ............................................................................................. 73
6683.6 - Security Awareness and Training ............................................................................... 74
6683.6a - Security Awareness ............................................................................................... 74
6683.6b - Security Training .................................................................................................. 75
6683.61 - Security Training Records .................................................................................... 76
6683.7 - Computer Incident Response Capability .................................................................... 76
6683.71 - Incident Handling, Monitoring, and Reporting .................................................... 76
6683.72 - Incident Response Training and Testing .............................................................. 79
6683.8 - System and Services Acquisition ............................................................................... 80
6683.8a - Allocation of Resources ........................................................................................ 80
6683.8b - Acquisitions .......................................................................................................... 80
6683.9 - Security Engineering Principles ................................................................................. 81
6683.91 - External Information System Services ................................................................. 81
6683.91a - Developer Configuration Management............................................................... 81
6683.91b - Developer Security Testing ................................................................................ 81
6683.91c - System and Information Integrity ....................................................................... 82
6683.92 - Flaw Remediation ................................................................................................. 84
6683.93 - Malicious Code Protection and Spam Control ..................................................... 84
6683.94 - Information System Monitoring ........................................................................... 85
6683.95 - Security Alerts and Advisories ............................................................................. 86
6683.96 - Software and Information Integrity ...................................................................... 86
6683.97 - Information Input Restrictions.............................................................................. 86
6683.98 - Information Input Validation ................................................................................ 87
6683.98a - Error Handling .................................................................................................... 87
6683.99 - Information Output Handling and Retention ........................................................ 88
6683.99a - Risk Assessment ................................................................................................. 88
6683.99b - Security Categorization ...................................................................................... 88
6683.99c - Vulnerability Scanning ....................................................................................... 89
6684 - TECHNICAL CONTROLS ................................................................................. 89
6684.01 - Authority [Reserved] ............................................................................................ 89
6684.02 - Objective ............................................................................................................... 89
6684.04 - Responsibility ....................................................................................................... 90
6684.04a - Chief Information Officer ................................................................................... 90
6684.04b - Information System Security Program Manager ................................................ 90
6684.04c - Information System Security Officers ................................................................ 93
6684.04d - Supervisors ......................................................................................................... 95
6684.04e - End Users ............................................................................................................ 95
6684.04f - System Administrators ........................................................................................ 96
6684.04g - System Owners ................................................................................................... 98
6684.04h - Information Owners ............................................................................................ 99
6684.04i - Account Requesters ............................................................................................. 99
6684.04j - Generic System Access Account Managers ........................................................ 99
6684.04k - Account Sponsors ............................................................................................. 100
6684.1 - Password Management ............................................................................................. 101
6684.11 - Password Procedures .......................................................................................... 101
6684.12 - Password Content Requirements ........................................................................ 103
6684.2 - Access Controls ........................................................................................................ 103
6684.21 - Account Management ......................................................................................... 107
6684.22 - Access Enforcement ........................................................................................... 108
6684.23 - Separation of Duties and Least Privilege............................................................ 108
6684.24 - Management of Generic and Guest Accounts .................................................... 109
6684.25 - Public Access Content ........................................................................................ 109
6684.26 - Wireless Access Restrictions .............................................................................. 110
6684.27 - Remote Access ................................................................................................... 110
6684.28 - Portable and Mobile Devices .............................................................................. 112
6684.29 - Use of External Information Systems and Publicly Accessible Content ............ 113
6684.3 - Security Monitoring/Audit Controls......................................................................... 113
6684.31 - Auditable Events................................................................................................. 116
6684.32 - Content of Audit Records ................................................................................... 116
6684.33 - Response to Audit Processing Failures and Audit Review, Analysis, and Reporting and Audit Reduction and Report Generation ........ 117
6684.34 - Time Stamps ....................................................................................................... 118
6684.35 - Protection of Audit Information ......................................................................... 118
6684.36 - Audit Storage Capacity and Retention ............................................................... 119
6684.37 - Audit Generation ................................................................................................ 119
6684.4 - System and Communications Protections ................................................................ 119
6684.41 - Public Key Infrastructure Certificates ................................................................ 120
6684.42 - Mobile Code ....................................................................................................... 120
6684.43 - Use of Cryptography .......................................................................................... 120
6684.5 - Device Identification and Authentication ................................................................. 120
6684.6 - Network Security ...................................................................................................... 121
6684.61 - Network Perimeter Management/Boundary Protection...................................... 121
6684.62 - Secure Name/Address Resolution Service and Session Authenticity ................ 126
6684.63 - Transmission Integrity and Confidentiality ........................................................ 126
6684.7 - Public Access Protections......................................................................................... 127
6684.8 - Information in Shared Resources ............................................................................. 127
6683 - SECURITY OPERATIONAL CONTROLS
6683.01 - Authority [Reserved]
6683.02 - Objective
The objective of operational security controls is to protect the confidentiality, integrity, and
availability of the information, information systems, and information technology (IT) that
support the Forest Service mission by:
1. Mitigating risks to Forest Service information, physical resources, operation, or image
that can result either intentionally or accidentally from insufficiently secured or
inappropriately used IT resources.
2. Ensuring that employees are clearly and explicitly informed about requirements and
procedures regarding the security and use of IT resources.
3. Providing an effective Forest Service response to security threats and breaches.
6683.03 - Policy [Reserved]
6683.04 - Responsibility
6683.04a - Chief Information Officer
The Forest Service Chief Information Officer has overall responsibility for the Forest Service’s
program and management of operational security controls for information, information systems,
and information technology (IT).
The Chief Information Officer is responsible for:
1. Establishing and maintaining an effective program for screening each user of Forest
Service information systems commensurate with the risk and magnitude of harm they
could cause to that system.
2. Ensuring that the security and integrity of Forest Service information systems are
protected by proper implementation of backup and recovery plans and procedures.
3. Designating an Information System Contingency Planning Coordinator (CPC).
4. Ensuring that appropriate training and certification opportunities are available to those
with a role or responsibility in developing or implementing information system
contingency plans.
5. Ensuring that IT contingency plans are developed and approved for all corporate
information systems.
6. Ensuring that resources and facilities needed for disaster recovery and business
resumption, such as alternate backup or operations sites, are available.
7. Establishing an overall Forest Service IT security awareness and training strategy.
8. Ensuring that Forest Service IT security awareness and training programs are
developed, implemented, documented, and maintained.
9. Conducting a risk assessment after any change to the Forest Service IT organizational
structure that may affect critical operational control functions, processes, information and
associated roles, responsibilities, and separation of duties requirements.
10. Separating critical operational control functions within the Forest Service Chief
Information Office (CIO) wherever possible.
11. Ensuring that Information Resources Management personnel receive appropriate
training about the separation of duties principles.
12. Implementing and documenting security or other compensating controls (see
sec. 6683.2) when separation of duties is not possible.
13. Requiring CIO Supervisors to review new and changed position descriptions as part
of the position classification process to ensure that the proper separation of duties is
maintained.
14. Establishing in cooperation with the Forest Service Director of Human Resources
Management (HRM), the suitability determination for employees whose position or
duties requires a higher level of personnel screening than has been previously conducted,
but only for positions for which the Forest Service makes the final determination of
suitability. This responsibility may not be delegated below the Washington Office.
15. Working with the Forest Service Director of HRM to ensure that problems or issues
affecting information system personnel screening are promptly addressed and efficiently
resolved.
16. Ensuring that a computer incident response (IR) capability for the Forest Service is
established, documented, and maintained according to the direction in this manual (see
sec. 6683.07a).
17. Chartering and maintaining the Forest Service Computer Incident Response Team
(CIRT) and determining the overall role and authority of the CIRT.
18. Approving the orderly disconnect or shutdown of compromised systems, if necessary
as a mitigating action, and the reactivation of those compromised systems after recovery.
19. Communicating with the U.S. Department of Agriculture, Office of the Chief
Information Officer (USDA OCIO), as required by USDA DM 3505-001, regarding
information system security incidents, responses, and follow-up actions.
20. Ensuring that mitigation of all incidents is completed and preventive measures are
taken to reduce incident recurrence.
21. Ensuring that the Forest Service effectively implements and maintains IT security
policies, procedures, and control techniques to address all media protection requirements.
22. Designating appropriate IT component teams to implement the system recovery
strategy and ensuring that each team is trained and ready to deploy in the event of a
disruptive situation requiring plan activation.
23. Establishing and implementing an internal Forest Service program for patch
management on all information systems.
24. Ensuring that all IT professionals, especially System Administrators, Network
Administrators, and the Information System Security Program Manager, are trained in and
made aware of this policy and its procedures.
25. Clearly assigning System Administrators and other authorized personnel specific
patch management and vulnerability correction responsibilities.
26. Employing the departmental or an approved automated patch management solution,
wherever feasible, to facilitate compliance with this policy and to promote efficiency for all
systems; applying patch management solutions to in-house applications and monitoring the
status of those systems.
27. Reporting patch management status monthly to USDA OCIO.
28. Requesting a formal exception through the established process for any systems which
are not compliant within 90 days.
6683.04b - Line Officers
For information systems (IS) and IS-related activities under their control, Line Officers at the
Washington Office and Field units are responsible for:
1. Ensuring personnel in their units receive required information security and privacy
training.
2. Reviewing, approving, and participating in the testing of information system
contingency plans (CPs) that involve or affect resources or facilities for which they are
responsible.
3. Supporting or cooperating with the execution of CPs in the event of an emergency,
disaster, or other major disruption of an information system.
4. Making an appropriate reassignment or terminating any employee who fails to receive
a favorable adjudication as a result of the personnel screening process.
6683.04c - Information System Security Program Manager
The Forest Service Information System Security Program Manager (ISSPM) is responsible for:
1. Immediately forwarding to, and coordinating action with, the U.S. Department of
Agriculture (USDA) Associate Chief Information Officer (ACIO) for Cyber Security or a
designated agent any suspected high-level, major information technology (IT) security
incidents, including but not limited to the following:
a. Distribution of copyrighted software;
b. Child pornography;
c. Sexually explicit material;
d. Downloading of music or unauthorized software;
e. Any violation of law; and
f. On-line gambling.
2. Verifying that Information Technology Contingency Plans (ITCPs) are developed for
information systems and:
a. Tested, reviewed, and updated as necessary, at least on an annual basis or once
every 6 months for financial systems.
b. Personnel with recovery responsibilities receive annual training regarding these
responsibilities.
3. Forwarding to the USDA Office of the Associate Chief Information Officer (ACIO)
for Cyber Security all suspected incidents of gambling using Forest Service equipment.
4. Ensuring protection of evidence and immediately referring to the Forest Service
Director of Law Enforcement and Investigations any detected incident that may be a
violation of criminal law, including but not limited to, use of Forest Service systems to
facilitate a crime, and possession or transmittal of child pornography.
5. Forwarding to the USDA Office of the ACIO for Cyber Security all suspected
incidents of copyright infringement or any other illegal activity involving information
system resources.
6. Promoting awareness and understanding of the policies and issues related to
appropriate use and limited personal use of telecommunications and IT resources and
equipment.
7. Ensuring that the separation of duties (see sec. 6683.21) is maintained for all critical
operational and information security functions, including:
a. Analyzing operations related to new or modified Forest Service information
systems during development or maintenance of these systems and:
(1) Identifying critical operational control functions requiring separation of duties.
(2) Notifying the function owner of the separation of duties requirement.
b. Performing annual assessments to verify that procedures for segregating critical
operational control functions are functioning properly and are being maintained at
acceptable levels.
c. Verifying that Information Resources Management Supervisors review new or
changed position descriptions to ensure proper separation of duties is maintained.
d. Providing information security training to all Forest Service personnel about the
need for separation of duties.
e. Auditing security and compensating controls annually and documenting the audit
results.
8. Verifying that information technology contingency plans (ITCPs) for Forest Service
information systems are developed and:
a. Coordinated with other applicable emergency plans.
b. Tested, reviewed, and updated as necessary at least every 6 months.
c. Capable of being executed quickly and efficiently.
9. Ensuring that the Chief Information Officer is informed of resources, facilities,
funding, and other requirements for developing and executing information system
contingency plans (CPs).
10. Ensuring system owners and managers understand the security training strategy.
11. Overseeing the development and implementation of the Forest Service IT security
awareness and training programs.
12. Verifying that all system, application, or point solution security plans include
applicable backup and recovery strategies.
13. Performing random audits to verify that backups are completed and protected.
14. Ensuring that recovery procedures are tested at least annually and function as
intended.
15. Identifying deficiencies in backup and recovery plans or procedures.
16. Reviewing and approving or denying local backup waiver requests.
17. Determining the level of personnel screening required for each level of access to
Forest Service information systems.
18. Validating that individuals who have been granted access to a Forest Service
information system have been screened for suitability.
19. Recommending steps to promptly address and resolve problems or issues affecting
information system personnel screening.
20. Assisting those involved in determining position sensitivity levels that are applicable
to positions that develop, manage, support, maintain, operate, and use each Forest Service
information system, and in the event of a dispute, making the final determination
regarding the position sensitivity level to be applied to such a position.
21. Coordinating with Human Resources Management and Acquisition Management
staffs to integrate information system user hiring, transfer, and termination procedures
into applicable personnel and contract actions.
22. Resolving, with the assistance of the relevant Information System Security Officers
(ISSO), conflicts or discrepancies between Forest Service-wide procedures and individual
system security plan requirements.
23. Maintaining a list of the ISSOs who are to receive timely notification of the hiring,
separation, transfer, or change in status of users of Forest Service information systems,
and of the information system(s) for which each ISSO is responsible.
24. Providing oversight, guidance, and support for the CIRT, including assistance with
obtaining or developing the training, tools, skills, and authority necessary to fulfill its
responsibilities.
25. Ensuring the CIRT knows and understands its responsibilities and authority.
26. Ensuring that security incidents are responded to according to the direction in this
manual (see sec. 6683.04q), and that law enforcement investigations are initiated, if
necessary, and supported.
27. Ensuring that appropriate training is available to all information system users,
managers, and administrators regarding the recognition, reporting, and handling of
security incidents.
28. Advising the Forest Service Chief Information Officer, in conjunction with the
Forest Service CIRT, on the shutdown or disabling of compromised systems and the
reactivation of those systems after recovery.
29. Overseeing the documentation, analysis, and reporting of security incident responses
and the actions taken to help prevent a recurrence of incidents.
30. Recognizing any issues or trends resulting from security incidents and responses, and
making recommendations to the Chief Information Officer for resolving or correcting
them.
31. Initiating and overseeing changes to direction or procedures based on lessons learned
from security incident responses.
32. Ensuring formal procedures are in place to control the allocation of access rights, to
prevent unauthorized access to, or disclosure of, media devices containing confidential or
proprietary information.
33. Educating users about their responsibilities for maintaining effective media
protection to prevent unauthorized user access.
34. Ensuring that all media and media devices are monitored to detect deviations from
established policies, and that security events are recorded to provide evidence in the case
of unauthorized access and/or security incidents.
35. Working with HRM to ensure that employees are rotated during times of absence or
emergency, and that they have the necessary position sensitivity, clearance, and
applicable training.
36. Becoming familiar with cyber security (CS) patch management policy, procedures,
enterprise-wide solutions, and National Institute of Standards and Technology (NIST)
SP 800-40.
37. Reporting, as required by USDA, the patch status of Forest Service systems to
USDA Office of the ACIO for Cyber Security.
38. Working with the HSPD-12 staff to determine the level of personnel screening
required for each level of access to Forest Service information systems.
39. Working with the HSPD-12 staff in recommending steps to promptly address and
resolve problems or issues affecting information system personnel screening.
40. Identifying types of activities or conditions considered unusual or unauthorized.
41. Approving monitoring tools, maintaining a list of approved tools, and ensuring that
only approved tools are used by authorized personnel for monitoring system activity.
42. Ensuring that all system maintenance tools are tested and approved prior to use.
6683.04d - Information System Security Officers
Information System Security Officers (ISSOs) are responsible for:
1. Subscribing to specific security and advisory alerts applicable to their IT system(s)
that may not be included in information about common threats, vulnerabilities, and
incident-related information disseminated by the Forest Service CIRT.
2. Providing the Forest Service CIRT with responses regarding actions taken in response
to the security alerts or advisory alerts.
3. Assisting system owners in resolving deficiencies in backup and recovery plans or
procedures.
4. Developing, updating, and maintaining the ITCPs as required.
5. Developing and conducting ITCP tests and completing associated test documentation
as required.
6. Developing and updating ITCP training plans for all information systems.
7. Supporting or participating in the training of contingency personnel as required by a
specific plan.
8. Supporting the Forest Service IT security awareness and training strategy, and
fostering an atmosphere of IT security in general.
9. Providing, based on the behavior of system users and managers, feedback to the Forest
Service ISSPM on the effectiveness of the security awareness and training program, and
ways it might be improved.
10. Determining the disposition of user information system accounts when the user is
departing or will be on extended absence or detail, including determining whether
continued use of information systems during an extended absence or detail should be
allowed.
11. Notifying the Forest Service ISSPM of any conflicts or discrepancies between
Agency-wide directives or procedures, and individual system security plan requirements,
and helping to resolve such conflicts.
12. Providing direction to grant, modify, disable, or terminate user access rights to the
Information System, Network, and Security Administrators of the Forest Service
information systems or networks for which the ISSO is responsible.
13. Developing and maintaining system-specific Incident Response Plans (IRPs),
including recognizing system security incidents or suspicious activities and immediately
reporting them to the Forest Service CIRT.
14. Assisting or coordinating assistance to the Forest Service CIRT as requested by the
CIRT Team Leader or Forest Service ISSPM during an incident response.
15. Ensuring that compromised systems for which they are responsible remain disabled
and/or disconnected from Forest Service's infrastructure, as directed by the Forest Service
CIRT, until the Forest Service Chief Information Officer or designate approves return to
operational status.
16. Reviewing system access lists periodically, but at least annually, to ensure that
individuals granted access have a current security responsibility agreement on file.
17. Reporting to Law Enforcement and Investigations (LEI) incidents that may be a
violation of criminal law, that involve the theft or loss of IT hardware containing
information, and/or that may pose a threat to the safety of employees.
18. Reviewing preventive and regular maintenance and maintenance logs in accordance
with USDA and Forest Service policies, and reporting any anomalies to the ISSPM.
19. Monitoring the use of hardware and software maintenance tools introduced to the
information system specifically for diagnostic/repair actions, and reporting any anomalies
to the ISSPM.
20. Recognizing system security incidents or suspicious activities and immediately
reporting them to the Forest Service CIRT.
6683.04e - System Owners
System Owners are responsible for:
1. Supporting and participating, as required, in the training of all contingency personnel
with regard to their roles and responsibilities.
2. Procuring, developing, integrating, modifying, operating, and maintaining the System
Owner’s information systems.
3. Making corporate information available for backup.
4. Ensuring development of backup and recovery plans for their system(s).
5. Verifying that backup and recovery plans and procedures are followed.
6. Reporting failures to follow backup and recovery plans and procedures to the Forest
Service Information System Security Program Manager (ISSPM).
7. Resolving deficiencies in backup and recovery plans and procedures.
8. Ensuring that anyone accessing or affecting their information system has received
appropriate IT security training (for example, new or newly assigned system users or
managers, system and network administrators, other personnel with access to system-level
software, and those with additional security responsibilities).
9. Participating, as required, in the development, review, approval, and testing of CPs for
their systems.
10. Assisting with the execution of CPs for their systems and the resulting response and
recovery efforts.
11. Arranging for and funding any training necessary for all those with a role or
responsibility in executing CPs for their system(s), to ensure the individuals understand
both the plan(s) and their role(s).
12. Verifying and documenting the personnel screening of all those with access to their
system.
13. Working with the Forest Service ISSPM and Human Resources Management (HRM)
officials to determine the position sensitivity levels that are applicable to positions that
develop, manage, support, maintain, operate, and use each Forest Service information
system.
14. Denying system access until appropriate personnel screening has been completed,
unless the screening has been waived in accordance with section 6683.22.
15. Coordinating or assisting with the resolution of problems or issues affecting
information system personnel screening.
16. Notifying the Forest Service ISSPM of any change of the individual assigned the
Information System Security Officer (ISSO) role for the information systems that they
own.
17. Validating, at least annually, the information maintained by the Forest Service
ISSPM concerning the identity of the ISSO(s) for the information system(s) that they
own.
18. Maintaining a list of all authorized personnel who perform maintenance on
information systems, and ensuring the Forest Service Facility Manager has an updated
copy of the list.
19. Ensuring that all removable media is labeled properly.
20. Ensuring media is properly stored and transported.
21. Ensuring that litigation hold is considered before media is sanitized.
22. Verifying that media are sanitized before reuse or disposal.
23. Ensuring that least privilege is enforced on the information system.
24. Ensuring that the ISSO and other personnel have appropriate incident response
training.
25. Ensuring that all incidents which may be a violation of criminal law are reported to
LEI.
26. Ensuring maintenance security controls are implemented.
27. Ensuring all maintenance tools (diagnostic and test tools, software, or equipment) are
approved by the ISSPM, and their use is monitored. In addition, ensuring that approved
maintenance tool use is defined and documented in the System Security Plan (SSP).
28. Maintaining a list of all approved maintenance tools.
29. Overseeing the execution of CPs and any subsequent damage assessment and
recovery efforts.
6683.04f - Vulnerability Manager [Reserved]
6683.04g - Information System Contingency Planning Coordinator
The Information System Contingency Planning Coordinator (CPC) is responsible for:
1. Supporting and participating, as required, in developing ITCPs.
2. Coordinating the testing, reviewing, and updating of the ITCPs, as necessary, at least
once a year or once every 6 months for financial systems.
3. Coordinating the training of all personnel with contingency responsibilities and
verifying all have appropriate training and are trained at least once a year.
4. Coordinating with officials to establish the damage assessment and recovery teams,
and their team leaders, required to implement ITCPs.
5. Ensuring that Supervisors of each unit or group are aware of any requirement for
participation by their employees to implement ITCPs.
6. Distributing copies of ITCPs to all those with a role or responsibility in executing
them.
6683.04h - Information Technology Asset Managers
Managers of information resource assets are responsible for:
1. Tracking and documenting the issuance, replacement, and return of information
technology (IT) equipment or resources and providing a copy of such documentation to
users as part of the termination of personnel process required by the direction in section
6683.23b.
2. Ensuring that government-owned or provided IT equipment being returned or replaced
during termination of personnel is returned to a pristine state before being reissued to
another system user or being disposed of as excess property.
6683.04i - Network Operations Manager
The Network Operations Manager is responsible for:
1. Implementing and operating network security controls.
2. Ensuring network security controls are regularly monitored and recommending
changes in response to real or perceived security threats.
3. Authorizing and managing virtual private network (VPN) or other remote access
accounts.
4. Promptly reporting any security breach to the Forest Service CIRT.
6683.04j - Network Administrators
Network Administrators are responsible for:
1. As appropriate, monitoring inbound and outbound communications for activities or
conditions considered unusual or unauthorized.
2. Implementing security controls regarding remote access as defined by the SSP.
3. Configuring and maintaining network security controls, including timely performance
of vendor-recommended maintenance on network security components, as directed, and
documenting all configuration changes made.
4. Ensuring that network activity and other logs are intact and available as required by
the direction in this manual.
5. Reporting immediately any real or perceived threats to network security or security
breaches to the Network Operations Manager.
6. Ensuring that Contracting Officers or specialists are available, as needed, to assist
with the development and approval of information system CPs.
7. Supporting or participating in the testing or execution of information system CPs as
required by those plans.
8. Supporting and assisting with implementation of hiring, transfer, and termination of
personnel procedures.
9. Granting, modifying, disabling, or terminating access to network facilities in
accordance with the direction in section 6683.23 and section 6684.2.
10. Resetting any network passwords or deleting network accounts, as appropriate, that
are assigned to users who no longer require access to Forest Service network equipment
or facilities.
6683.04k - Information Technology System Administrators
Information Technology (IT) System Administrators are responsible for:
1. Configuring information systems to comply with security requirements.
2. Performing backups of corporate information and verifying successful completion of
backups in accordance with system backup plans.
3. Performing recovery and reconstitution operations on an information system and/or
corporate information associated with the information system as directed by the system
owner (sec. 6683.04e).
4. Testing recovery procedures from stored backup media at least once a year, or more
frequently, if required by the system security plan or operations guide.
5. Assisting system owners with resolution of deficiencies in backup and recovery plans
and procedures.
6. Supporting and assisting with implementation of hiring, transfer, and termination of
personnel procedures.
7. Granting, modifying, disabling, or terminating access to information systems in
accordance with the direction in section 6683.23 and section 6684.2.
8. Resetting any information system passwords or deleting information system accounts,
as appropriate, that are assigned to users who no longer require access to Forest Service
information systems.
9. Recognizing system security incidents or suspicious activities and immediately
reporting them to the Forest Service CIRT.
10. Cooperating with and supporting security incident responses and investigations as
requested by the Forest Service CIRT.
11. Disabling, disconnecting from the network, or shutting down compromised
information system(s) in order to contain a spreading threat.
12. Assisting with analysis of security incidents and development of actions or
procedures to prevent their recurrence.
13. Scheduling, performing, and documenting preventive and regular maintenance of the
information system’s components including its maintenance tools.
14. Obtaining approval for and testing hardware and software maintenance tools
introduced to the information system specifically for diagnostic/repair actions.
6683.04l - Data Center Managers [Reserved]
6683.04m - Information Technology Controlled or Restricted Space Employees
Employees assigned to work in information technology (IT) controlled or restricted spaces are
responsible for:
1. Ensuring that any visitor is allowed access to IT restricted or controlled space only in
accordance with section 6683.32.
2. Challenging any unescorted individual in an IT restricted or controlled space who is
not known to them to have authorized access to that area.
6683.04n - Acquisition Management
Forest Service Contracting Officers (COs), Purchasing Agents and Grants and Agreements
Specialists are responsible for:
1. Ensuring that physical security requirements, in accordance with the direction in
section 6683.3, and HSPD-12 requirements are included in all solicitations, contracts, and
agreements for or affecting information technology (IT) restricted space.
2. Including IT security training requirements in all solicitations, contracts, and
agreements involving use, management, maintenance, design, or development of
information systems and applications.
3. Ensuring that completed IT security training for cooperators and contractor personnel
is properly documented in the USDA AgLearn or other official Forest Service training
documentation system.
4. Ensuring that Contracting Officers or Specialists are available, as needed, to assist
with the development and approval of information system contingency plans (CPs).
5. Supporting or participating in the testing or execution of information system CPs as
required by those plans.
6. Ensuring that all contracts, purchase orders, memoranda of understanding, memoranda
of agreement, and other formal agreement or work order documents include requirements
for personnel screening and specify the Forest Service position sensitivity level applicable
to individual cooperators and contractor personnel who will access Forest Service
information and information systems.
7. Ensuring that anyone granted access through such an agreement has received the
appropriate level of personnel screening.
8. Ensuring that Grants and Agreements Specialists and Contracting Officers, or their
representatives, incorporate information system hiring, transfer, and termination of
personnel procedures into applicable solicitations, contracts, and agreements.
9. Ensuring Forest Service Information System Security Officers (ISSOs) receive timely
notification of changes to cooperators and contractor personnel using or involved with
Forest Service information systems, including any specific date and time by which access
rights must be created, modified, disabled, or terminated.
10. Identifying, in a timely manner, actions that affect information system access rights
for contractors or their employees, so that Forest Service direction for granting or
modifying access, as specified in section 6684.2, can be followed without disruption to
Forest Service business.
11. Requesting needed access to IT equipment and systems for new cooperators and
contractor personnel and ensuring requests are made:
a. As far in advance of the prospective user’s reporting date as possible, except in
cases of emergency.
b. Using the Forest Service-approved process for making such requests.
12. Ensuring that cooperators and contractor personnel granted such access comply with
hiring, transfer, and termination of personnel procedures required by section 6683.23.
13. Identifying, as part of the hiring process, Forest Service information systems and IT
facilities to which the new user requires access.
14. Identifying, as part of the termination of personnel process, Forest Service
information systems and IT facilities to which the departing user has been granted access.
15. Providing notice of personnel hiring and termination to:
a. ISSOs of affected Forest Service information systems.
b. Facility Managers of sites to which the user requires or has been granted access.
c. The HSPD-12 staff.
16. Ensuring that cooperators and contractor personnel who will use Forest Service
information systems or networks:
a. Sign and renew, at least annually, any applicable security agreements, including
non-disclosure agreements, before the access that requires the agreement is granted.
b. Receive all security-related information and training required for information
system users.
c. Have been reported to the HSPD-12 staff.
17. Determining the disposition of corporate information possessed or managed by
departing users prior to their scheduled date of departure.
18. Conducting exit interviews with departing users to establish that:
a. Corporate information under their management or control has been identified and
properly turned over to the appropriate entity.
b. Forest Service IT-related property in the user’s custody has been properly returned
to or accounted for by the appropriate entity, and required transfer of custody
procedures have been followed.
19. Requiring Forest Service information system users working under contract or
agreement to complete required information system security training and report to the
Contracting Officer or Grants and Agreements Specialist any security incidents or
suspicious information system use or behavior they encounter.
6683.04o - Security System Administrators
Security System Administrators are responsible for:
1. Supporting and assisting with implementation of hiring, transfers, and termination of
personnel procedures.
2. Granting, modifying, disabling, or terminating access to security systems or facilities
in accordance with the direction in sections 6683.23 and 6684.2.
3. Resetting any security system passwords or deleting security system accounts, as
appropriate, that are assigned to users who no longer require access to Forest Service
security systems or facilities.
4. Configuring and maintaining security tools.
6683.04p - Human Resources Management
Human Resources Management (HRM) Directors and, as appropriate, Homeland Security
Presidential Directive (HSPD)-12 staff are responsible for:
1. Assisting with the separation of duties required (sec. 6683.21) for critical operational
and information security functions by working with Chief Information Office (CIO)
Supervisors to include the principles of separation of duties when defining or revising
position descriptions.
2. Ensuring that Human Resources Managers or Specialists are available, as needed, to
assist with the development and approval of information system contingency plans (CPs).
3. Supporting or participating in the testing or execution of information system CPs as
required by those plans.
4. Working with Line Officers to ensure that all required employee personnel screenings
are completed within the timeframes required by law, regulation, policy, or contract.
5. Working with the Forest Service Information System Security Program Manager
(ISSPM) and system owners to determine the position sensitivity levels that are
applicable to positions that develop, manage, support, maintain, operate, and use each
Forest Service information system.
6. Working with the Forest Service Chief Information Officer to ensure that problems or
issues affecting information system personnel screening are promptly addressed and
efficiently resolved.
7. Providing guidance and procedural assistance to field staffs on conducting personnel
screening.
8. Ensuring that all Forest Service vacancy announcements, outreach notices, and other
publications announcing or offering positions include a statement of the need for
personnel screening to access Forest Service information and information systems.
9. Ensuring that all Forest Service position descriptions and special program work
agreements include a statement of the appropriate level of personnel screening required to
perform the designated duties.
10. Submitting the security paperwork requesting an investigation and personnel
screening (adjudication) to the U. S. Department of Agriculture (USDA) Personnel and
Document Security Division, for positions that:
a. Are classified as sensitive;
b. Require access to classified national security information; or
c. Are classified as moderate and high risk public trust positions.
11. Initiating a background investigation for low-risk, non-sensitive positions if an
investigation beyond the one required upon entrance to Federal service is deemed
necessary.
12. Adjudicating and making, in cooperation with the Forest Service Chief Information
Officer, a suitability determination for employees whose position or duties require a
higher level of screening than has been previously conducted, for positions for which the
Forest Service makes the final determination of suitability.
13. Ensuring that information system hiring, transfer, and termination procedures are
incorporated into Forest Service employee personnel action procedures.
14. Ensuring that Forest Service ISSOs receive timely notification of the hiring,
separation, transfer (including temporary detail), suspension, or other change in status of
Forest Service employees, including any specific date and time by which access rights
must be created, modified, disabled, or terminated.
15. Identifying, in a timely manner, personnel actions that affect a government
employee’s information system access rights so Forest Service direction for granting or
modifying access, as specified in section 6684.2 and HSPD-12, can be followed without
disruption to Forest Service business.
16. Coordinating between the HSPD-12 staff, the Position Classification Branch and the
ISSPM to develop position sensitivity prior to beginning the hiring process.
17. Providing, when requested, necessary documents and initiating the proper level of
clearance.
18. Working with the ISSPM in determining special access privileges and background
investigation criteria.
19. Working with the ISSPM in verifying required sensitivity levels during job rotations,
internal transfers, and terminations.
6683.04q - Law Enforcement and Investigations
Law Enforcement Personnel are responsible for:
1. Complying with applicable Line Officer responsibilities for their area of responsibility
(Director, Deputy Directors, and Special Agents in Charge).
2. Assisting, as needed, with the development and approval of information system
contingency and security plans.
3. Supporting or participating in the testing or execution of information system security
or contingency plans as required by those plans.
4. Initiating and/or assuming responsibility for investigations of information system
security incidents that involve possible criminal activity, cause significant damage to the
integrity, confidentiality, or availability of Forest Service information, or that present a
threat to Forest Service employees.
5. Informing the Forest Service ISSPM of any investigations involving Forest Service
information systems as soon as investigative confidentiality permits.
6. Requesting CIO assistance with investigations through the Forest Service CIRT using
established procedures or systems for such requests.
7. Coordinating physical security, HSPD-12 implementation, and emergency planning
efforts with information security planning and implementation.
6683.04r - Facility Managers
Facility Managers of buildings housing IT restricted or controlled space are responsible for:
1. Where the Facility Manager is a Forest Service Government employee, assisting the
Local Site Coordinator (LSC) in the implementation and maintenance of all physical and
environmental controls.
2. Where the Facility Manager is NOT a Forest Service Government employee (for
example, in leased space), assisting the LSC in the implementation and maintenance of
all physical and environmental controls to the extent it is written into the lease agreement.
Modifications to existing long-term lease agreements should be considered where it is
practicable and has a low (or no) fiscal impact.
3. Managing contract guards.
4. Coordinating with Human Resources Management (HRM), acquisition, and Program
Managers for badge issuance.
6683.04s - Facility Engineers
Engineers (including architectural staff), whether Forest Service employees or contractors
working on behalf of the Forest Service, who are designing facilities that include new or
remodeled IT controlled or restricted space are responsible for coordinating with the site’s
Facility Manager, as well as the Forest Service ISSPM, LEI (for HSPD-12 and other physical
security requirements), and if the space is leased, the Leasing Officer, to ensure that the design
incorporates the physical security requirements found in sec. 6683.33.
6683.04t - Supervisors
Supervisors are responsible for:
1. Ensuring that the requirements of FSM 6680 are applied and executed uniformly.
2. Reviewing and approving or denying requests from employees for formal waivers to
any requirement of FSM 6680 with which they cannot comply. Requests for waivers
must include compensating controls.
3. Forwarding approved requests for formal waivers to the Forest Service ISSPM.
4. Immediately reporting suspected or alleged IT related security violations, misconduct,
or criminal activity to the Information System Security Officer or Forest Service CIRT.
5. Providing information and training to personnel in their units about operational
security controls, limited personal use, and the appropriate use of information,
information systems, and IT.
6. Participating in the testing or execution of information system contingency plans
(CPs) as required by those plans.
7. Knowing their roles and responsibilities in support of CPs.
8. Completing any required training related to CPs.
9. Incorporating required IT security training into training and development plans for
information system users under their supervision or management.
10. Providing time and facilities for those personnel under their supervision or
management to take required IT security training.
11. Ensuring that completed IT security training for their employees is properly
documented in the USDA AgLearn or other official Forest Service training
documentation system.
12. Requesting IT equipment and information system access for new users as far in
advance of the prospective user’s reporting date as possible, except in cases of
emergency, and using the Forest Service approved process for making such requests.
13. Ensuring compliance by their employees with personnel hiring, transfer, and
termination procedures.
14. Identifying as part of the hiring process the Forest Service information systems and
IT facilities to which the new user requires access, and identifying as part of the
personnel termination process the Forest Service information systems and IT facilities to
which the departing user has been granted access, and providing notice of hiring, transfer,
and termination of personnel to:
a. ISSOs of the affected Forest Service information systems.
b. Facility Managers of sites housing IT facilities to which the user requires or has
been granted access.
15. Ensuring that users under their supervision:
a. Sign and renew, at least annually, any applicable security agreements, including
non-disclosure agreements, before the access that requires the agreement is granted.
b. Receive all security-related information and training required for information
system users.
16. Determining the disposition of corporate information possessed or managed by
departing users prior to their scheduled date of departure.
17. Conducting exit interviews with departing users to establish that:
a. All corporate information under their management or control has been identified
and properly turned over to the appropriate entity.
b. All Forest Service IT-related property in the user’s custody has been returned to
or accounted for by the appropriate entity, and required transfer-of-custody
procedures have been followed.
18. Ensuring that information system users under their supervision or management
receive all required training regarding information system security and understand their
responsibilities for reporting security incidents and cooperating with incident responses.
19. Ensuring that upon termination and/or reassignment of employees and contractors,
Facility Managers are informed to remove and restrict access to these individuals.
20. Ensuring that all information system media (both digital and non-digital) is
considered for litigation hold and is sanitized according to the Forest Service policy and
regulations before disposal or release for re-use.
6683.04u - Employees
All employees are responsible for:
1. Keeping personal use of telecommunications and information resources and
equipment within the limits set by direction in this section and applicable negotiated
agreements regarding such personal use.
2. Taking appropriate measures to protect information from unauthorized access.
3. Taking appropriate measures to protect computer equipment from theft, damage, or
unauthorized use.
4. Immediately reporting suspected or alleged IT related security violations, misconduct,
or criminal activity to their Supervisor or to the Forest Service CIRT.
5. Obtaining authorization, through their Supervisor, from the appropriate officers in the
Information Resources Management staff before moving or exchanging computer
equipment.
6. Protecting passwords (do not share or record them in an unsecured location, and do
not permit a browser or other application to save passwords).
7. Changing passwords as required by section 6684.11.
8. Verifying that the automatic virus definition file updates to the enterprise antivirus
tool installed on the employee’s computer occur as scheduled.
9. Storing corporate information within the corporate filing system where it is backed up
routinely unless a Local Backup Waiver Request has been approved to allow storage
elsewhere.
10. Signing off or electronically locking the computer before leaving it unattended.
11. Protecting sensitive information, including personally identifiable information,
regardless of media.
12. Seeking out and applying appropriate security measures to protect sensitive
information stored on the employee’s computer.
13. When privileges are elevated to allow installation of authorized software, installing
only that software for which authorization has been obtained, and performing only those
activities that are specifically authorized.
14. Participating in the testing or execution of information system CPs as required by
those plans.
15. Completing any required training related to CPs.
16. Considering litigation hold before sanitizing all information system media (both
digital and non-digital) according to the Forest Service policy and regulations, before
disposal or release for re-use.
17. Signing and renewing, at least annually, any applicable security agreements,
including non-disclosure agreements, before the access that requires the agreement is
granted.
18. Ensuring that all Forest Service information and IT-related property is accounted for
and transferred to an appropriate and authorized Forest Service employee prior to
termination from the Forest Service.
6683.04v - End Users
End users (also called users in this document) of Forest Service information systems are
responsible for understanding Forest Service IT security awareness requirements and
responsibilities and completing required IT security training. All information system end users
are responsible for backing up, or making available for backup, corporate information that they
create or are otherwise responsible for and that is stored on a Forest Service laptop or desktop
computer, pocket PC, personal digital assistant, or other computing or information recording
device by either:
1. Storing copies of the information on assigned Forest Service file servers where it will
be available for normal system backups.
2. Storing copies of the information on removable or external storage media, when the
requirement to store on Forest Service file servers has been waived, and ensuring that the
backup media are securely stored and protected according to the direction in this
directive.
3. Preparing a local backup waiver request and forwarding it to the Forest Service
ISSPM via the user’s Supervisor requesting permission to store backup copies of
corporate information on local removable or external storage media rather than on Forest
Service file servers. Notifying the system owner and the system’s ISSO when backup
waivers have been granted.
4. Informing their Supervisor if they believe the level of personnel screening applied to
their position is inappropriate for the duties they have been assigned or the level of
information access they require and cooperating with such screening efforts.
5. Refraining from engaging in tasks requiring, but for which they have not received, a
favorable personnel screening adjudication.
6. Completing required information system security training.
7. Immediately reporting suspected or alleged IT-related security violations, misconduct,
or criminal activity to their Supervisor or to the Forest Service CIRT.
8. When connecting a Forest Service desktop or laptop computer to a home or public
non-Forest Service network, ensuring that once network access is obtained the computer
is immediately connected to the Forest Service Intranet via an approved VPN connection,
and that all access to or through the public Internet using that computer occurs via that
Forest Service VPN connection.
9. Considering litigation hold before sanitizing all information system media (both
digital and non-digital) according to Forest Service policy and regulations before disposal
or release for re-use.
10. Ensuring that media containing sensitive information is protected from accidental or
unintended disclosure.
a. Position display medium (computer monitors or printer/fax preview panes) away
from windows and passersby or use privacy screens to prevent unauthorized
individuals from seeing information.
b. Use headphones with volume controls to prevent others from hearing content
when using screen readers.
11. Signing and renewing, at least annually, any applicable security agreements,
including non-disclosure agreements, before the access that requires the agreement is
granted.
12. Immediately reporting the loss, theft, or unauthorized access or use of any IT asset or
information to the Forest Service CIRT, and reporting loss or theft of servers, laptops, or
desktop computers to both LEI and Acquisition Management (AQM) in the user’s home
unit, and also when on travel to local police.
13. Ensuring that all Forest Service information and IT-related property is accounted for
and transferred to an appropriate and authorized Forest Service employee prior to
termination from the Forest Service.
6683.04w - Local Site Coordinator
The Local Site Coordinators (LSCs) are responsible for:
1. Ensuring, to the extent of their authority, that the IT restricted or controlled space
under their management or control is physically secure.
2. Preparing, in conjunction with the Forest Service ISSPM, exception requests for each
site or facility that does not meet physical security requirements, or for which their
authority or control is insufficient to ensure the physical security of the space.
3. Overseeing physical security and access controls of Forest Service facilities housing
IT restricted space and ensuring adequate and reliable building environmental controls.
4. Working with the system owners and the ISSPM to provide the physical security for
systems, users, and information storage areas that system owners and the Authorizing
Official (AO) have identified as necessary.
5. Participating in facilities policy development and maintenance.
6683.04x - Forest Service Computer Incident Response Team Leader
The Forest Service Computer Incident Response Team (CIRT) leader is responsible for:
1. Developing and maintaining the Forest Service CIRT Incident Response Plan (IRP).
2. Developing and maintaining an IRP training schedule.
3. Providing a current copy of the IRP to personnel with incident response (IR)
responsibilities.
4. Coordinating with ISSOs to ensure that all personnel with IR responsibilities are
identified and included in the system specific IRPs.
5. Subscribing to and reviewing security and advisory alerts from reliable sources.
6. Disseminating common threats, vulnerabilities, and incident-related information to
ISSOs and system owners.
7. In accordance with section 6683.94, monitoring inbound and outbound
communications and responding appropriately to real or perceived threats.
6683.05 - Definitions [Reserved]
6683.06 - References [Reserved]
6683.07 - Team, Committee, and Group Responsibility
6683.07a - Computer Incident Response Team
The Computer Incident Response Team (CIRT) is responsible for:
1. Participating, as required, in the development, review, approval, and testing of
Contingency Plans (CPs) for their systems.
2. Assisting with the execution of CPs for their systems and the resulting response and
recovery efforts.
3. Knowing and understanding its authority and responsibilities, as described in this
directive and the CIRT charter, and resolving any questions or conflicts about them.
4. Developing, acquiring, or arranging for the skills, tools, and other resources needed to
fulfill its responsibilities.
5. Developing a plan and/or protocols for responding to computer security incidents in
accordance with section 6682.9 (Protecting the Confidentiality of Personally Identifiable
Information) and section 6683.7 and adjusting plans and protocols, if necessary, as
security threats change.
6. Responding to or coordinating the response to all computer security incidents, from
discovery to resolution, so as to contain, control, and mitigate the threat or compromise
and return the affected systems to normal operation as quickly as possible.
7. Protecting and preserving evidence discovered or developed during a security incident
response, including documentation, according to Forest Service procedures.
8. Serving as the Forest Service technical point of contact for law enforcement and
administrative investigations of computer security incidents and assisting with
investigations to the extent possible.
9. Developing and maintaining a contact list and communication plan for keeping those
involved with, affected by, or responsible for security incident responses well-informed
throughout a response.
10. Documenting and reporting security incidents and the responses to them as required
by law, regulation, or policy.
11. Notifying the Forest Service ISSPM and the Director, Law Enforcement and
Investigations, when criminal activity is found or suspected in a computer security
incident.
12. Notifying Human Resources or Acquisition Management if non-criminal
inappropriate use of a Forest Service information system by an employee or contractor is
discovered or suspected.
13. To the extent practical, establishing relationships with those who might be involved
with security incident responses to make communication and cooperation during a
response more efficient and productive.
14. Assisting with the analysis of security incidents and responses and the development
of new direction or procedures to reduce risk and improve future responses.
6683.07b - Information System Users
Information system users are responsible for:
1. Protecting and properly disposing of any and all media, including portable and
removable devices, that may contain sensitive information and promptly reporting any
incident where media protection requirements may have been compromised to their
Supervisor and to the Forest Service CIRT.
6683.1 - Media
6683.11 - Media Protection
1. Develop, disseminate, and provide an overall Media Protection policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy, the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal documented procedures to implement this policy and the associated
Media Protection controls. These procedures are to be reviewed and updated at least
annually in accordance with USDA requirements.
5. Protect all media containing sensitive information, including portable and mobile
devices, based on the Federal Information Processing Standards (FIPS) 199 security
category of the information recorded on the media.
6683.11a - Media Access
Allow only authorized users to access information or information system media.
1. Utilize automated mechanisms to restrict access to media storage areas containing
restricted media. Access attempts and access granted are audited.
2. Protect access to portable media (for example, USB drives, laptops, personal digital
assistants (PDA), and hand-held data gathering devices).
3. Use cryptographic mechanisms to protect and restrict access to information on
portable digital media and devices.
4. Information system media consists of all digital and non-digital media, including
backup media, in accordance with USDA requirements.
6683.11b - Media Marking
Mark, in accordance with organizational policies and procedures and in accordance with USDA
requirements, removable information system media and information system output indicating the
distribution limitations, handling caveats, and applicable security markings. All removable
system media and information system output are exempt from security marking requirements as
long as they remain within Forest Service controlled space.
6683.11c - Media Storage
Physically control and securely store IT system media.
1. Secure all digital and non-digital media that has sensitive information, including
personally identifiable information (PII), in a locked cabinet, container, or drawer when
not in use by authorized personnel.
2. Protect all media until the media is destroyed or sanitized using approved methods.
6683.11d - Media Transport
1. Protect all media during transport outside of controlled areas using organizational
defined security measures in accordance with USDA requirements. Forest Service-defined
security measures may include a locked container or cryptography.
2. Implement physical and technical security measures for protection of media that are
consistent with applicable laws, Executive Orders, directives, policies, regulations,
standards, and guidance.
3. Establish documentation requirements for activities associated with the transport of
information system media in accordance with the assessment of risk.
4. Document, where appropriate, activities associated with the transport of information
system media including accountability for media during transport outside of controlled
areas.
5. Restrict the activities associated with transport of media to authorized personnel.
6683.11e - Media Sanitization and Disposal
1. Consider litigation hold guidance before sanitizing media.
2. Sanitize all information system media (both electronic and paper) in accordance with
policy and regulations prior to disposal or release for re-use.
3. Use sanitization and disposal methods appropriate for the information’s security
categorization following guidelines found in National Institute of Standards and
Technology (NIST) SP 800-88 and Forest Service procedures.
6683.2 - Personnel Security
1. Develop, disseminate, and provide an overall Personnel Security policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy, the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
personnel security controls. These procedures are to be reviewed at least annually in
accordance with USDA requirements.
6683.21 - Separation of Duties
1. Separate work responsibilities so that no individual acting alone can compromise the
operational controls affecting the security and/or integrity of an information system or
process.
2. In conjunction with HSPD-12 staff, conduct a risk assessment (RA) and assign
position risk levels during initial information systems design and immediately following
any design changes during the system’s life. Identify the system’s critical operational
control functions, processes, and information. The RA must:
a. Analyze position descriptions and temporary task assignments associated with
critical operational control functions. Identify requirements for separation of duties
and/or the need for compensating controls.
b. Evaluate the effectiveness and appropriateness of the separation of duties and/or
compensating controls specified in the personnel operating guidelines and procedures
associated with the information system’s critical operation control functions.
3. Different individuals should perform each of the following actions for critical
operational control functions: authorization/approval; system management; and
monitoring or auditing. For example, security personnel who administer access control
functions shall not administer audit functions.
Examples of critical operational control functions include, but are not limited to:
a. Change management, quality assurance, and testing processes implemented in
information systems.
b. Logical access control processes implemented in information systems.
c. Physical access control processes in work spaces housing information technology
(IT) or information systems.
d. Operational processes in IT management (including network and radio
management) as well as information systems management.
e. Other similar areas where process integrity and security of information resources
are essential.
4. If changes in a position description or duties are necessary to meet separation of duties
requirements, work with the Position Management and Classification Branch to ensure
those changes do not affect title, series, and grade.
5. In those instances where separation of duties cannot be implemented because of
limited staff size, the unit must implement and document other compensating controls
such as:
a. Establishing external auditing agreements with other units or contracting for
third-party auditing services.
b. Supervising activities through operating procedures, review, and documentation.
c. Establishing access controls to prevent employees from performing multiple
critical operational control functions.
d. Performing appropriate background investigations.
e. Rotating duties and using temporary details.
6. Maintain documentation of the implementation of separation of duties including any
compensating controls.
7. Train all levels of the Forest Service Information Resources Management about the
following principles of separation of duties:
a. No one individual should ever have all authority or access to information systems.
b. The activities of one group or individual should serve as a check on the activities
of the other(s).
c. Separating duties diminishes the likelihood that errors and wrongful acts would go
undetected, and limits the damages that could occur from errors or wrongful acts,
particularly when used with RA, security training, and background investigations.
d. When limited staff prevents implementing separation of duties, use alternative
approaches such as those found in paragraph 4 of this section.
e. Always maintain documentation that proves there is a separation of duties.
f. Grant employees only the amount of access needed to perform their official duties.
8. Install access control software on information systems to prevent users from having
the necessary access to perform fraudulent activities without collusion.
9. Mitigate newly discovered separation of duties deficiencies immediately, using
temporary controls. Implement permanent corrections, if different than the compensating
controls, within 90 days of discovery of the deficiency.
6683.22 - Personnel Screening
Apply the following personnel screening requirements for use of Forest Service information
systems in addition to any other criteria or requirements provided for by Forest Service policy or
individual position determinations prior to authorizing access to any Forest Service information
system.
1. Use the same personnel screening requirements for all users of Forest Service
information systems regardless of employment status or relationship with the Forest
Service.
2. Categorize and determine sensitivity for positions and assignments in accordance with
HSPD-12 and approved Forest Service procedures.
a. Classify positions at the sensitivity level commensurate with the highest level of
information processed by the information systems that the occupant of that position
will access.
b. Include a statement of the need for contractor personnel screening, including
HSPD-12 requirements, in all contracts, purchase orders, memoranda of
understanding, memoranda of agreement, and other formal agreements or work order
documents that will result in contractor access to Forest Service information and
information systems.
3. Initiate required background investigations, through HSPD-12 staff, in accordance
with approved Forest Service procedures.
4. Allow users whose assignments are in positions of public trust which have been
identified as low risk to begin work or continue performing their duties until the
screening process has resulted in an adjudication only if:
a. The background investigation along with a request for advanced fingerprint results
has been initiated.
b. Alternate security controls are implemented in the interim, such as increased
monitoring of their computer activity.
5. Allow users whose assignments are in positions of public trust which have been
identified as moderate or high risk to perform their duties only after an appropriate
background investigation has been conducted, and screening has resulted in a favorable
adjudication.
a. A person currently occupying a position designated as requiring this level of
personnel screening may continue to perform their duties pending completion of the
background investigation and a favorable adjudication of that investigation.
b. In the case of an emergency, such tasks may be assigned for a limited period to a
person for whom the appropriate pre-appointment investigation has not been
completed if:
(1) The background investigation and request for advance fingerprint results have been
initiated.
(2) The unit’s line officer finds it necessary to the national interest.
(3) The situation is documented.
(4) Alternate controls are implemented during the interim, such as increased
monitoring of their computer activity.
6. Grant waivers for assignment of tasks prior to completion of personnel screening for
no longer than three (3) months unless approved by the Forest Service information
system security program manager.
7. Conduct all personnel screenings, including initial and reinvestigations, in accordance
with Federal regulations and procedures such as 5 CFR Part 731.106; Office of
Personnel Management policy, regulations, and guidance; FIPS 201 and SPs 800-73,
800-76, 800-78, HSPD-12 requirements, and Forest Service procedures; and the criteria
established for the risk designation of the assigned position. The reviews and updates of
the position risk designation are to occur at least annually in accordance with USDA
requirements.
8. Develop and implement rescreening procedures according to position-defined
rescreening frequency and criteria in accordance with USDA requirements.
6683.23 - Personnel Hiring, Transfer, and Separation
6683.23a - Personnel Hiring and Security Awareness
For all new or newly assigned Forest Service employees, volunteers, partners, cooperators,
contractor employees, and others who will require access to Forest Service information
technology (IT) facilities and use of Forest Service information systems and IT equipment:
1. Provide notice to those responsible for arranging and managing access to Forest
Service information systems and IT facilities, and provision of IT equipment, as far in
advance of the prospective user’s reporting date as possible, except in cases of
emergency.
2. Prior to granting access to any Forest Service information system, provide required
security awareness training with rules of behavior, and applicable role-based training on
the security and appropriate use of Forest Service information systems and equipment.
6683.23b - Personnel Termination
To the extent possible, use consistent procedures for handling both friendly and unfriendly
suspensions and terminations. For any user being suspended or whose employment is being
terminated from the Forest Service:
1. Voluntary Separations. Immediately notify Human Resources Management, the
Information System Security Program Manager (ISSO), and the appropriate management
of the user’s departure date to ensure that all access to facilities and systems is
terminated.
a. Deactivate all user accounts and access rights (network, applications, e-mail,
voice, physical access) no later than close of business on the next business day
following the date of departure.
b. Ensure that the appropriate personnel have continued access to any official records
and corporate information created by the employee and stored on the Forest Service’s
information systems, especially information protected by passwords or encryption. In
the case of files protected by passwords or encryption, the user shall provide all
passwords or keys used to protect the information, and those keys and passwords must
be verified prior to the user’s departure. Once the user has departed, an authorized
official, or their designee, must immediately change the passwords on protected files
to values unknown to the departed user.
c. Retrieve all Government IT equipment, software, files, keys, and badges issued to
the employee, document the retrieval, and provide the user a copy of that
documentation.
d. Conduct, in conjunction with HSPD-12 staff, an exit interview with the departing
system user to review the status of current projects, obtain any security related
information that may not be available or apparent in existing documentation, and
reiterate the continued obligations under the IT non-disclosure, confidentiality, or
user access agreements.
2. Unfriendly Separations. As appropriate, notify Human Resources Management, the
CIO staff, the Contracting Officer, the ISSO, LEI, HSPD-12 staff, and the Facility
Manager of the user’s departure date to ensure that all access to facilities and systems is
terminated.
a. For personnel or contracting actions resulting in the separation of the user,
deactivate all accounts and restrict physical access to information resources,
personnel, and facilities at the time the user is notified of the action, or sooner if so
directed by the Forest Service ISSPM, or requested by LEI or the user’s Supervisor
when risk of damage to IT resources warrants immediate action.
b. Prior to departure, determine the disposition of electronic and printed files owned
or managed by the departing employee and that contain corporate information, except
as follows:
(1) If the employee is under investigation for suspected inappropriate use of
Government information systems, leave such files intact.
(2) If the disposition of files cannot be determined prior to departure, move them to a
secure location for later determination.
c. Retrieve all Government IT equipment, software, files, keys, and badges issued to
the employee, document the retrieval, and provide the user a copy of that
documentation.
d. Prior to departure, the Supervisor or HRM staff conducts an exit interview.
6683.23c - Personnel Transfer
When personnel are transferred:
1. Follow personnel transfer procedures to properly schedule the transfer and initiate the
necessary changes of information system accounts and access privileges. These
procedures are to be in accordance with USDA requirements.
2. Review logical and physical access authorizations to information systems/facilities
within 10 days of the transfer when personnel are reassigned or transferred to other
positions within the Forest Service.
3. Reissue keys, identification cards, building passes; close old accounts and establish
new accounts; and change system access authorizations.
4. Notify HSPD-12 staff of the transfer.
6683.23d - Long-term Absence
If an information system user will be on extended leave or other long-term absence, such as
seasonal employment or a special assignment (detail):
1. Disable that user’s access to information systems, IT equipment, and facilities to
which they will not require access during their absence. However,
a. Allow continued use by the user of a particular information system during the
absence only when a need for continued access has been identified to and approved
by that system’s ISSO.
b. Allow physical access by the user to facilities housing information systems or IT
infrastructure during the absence only when a need for continued access has been
identified to and approved by the appropriate Facility Manager.
2. Do not delete accounts if it is understood that the user will be returning to employment
with the Forest Service and/or their assigned unit.
3. Require the user to remove and appropriately secure or dispose of any sensitive or
potentially sensitive information from computers or other IT equipment they will be
leaving behind during their absence.
4. Reassign the user’s equipment or allow use by others only when it has been
determined that such shared use will not create additional security risks.
5. Require the user to change all of their system passwords immediately after returning
from their absence.
6683.23e - Access Agreements
Before granting access or providing equipment, the Forest Service:
1. Ensures that individuals take the USDA security awareness training and accept the
Rules of Behavior/Statement of Responsibilities.
2. Executes the FS-6600-5 Conditional Access to USDA Sensitive but Unclassified
Information - Non-Disclosure Agreement if a non-disclosure agreement is needed from
contractors or cooperators before granting access to Forest Service information.
3. Ensures security awareness training and rules of behavior are reviewed annually in
accordance with USDA requirements.
6683.23f - Third-Party Personnel Security
1. Institute and document personnel security requirements for third-party personnel that
identify specific roles and responsibilities for those providers supplying services to the
Forest Service. Third-party personnel may include service bureaus, contractors, and
other organizations providing information technology (IT) support.
2. Explicitly include personnel security requirements in all acquisition related documents
such as statement of work (SOW), request for proposals (RFP), and so forth.
3. Require contractors and other third-party service providers to comply with the
requirements set forth by the Forest Service Security Program, and verify their
compliance.
4. Subject contractors and other third-party service providers to the same personnel
screening requirements as Forest Service personnel in accordance with section 6683.2.
The IT system owner may coordinate with the Contracting Officer to tailor the
appropriate personnel screening level for contractors or third-party personnel in
alignment with the risk level of the information system and the contractor’s planned
access roles or responsibilities.
5. Require contractors and other third-party service providers to formally certify that
they will notify the Forest Service's Acquisition Management and CIO Office upon the
termination or departure of any of their contract employees and accept responsibility for
the return of all Government-owned or -furnished equipment, such as keys, tokens, or
identification badges.
6. Monitor third-party personnel security compliance.
7. Ensure all Government-provided laptop computers are running USDA Whole Disk
Encryption.
6683.23g - Physical Security
Computer equipment is a prime target for theft of the equipment itself, the information it
contains, or the access it provides. Portable computer equipment is especially vulnerable, both in
the office and in travel locations outside the office.
1. Exercise due care to protect Forest Service-owned or -leased IT equipment from the
introduction of food, beverages, cigarette ashes, paper clips, staples, or other hazards.
2. When laptop and notebook computers must be left unattended, whether docked or
undocked, ensure that they are physically secured.
3. Engage the screen lock whenever any computer is left unattended.
4. Enable password-protected screensavers on all computers, so that the computer
automatically locks itself when the user is away for unexpectedly long periods.
5. Protect all personal computers from extreme environmental conditions, such as
extreme dust and dirt from construction or outdoor exposure, or extreme heat, cold, or
moisture.
6. When traveling:
a. Keep laptops in carry-on luggage.
b. Make every reasonable effort to keep laptops and other IT equipment assigned to
the employee in sight during security screening at security checkpoints.
c. Except for security checkpoints, never entrust laptop and notebook computers,
however briefly, to anyone who is not working with the Forest Service in some
capacity. Only employees, contractors, or others working on behalf of the Forest
Service should be granted even temporary custody of Forest Service equipment.
d. When staying in hotels, exercise due diligence in securing and/or concealing
laptops to protect them, based on the employee’s assessment of the risk at the
particular location.
e. Do not leave laptops in hotel baggage hold rooms, unless reasonably assured of the
safety of the equipment.
f. Attach identification to laptops.
g. When traveling overseas, do not leave your laptop and mobile devices unattended.
Use encryption to protect sensitive files and perform regular backups to ensure no
loss of vital information in case of theft.
7. Immediately report the loss, theft, or destruction of any IT asset or information to the
Forest Service CIRT. Immediately report loss or theft of servers, laptops, desktop
computers, or other hardware devices or media containing Forest Service information to
both LEI and AQM following home unit procedures. When on travel, also report such
loss or theft to local police, and if possible, obtain a copy of the police report and furnish
it with the report to CIRT, LEI, and AQM.
6683.24 - Appropriate Use of Information Technology Resources
This section provides direction on the appropriate use of Forest Service-owned or -leased IT
resources.
1. This direction in no way limits Forest Service personnel in the use of Forest Service
IT for official and authorized activities.
2. If some job function seems to be hampered by this policy, personnel should contact
their Supervisor for assistance.
3. Hereafter, the terms “employee,” “employees,” and “personnel” refer to all who use
Forest Service-owned or -leased information resources.
4. In some instances, emergency incident operations may be granted waivers to some
provisions of the direction in this section related to operational security controls.
5. Do not remotely activate collaborative computing mechanisms and devices unless
authorized to do so. Exceptions to this prohibition, where remote activation of
collaborative devices is allowed, are to follow departmental policy and are defined in the
SSP of the information system in accordance with USDA requirements.
6. Do not access Forest Service information systems, other than those that are publicly
available, using personally-owned equipment unless authorized to do so.
7. Although the direction in this section focuses primarily on computers, the direction
also applies to other electronic, telecommunications, and information resources,
technology, services, and devices.
8. The system will provide an explicit indication of use to users physically present at the
devices.
9. For individuals who develop, administer, or have access to information systems
containing PII of moderate or high confidentiality impact level, the Forest Service will
receive signed acknowledgement from the users indicating that they have read,
understand, and agree to abide by the rules of behavior before authorizing access to
information and the information system. The signed acknowledgments are to be
reviewed annually.
6683.24a - Limited Personal Use
Department Regulation (DR) 3300-1 and the policy for “Limited Personal Use of
Telecommunication Resources and Office Equipment” negotiated between the Forest Service
and the Forest Service Partnership Council authorize limited personal use of telecommunications
resources and equipment by employees in the workplace on an occasional basis, provided that
the use involves minimal expense to the Government and does not interfere with official
business.
The telecommunications resources and equipment covered by this directive include telephones,
facsimile equipment, electronic messaging services and systems, computer equipment, World
Wide Web/Internet, Forest Service Web/Intranet, and related equipment, systems, and services.
Employees may use Forest Service IT resources for non-Forest Service purposes when such use
involves minimal additional expense to the Forest Service, is normally performed on the
Employee’s non-work time, does not interfere with the mission or operations of the Forest
Service, and does not violate the Standards of Ethical Conduct for Federal Employees.
6683.24b - Proper Representation
When using Forest Service equipment for non-Forest Service purposes, employees shall ensure it
is clear they are acting in a personal, and not an official, capacity. If there is a possibility that
such a personal use could be interpreted as representing the Forest Service, then an adequate
disclaimer must be used.
One acceptable disclaimer is: “The contents of this message are mine personally and do not
reflect any position of the Government or the Forest Service.”
6683.24c - Inappropriate Personal Uses
All personnel are expected to conduct themselves professionally in the workplace and to refrain
from using Forest Service telecommunications and information technology (IT) resources for
inappropriate activities. See the Standards of Ethical Conduct for Employees of the Executive
Branch (5 CFR part 2635) and DR 4070-735-001, Employee Responsibilities and Conduct, for
further direction and examples (Also, for additional direction, see sec. 6680.01e). Inappropriate
activities include, but are not limited to, the following:
1. Illegal activity, such as, but not limited to, copyright violations, unauthorized access to
Forest Service or other systems, possession or transmittal of child pornography, use of
Forest Service computer systems to facilitate a crime, or assistance to others in gaining
unauthorized access to Forest Service or other systems.
2. Use of Forest Service telecommunications and IT resources for activities that are
inappropriate or offensive to fellow employees or the public. Such activities include, but
are not limited to, hate speech or material that ridicules others on the basis of race, creed,
religion, color, sex, disability, national origin, or sexual orientation.
3. The creation, copying, transmission, or retransmission of chain letters or other
unauthorized mass mailings, regardless of the subject matter (for example, sending to
lists of multiple unknown recipients where no official business relationship exists). This
is also known as “spam.”
4. The creation, download, viewing, storage, copying, or transmission of sexually
explicit or sexually oriented materials.
5. The creation, download, viewing, storage, copying, or transmission of materials
related to gambling.
6. Posting of Forest Service information to external news groups, bulletin boards, or
other public forums without authorization. This includes any use that could create the
perception that the communication was made in one's official capacity as a Forest Service
employee (unless appropriate Agency approval has been obtained).
7. Destruction or modification of corporate information or information except in the
course of executing assigned duties or with authorization.
8. Intentional introduction of malicious software (viruses or worms) or infected files onto
Government equipment.
9. Any personal use that could cause congestion, delay, or disruption of service to any
Forest Service system or equipment, such as, but not limited to, large file attachments,
“streaming” technology such as stock or news tickers, continuous sports feeds, Internet
radio, or administration of non-Forest Service websites.
10. Any use that could generate more than minimal additional expense to the Forest
Service, such as frequent or lengthy personal local phone calls or faxes, or more than
occasional use of a copier to make one or two personal copies.
11. Commercial purposes in support of "for-profit" activities or in support of other
outside employment or business activity, such as consulting for pay, sales or
administration of business transactions, sale of goods or services, or Website
administration.
12. Engagement in any outside fundraising activity, endorsement of any product or
service, participation in any lobbying activity (except for activities permitted under
Article 5 of the Master Agreement between USDA Forest Service and the National
Federation of Federal Employees), or engagement in any prohibited partisan political
activity.
13. Installation or use of unauthorized software, including personally-owned software,
on Government equipment (see sec. 6683.24c and sec. 6683.24g).
14. Use of Forest Service equipment to administer non-business related personal mailing
lists.
15. Use of the Forest Service network as a substitute for obtaining an Internet service
provider for home Internet access.
16. Automated forwarding of Forest Service e-mail to a non-Forest Service domain
e-mail account (because all Forest Service work is considered “official business” and as
such should not be forwarded to a personal e-mail account).
6683.24d - Peer-to-Peer Networking, Networked Collaboration Tools, and Instant
Messaging
1. Forest Service employees are prohibited from installation and use of any peer-to-peer
networking, networked collaboration, or instant messaging tools, other than the Forest
Service’s authorized enterprise collaboration, or instant messaging tools.
2. Do not install or use on any Forest Service system any unauthorized peer-to-peer or
instant messaging software.
3. Re-imaging is required when such unauthorized peer-to-peer networking or instant
messaging software as described in the preceding paragraph is found on a computer.
4. Any Forest Service machine that does not have the Forest Service image installed
(such as various point solution servers and computers that are not a part of the Forest
Service computer base) on which unauthorized peer-to-peer networking software is found
must be re-imaged immediately from pristine media (see the definition at FSM 6680.05).
The System Administrator or individual computer user should be provided the
opportunity to salvage information or personal files before the machine is re-imaged.
6683.24e - “Back Door” Access
1. Forest Service personnel utilizing Forest Service-owned or -leased information
resources shall access Forest Service networks or equipment only via authorized
connection through the Forest Service network.
2. “Back door” access through unauthorized use of remote control software that permits
access to Forest Service equipment from outside the Forest Service network is prohibited,
unless technical approval (see FSM 6615) has been obtained for installation of such
software.
3. Modems:
a. Modems are prohibited on desktop computers unless expressly authorized. If a
modem is authorized for use on a desktop computer, do not connect the desktop
computer to an analog line at the same time it is connected to the network via LAN
cable.
b. On laptop computers, do not connect modems to an analog line at the same time as
the laptop is connected to the network via LAN cable.
6683.24f - Elevated Privileges
1. When an employee’s privileges are temporarily elevated to permit installation of
nonstandard but authorized software, install only software that has been approved for
installation.
2. Do not use access to an account with administrative privileges to elevate the rights on
personal accounts or to perform any other activity that is not specifically authorized.
6683.24g - Software Usage/User Installed Software Restrictions, Including
Freeware and Shareware
All software installed on Forest Service computer equipment that is not part of the Forest Service
image requires technical approval (TA) in accordance with FSM 6615.
1. Unless explicitly authorized for execution of authorized job related functions, do not
install software intended to identify or exploit IT vulnerabilities.
2. Because new versions of software and software upgrades often either generate
unexpected problems or do not always function as intended, the CIO staff tests all such
upgrades to standard corporate software before allowing the upgrades to be installed on
machines with standard Forest Service images. This prevents disruption of Forest
Service information systems. Employees, therefore, do not:
a. Install unauthorized freeware or shareware on Forest Service computer equipment.
b. Upgrade standard corporate software without authorization (see FSM 6615 for
clarification), including but not limited to the following:
(1) Adobe Acrobat Reader/Adobe Reader,
(2) MS Windows,
(3) MS Internet Explorer,
(4) MS Office,
(5) IBM Lotus Notes, and
(6) Symantec (Norton) Antivirus. Note this prohibition is in reference to updates to
the software itself, not to the virus definitions file. The automatic updates of the virus
definitions are required and should continue.
c. Either download or install patches of any kind to standard corporate software
without authorization.
d. Install add-ins or plug-ins.
e. Install, download, or run peer-to-peer software (see sec. 6683.24d).
3. Employees shall keep security patches installed and up to date on all nonstandard
commercial off-the-shelf (COTS) software, provided the original software installation
was approved.
4. Do not use unlicensed software. Abide by software copyright laws. Do not copy
licensed software for use on systems other than those for which it was purchased (see sec.
6683.24g).
5. Use software and associated documentation in accordance with contract agreements
and all applicable intellectual property laws, such as copyright.
6. Employ tracking systems for software and associated documentation protected by
quantity licenses to control copying and distribution.
7. Control and document the use of peer-to-peer file sharing technology to ensure that
this capability is not used for unauthorized distribution, display, performance, or
reproduction of copyrighted work.
6683.24h - Privacy Expectations
The responsible Forest Service Line Officers and Program Managers shall take the following
actions whenever necessary for the proper management of information technology (IT) resources
or to meet legal requirements. By using Forest Service IT equipment, employee consent is
implied for the following:
1. Monitoring and recording of activities as necessary to ensure the smooth, reliable
performance and secure operation of information systems as required by law and in
accordance with Article 4 of the Master Agreement between the USDA Forest Service
and National Federation of Federal Employees, including, but not limited to, monitoring
and recording of Internet access and e-mail transmissions or receipts.
2. Disclosure of the contents of any files or information maintained on or passed through
Forest Service IT resources to employees who have a need to know in the performance of
their duties. Forest Service officials, such as system managers and supervisors, may
access any electronic communications as necessary to maintain reliable and secure
information system operation or to investigate reports or indications of improper use.
3. The understanding that any use of Forest Service communications resources generally
is not secure, is not private, and is not anonymous, and that system managers do employ
monitoring tools to detect improper use. There is no right to privacy when using
government information systems.
4. The potential for investigation of files stored on an employee’s computer for reasons
unrelated to the employee. Although Supervisors shall not investigate files stored on an
employee’s computer without cause, employees should be aware that circumstances
external to the employee can generate such a cause. The course of a security incident
investigation, for example, may require that all computers in a specific unit be searched,
thus possibly exposing personal files to management scrutiny (see FSM 5300, 6170,
6270; FSH 6209.13).
6683.24i - Sanctions for Misuse
1. Each suspected incident of unauthorized or improper use of Forest Service equipment,
or of failure to take prudent physical security measures to protect Forest Service
equipment, will be investigated as prescribed by FSM 6170 and DPM 751 (see
FSM 6680.01).
2. Findings of culpability will result in disciplinary action consistent with the provisions
of FSM 6170 and DPM 751, which may include the employee’s loss of use or limitations
on use of equipment, disciplinary or adverse action, criminal penalties, and/or financial
liability for the cost of improper use.
6683.3 - Physical and Environmental Protection
1. Develop, disseminate, and provide an overall Physical and Environmental Protection
policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance.
4. Develop formal, documented procedures to implement this policy and the associated
Physical and Environmental Protection controls. These procedures are to be reviewed
and updated annually in accordance with USDA requirements.
6683.31 - Physical Access Authorizations
1. Develop and keep a current list of personnel with authorized access to facilities
containing information systems (except those areas within the facilities officially
designated as publicly accessible).
2. Review, approve, and update the access authorization list at least quarterly in
accordance with USDA requirements. If a user’s access is no longer warranted, or if that
user is no longer with the Forest Service, remove that user’s access privileges
immediately.
3. Issue an authorization credential (security badge or other personal identity verification
(PIV) device) to each person allowed unescorted access to Forest Service’s IT controlled
or restricted space or facilities.
4. PIV devices must:
a. Be worn or attached at or above the waistline of the individual so as to be visible at
all times when viewing the individual from the front.
b. Conform to the requirements of Homeland Security Presidential Directive 12
(HSPD-12).
c. Clearly indicate if the wearer is a Forest Service employee, contractor, or
authorized visitor.
5. Train Forest Service personnel and contractors to recognize and report potential
security threats such as individuals whom they do not recognize or suspicious packages
entering or exiting the IT Facility.
6. Document and report security violations or suspicious activity to the Forest Service
CIRT.
a. In the event of unauthorized access to an IT facility, contact the proper
enforcement officials, and ensure that the individual is escorted from the facilities.
b. Document all incidents and take appropriate action according to security policies.
7. Permit uniformed and/or credentialed law enforcement, fire, or emergency medical
services (EMS) personnel responding to an emergency call to deviate from any part of the
requirements in this chapter that inhibit their emergency response efforts.
6683.32 - Visitor Control
1. For access to areas containing information systems or network components, consider
all individuals without permanent authorization credentials to be visitors, document their
visit, and for IT restricted space issue temporary identifications (IDs) for the duration of
their visit.
2. Verify that all visitors have a legitimate reason to enter information technology (IT)
restricted or controlled space before allowing access. Escort visitors and monitor visitor
activity when required.
3. Require visitors to sign a log upon entering IT restricted or controlled spaces and sign
out upon exiting. The log must record the visitor’s name, organization, purpose of visit,
and identity of escort or person/office being visited, as appropriate.
a. Review the visitor access logs at least quarterly in accordance with USDA
requirements.
b. Retain the logs for at least 1 year or in accordance with official records
management and retention requirements.
4. Designate and control access to areas officially designated as publicly accessible in
accordance with the facility’s assessment of risk.
5. Monitor physical access to the information system to detect and respond to physical
security incidents. At least quarterly in accordance with USDA requirements, review
physical access logs and coordinate the results of reviews with Forest Service CIRT and
LEI, as applicable. Provide real-time physical intrusion alarms and surveillance
equipment for IT controlled or IT restricted space. Utilize real-time physical intrusion
alarms and surveillance equipment where practical.
6. Conduct annual inventories of all physical access devices in accordance with USDA
requirements.
7. Re-key or change the combinations of high security locks at least annually in
accordance with USDA requirements, or when the keys and/or combinations are lost or
compromised, or when individuals in possession of the keys or combinations are
transferred or terminated.
6683.33 - Information Technology Facilities
1. Physically secure all Forest Service information technology (IT) facilities
commensurate with their importance to the ability of the Forest Service to accomplish its
mission, excluding those areas within the facility that are officially designated as publicly
accessible. At a minimum, locate IT equipment in locked rooms or enclosures secure
enough to create a minimal risk of unauthorized physical access.
2. Incorporate physical security requirements into all plans and designs for new or
remodeled IT space or facilities.
3. Periodically test environmental protection devices or systems required by section
6683.33 to ensure they are operating and will function as intended.
4. For any site or facility that does not meet the physical security requirements of section
6683.33, submit a request for policy exception to the USDA Associate Chief Information
Officer for Cyber Security. Include with the request an action plan, milestones, and
timeline for achieving compliance or mitigating the deficiencies.
5. Protect power equipment and power cabling for information systems from damage and
destruction.
6. Regulate temperature and humidity in facilities housing Forest Service IT
components. The levels maintained are defined by the Forest Service and conducive to
the optimal operation of the information system in accordance with USDA requirements.
Monitor temperature and humidity levels continuously if automatic and twice a day if
manual in accordance with USDA requirements.
7. Protect Forest Service IT equipment from potential water damage. Master shutoff
valves are provided that are accessible, working properly, and known to key personnel.
8. Assess the feasibility of employing appropriate management, operational, and
technical controls at Forest Service alternate work sites. Implement and assess the
effectiveness of all applicable NIST- and USDA-compliant security controls in
accordance with USDA requirements, including but not limited to management,
operational, and technical controls at all Forest Service alternate work sites. Alternate
work sites provide means for Forest Service employees and collaborators to communicate
with the Forest Service CIRT in case of a security incident.
9. Locate medium and output devices that display sensitive information or PII in the
interior of the building, away from exterior windows and positioned so as not to be visible
to passersby. Position information system components within the facility to minimize
potential damage from physical and environmental hazards and to minimize the
opportunity for unauthorized access.
10. For controlled access areas, shut doors and ensure windows are screened to prevent
unauthorized viewing of the monitor.
11. Implement an emergency shutoff process and capability in accordance with
available, standard CIO approved procedures. Ensure that emergency shutoff switches or
devices are located to facilitate safe and easy access for personnel and are protected from
unauthorized activation.
12. Provide emergency backup power sufficient to maintain automatic emergency
lighting for facility interior and entrances/exits as specified in the local emergency
evacuation plan.
13. For IT controlled space (see FSM 6680.05):
a. To the extent possible, locate the space in the interior of the building away from
exterior windows.
b. Secure IT equipment in a locked room or closet or in locking cabinets with
tamperproof hinges.
c. Do not identify equipment locations in building directories or on orientation floor
plans accessible by visitors or the general public. If lockers, cabinets, or entrances to
rooms or closets housing IT equipment must be located in publicly accessible areas,
do not apply external markings indicating their function.
d. Provide appropriate fire detection and protection that activates automatically and
notifies emergency responders whether the facility is staffed or unstaffed. Fire
detection and suppression devices/systems are supported by an independent energy
source and deployed in accordance with local fire codes.
e. Provide uninterruptible power supply (UPS) or equivalent emergency backup
power systems if warranted by the nature of the components in the space.
f. Ensure that the environment provides temperature and humidity control sufficient
to meet manufacturer operating parameters for the IT equipment contained in the
space. The levels maintained are defined by the Forest Service and conducive to the
optimal operation of the information system in accordance with USDA requirements.
g. Implement access controls that:
(1) Provide an audit trail of all physical access to the space and/or equipment.
(2) Prevent access by unauthorized individuals.
h. Make a risk-based decision concerning environmental and physical hazards when
positioning Forest Service-owned or -leased information system components within
IT restricted or controlled space.
14. For IT restricted space (see FSM 6680.05):
a. Meet the physical security requirements for IT controlled space (see previous
paragraphs).
b. In addition, physically secure the space in accordance with section 6683.33,
exhibit 01, IT Restricted Space Specifications.
c. Include those requirements and specifications in all leases or contracts for IT
restricted space, including contracts for design and construction of such spaces.
15. Prepare occupant emergency plans for all IT restricted space if not already covered
by an existing plan. Test the occupant emergency plan at least once a year.
16. Control physical access to information system distribution and transmission lines
within Forest Service facilities.
6683.33 - Exhibit 01
IT Restricted Space Specifications
1. For facilities that are or contain IT restricted space:
a. Provide well-lit, controlled parking areas, including arrangements for removal of
unauthorized vehicles.
b. Monitor and control access to the facility at all times using security guards and
intrusion detection systems with central monitoring capability maintained to current
life safety standards, as specified in DM 3510-001 (see FSM 6680.01f).
2. Equip all IT restricted space entrances/exits with high security locks inspected at least
every 6 months by IT personnel.
a. Re-key or change the combinations of high security locks at least annually, or
when the keys and/or combinations are lost or compromised, or when individuals in
possession of the keys or combinations are transferred or terminated.
b. Maintain a current inventory of these high security locks and secure all keys and
combinations and other access devices.
3. Provide surveillance cameras with time-lapse recording capability at all entrances and
exits.
4. Provide lighting with emergency backup at all IT restricted space perimeter
entrances/exits and between facility entrances/exits and IT restricted spaces.
5. Require security guards or equivalent personnel to X-ray or otherwise inspect all
packages not mailed or shipped from a trusted source before delivery within the facility.
Log all deliveries.
6. To the extent possible, locate the space in the interior of the building away from
exterior windows, and at least 50 feet from and not directly above or below visitor
activity areas, mailrooms, or loading docks.
7. Protect the space using a fire suppressant system in accordance with local fire codes,
preferably dry-pipe. Test and monitor all fire suppression and prevention devices at least
every 90 days and immediately replace defective devices.
8. Provide only the minimum number of entrances/exits allowed by local fire codes and
use metal or solid wood doors with at least a 2-hour fire rating and tamperproof hinges.
Do not use glass doors or windows.
9. Enclose the space with hard walls extending from the fixed floor to the fixed ceiling.
Do not terminate perimeter walls at the surface of a floating (raised) floor or hanging
ceiling.
10. Use an electronic, preferably biometric, control for access to IT restricted space that:
a. Provides an audit trail.
b. Is removed from any master key systems for the facility.
c. Includes a centrally monitored intrusion detection system active on all IT restricted
space perimeter entrances and exits.
11. Provide the space with automatic emergency backup power sufficient to:
a. Maintain physical access controls and emergency interior lighting for at least 24
hours during power outages.
b. Maintain server, information/voice/video/radio or other communications, and
heating/ventilation/air conditioning (HVAC) operations during a power outage in
accordance with the system security plan or operation guide for the systems involved,
but at a level at least sufficient to accomplish an orderly shutdown of all equipment
within the space once available backup power declines to 40 percent of its rated
capacity.
12. Provide the space with temperature control, using redundant HVAC systems if
necessary, sufficient to:
a. Keep all equipment operating within manufacturer recommended temperature
ranges during normal operation.
b. Keep equipment within the space that is designated as mission-critical in its
system security plan operating within manufacturer recommended temperature ranges
during a failure of either the primary IT restricted space HVAC system or one of the
redundant HVAC systems, if installed.
6683.34 - Delivery and Removal of IT Related Items
1. Authorize and control all designated information system components (for example,
hardware, firmware, software) entering or exiting information technology (IT) restricted
space, in accordance with USDA requirements.
a. Items may be authorized by designated officials or system owners only.
b. Control packages by knowing what the items will be used for, the information
system to which the items are assigned, and the final location where these items will
reside.
2. Maintain appropriate records of such items, including delivery logs.
3. Control access to loading docks and other delivery or receiving/shipping areas, and
isolate such areas from the information system and media libraries to reduce the risk of
unauthorized physical access.
6683.4 - Information Technology Contingency Planning
1. Develop, disseminate, and provide an overall Contingency Planning policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
contingency planning controls. These procedures are to be reviewed and updated
annually in accordance with USDA requirements.
5. Establish a Forest Service-wide information technology (IT) contingency planning
process and incorporate contingency planning into the SDLC for all information systems.
6. Identify and prioritize critical IT resources for emergency response and recovery, and
determine the minimum actions necessary to restore mission critical core business
functions.
7. Identify preventive measures that could be taken to reduce the effects of information
system disruptions.
8. For all major information systems and systems that support critical business functions,
develop and implement ITCPs that:
a. Provide clear and specific activation criteria.
b. Provide clear, understandable, sufficiently detailed guidance to allow orderly and
efficient restoration and reconstitution of disrupted information systems and the
business functions they support.
c. Include recovery and reconstitution strategies to ensure disrupted systems can be
reconstituted and recovered quickly and effectively following an incident.
d. Clearly assign individual responsibilities, roles, and authorities with associated
lines of succession for response and recovery efforts and contact information.
e. Identify resources or facilities that must be arranged in advance to ensure ITCPs
can be executed.
f. Define communication procedures and priorities to be used during an emergency
or crisis, including key contacts.
g. Are approved by the principal parties affected by or involved with the plan.
h. Identify essential missions and business functions and associated contingency
requirements.
i. Provide recovery objectives, restoration priorities, and metrics.
j. Address eventual, full information system restoration without deterioration of
security measures originally planned and implemented.
9. Review ITCPs on an annual basis in accordance with USDA requirements or at least
every 6 months for financial systems, and update as necessary.
10. Coordinate ITCP development with Forest Service elements responsible for related
plans, such as COOP.
11. Define the specific types of teams needed to implement the ITCP, based on the
systems affected, and assign individuals to these teams.
12. Distribute updates and make available copies of ITCPs at least annually in
accordance with USDA requirements to all those with a role or responsibility in
executing them. The key personnel are to be defined in the information system CP in
accordance with USDA requirements.
13. Coordinate related ITCPs to avoid conflict or duplication of effort. See section
6683.4, exhibit 01 for types of CPs that might be related.
14. Develop an ITCP update strategy to accommodate changes identified by testing and
training or implementation. Revise the plan to address changes in the information
system.
6683.4 - Exhibit 01
Types of Contingency Plans
Contingency Plan | Purpose | Function
Information Technology Contingency Plan (ITCP) | Recover IT (broad range of disruptions) | Provides guidance for recovering information systems
Continuity of Operations Plan (COOP) | Sustain National and Regional Headquarters | Focuses on restoring essential functions at an alternate site
Disaster Recovery Plan (DRP) | Recover IT (major disruption) | Applies to major events that deny access to the facility for an extended period of time
Cyber Incident Response Plan | Recover IT (malicious attack) | Establishes procedures to address cyber-attacks against information systems
Crisis Communications Plan | Communications | Establishes internal and external communications procedures
Occupant Emergency Plan (OEP) | Personnel Safety | Provides the response procedures for occupants in the event of a situation requiring evacuation
6683.41 - Continuity of Operations Plan
1. Develop a Continuity of Operations Plan (COOP) for Forest Service headquarters,
Regional Offices, and Research Station headquarters that provides for the restoration of
mission essential and critical functions at an alternate site for up to 30 days following a
disaster or other event that makes the primary site unusable.
2. Identify in the COOP those IT requirements necessary to support the primary function,
such as emergency communications, authorities, and establishment of the chain of
command.
3. Design the plan to take maximum advantage of existing Forest Service IT
infrastructures.
4. Review and test the COOP IT components twice annually to ensure that the IT
functions operate as planned.
5. Arrange in advance, through solicitations, contracts, and agreements, for the use of the
alternate sites, facilities, or other resources required by the COOP.
6683.42 - Contingency Training
1. Provide training to all personnel with contingency roles and responsibilities with
respect to the information systems.
2. Ensure that training results in participants’ understanding of both the applicable
contingency plans and their roles defined within the plans.
3. Provide refresher training at least annually in accordance with USDA requirements.
6683.43 - Contingency Plan Testing
1. Unless otherwise specified below, test ITCPs for information systems annually in
accordance with USDA requirements or after significant system changes.
2. Test or exercise ITCPs for mission essential and critical (including financial) systems
at least every 6 months or after significant system changes to ensure the plans are
executable.
3. Conduct tests using Forest Service-defined tests and/or exercises (tabletop for low
systems and functional for moderate and high systems in accordance with USDA
requirements) in order to determine the plan’s effectiveness and the Agency’s readiness
to execute the plan.
4. Review ITCP test/exercise results and initiate corrective actions, including correcting
any deficiencies found during testing.
5. Coordinate ITCP testing with other Forest Service elements with responsibilities in
related plans such as a Business Continuity Plan, Disaster Recovery Plan, Continuity of
Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency
Action Plan.
6683.43a - Continuity of Operations (COOP) Plan Testing Requirements
1. Review and test the Continuity of Operations Plan (COOP) on an annual basis or after
a significant system change, to ensure that it:
a. Can be executed with or without warning within 12 hours of disruption.
b. Will protect essential assets and provide continuous operation of essential
functions for up to 30 days.
2. Arrange in advance, through solicitations, contracts, and agreements, for the use of the
alternate sites, facilities, or other resources required by the COOP.
6683.43b - Business Resumption Plan Testing Requirements
Review and test, at least as a tabletop exercise, each Business Resumption Plan (BRP) every
6 months to ensure that it can be executed and that it will, in fact, restore normal business
operations as intended. Correct any deficiencies in the plan discovered during testing.
6683.43c - Backup and Recovery Plan Testing Requirements
Test recovery procedures at least annually. The test must include full system and/or database
restoration from backup media.
6683.44 - Alternate Storage Sites
1. Appropriate to system categorization, identify an alternate storage site and initiate
necessary agreements to permit the storage of systems backup information.
2. Ensure that the frequency of information systems backups and the transfer rate of
backup information to the alternate storage site (if so designated) are consistent with the
Forest Service’s recovery point objectives.
3. Ensure that the alternate storage site is geographically separated from the primary
storage site so as not to be susceptible to the same hazards identified at the primary
storage site and is not likely to be affected by the same event that rendered the primary
storage site backup media unavailable.
4. Ensure that the Forest Service identifies potential accessibility problems to the
alternate storage site in the event of an area wide disruption or disaster and outlines
explicit mitigation actions.
5. Ensure that the alternate storage site provides a level of security and protection no less
stringent than provided for the primary site, and has a safe environment providing
temperature and humidity regulation, water damage protection, fire prevention, and
power management controls.
6. Ensure that the alternate storage site protects the confidentiality and integrity of the
backup information at the alternate storage site.
6683.45 - Alternate Processing Sites
1. Appropriate to system categorization, identify an alternate processing site and initiate
the necessary agreements to permit resumption of information systems within the
organization-defined time period, in accordance with USDA requirements and the
system’s ITCP, when the primary processing capabilities are unavailable.
2. Make available equipment and supplies required to resume operations in accordance
with the systems’ ITCP.
3. Develop a Memorandum of Understanding/Agreement (MOU/A) or a service level
agreement specific to the organization’s needs.
4. Establish contracts as required to support Forest Service established recovery time
objectives.
5. Ensure that the alternate processing site is geographically separated from the primary
processing site so as not to be susceptible to the same hazards as identified at the primary
processing site.
6. Ensure that the Forest Service identifies potential accessibility problems to the
alternate processing site in the event of an area wide disruption or disaster and outlines
explicit mitigation actions.
7. Ensure that the alternate processing site agreements contain priority-of-service
provisions in accordance with the Forest Service availability requirements.
8. Ensure backup copies of ITCPs are available at alternate processing locations.
9. Ensure that the alternate processing site provides information security measures
equivalent to those of the primary site.
6683.46 - Telecommunications Services
1. Identify primary and alternate telecommunications services to support information
systems and, when the primary telecommunications capabilities are unavailable, initiate
necessary agreements to permit the resumption of those information systems’ operations
within the maximum of 48 hours in accordance with USDA requirements or as defined in
the information system’s contingency plan (CP).
2. In the event that the primary and/or alternate telecommunications services are
provided by a common carrier, request Telecommunications Service Priority (TSP) for
all telecommunications services used for national security emergency preparedness.
(See http://tsp.ncs.gov for an explanation of the TSP program.)
3. Ensure that primary and alternate telecommunications services agreements contain
priority-of-service provisions in accordance with the Forest Service availability
requirements.
4. Ensure that alternate communications services do not share a single point of failure
with the primary telecommunications services.
6683.47 - Information System Backup
1. Back up Forest Service corporate data and information systems in a way that enables
information or system recovery within a time period dictated by the relevant System
Security Plan (SSP); applicable Contingency Plans (CPs); and in accordance with
applicable policies, regulations, or service level agreements. This includes system-level
data, system-state information, OS and application software.
2. Ensure that backups are sufficient to provide immediate, full, and accurate restoration
of information systems and corporate information after a disruption or disaster.
3. Use onsite storage of backups to ensure ability to recover systems or information
quickly in the event of disruptions or damage that does not render the normal production
site unusable.
4. Store all corporate information on Forest Service file servers unless a Local Backup
Waiver Request has been approved to allow storage elsewhere. For waived laptop or
desktop computers, pocket personal computers (PCs), personal digital assistants (PDAs),
or other computing or information/data recording devices, provide point-solution backup
and recovery mechanisms and procedures that follow the same minimum standards as
major applications (MAs).
5. Perform regular, scheduled backups of systems and information in conformance with
any applicable policies and any approved service level agreements for information
systems operation and maintenance.
6. At a minimum, perform backups according to the following requirements:
a. Perform backups before and after any significant system configuration changes.
b. Perform full backups of mission essential or mission critical corporate databases,
daily, on all normal workdays.
c. Perform backups of other corporate information incrementally on a daily basis.
This includes system documentation backups (including security-related information
to support recovery time objectives and recovery point objectives).
d. Perform full system backups to support recovery time objectives and recovery
point objectives monthly or on a schedule as defined in the SSP.
e. Perform user-level backups as scheduled in the information system SSP and/or CP
in accordance with USDA requirements.
7. Check each backup for successful completion and verify where possible and practical.
8. Document backup media storage locations and retention dates in the information SSPs
and CPs.
9. Document procedures for testing backup media/information. Testing of backup
information to verify media reliability and information integrity is to be conducted
quarterly in accordance with USDA requirements.
10. Clean, store, and rotate backup media to guard against media failure according to
vendor or software recommendations.
11. Ensure backup and recovery equipment maintenance meets levels no less than the
minimum manufacturer recommendations.
12. Sanitize or destroy backup media before it is transferred, sold, or otherwise disposed
of or allowed to be used for other purposes. Use sanitization and disposal methods
appropriate for the information’s FIPS 199 security categorization, following guidelines
found in NIST SP 800-88.
13. Properly label all backup media with creation date and contents.
14. Ensure sufficient backup storage capability is available where needed in order to
meet the requirements of all Forest Service information systems.
15. Physically secure backup and recovery systems and media, restricting access to only
those that require it for their official duties. Protect the confidentiality and integrity of
the backup information at the storage location.
16. Maintain a list of personnel or positions authorized to access backup media in
applicable information SSPs and CPs.
17. Perform periodic security checks to verify media are being properly handled and
stored according to the requirements of the security plan.
18. Use an alternate storage site (see FSM 6683.44) to ensure ability to recover from
disasters or disruptions that render the primary production site unusable or that damage or
destroy onsite backup media:
a. Store monthly or full system backups at an alternate storage site and retain them
for 1 year and in accordance with applicable record management and retention policy
unless otherwise required by the information system’s ITCP.
b. Rotate backup files to an alternate storage site as required by the information
system’s security plan.
19. Control and document all removal, use, and return of backup media, including access
to backup media storage areas or facilities to include person, reason, specific media,
where the media will be taken, and date/time of removal and return.
6683.48 - Information System Recovery and Reconstitution
1. Develop recovery and reconstitution strategies, activities, and detailed procedures to
recover and reconstitute processing capabilities to a known state after a disruption,
compromise, or failure, repair damage to the original system, restore operational
capabilities at the primary or alternate facility, and recover from information system
compromise. These strategies, goals, and detailed procedures should include:
a. Obtaining and installing necessary hardware components.
b. Obtaining and loading backup media.
c. Restoring critical operating system, application software, and information.
d. Testing system functionality including security controls.
e. Connecting system to network or other external systems.
f. Testing system operations to ensure full functionality.
g. Backing up operational information on the contingency system and uploading to
the restored system.
h. Shutting down the contingency system.
i. Terminating contingency operations.
j. Securing, removing, and/or relocating all sensitive materials at the contingency
site.
k. Arranging for recovery personnel to return to the original facility.
2. Complete a Business Impact Analysis (BIA) to determine the appropriate recovery
priority and allowable outage times for information systems, applications, and system
components.
3. Assign contingency roles and responsibilities to personnel and teams responsible for
information systems.
4. Ensure the information system implements transaction recovery for systems that are
transaction-based.
5. Employ compensating controls for circumstances that would prevent recovery to a
known state.
6683.48a - Disaster Recovery and Reconstitution
1. Develop a disaster recovery and reconstitution plan (DRP) for each major information
system to cover an emergency or other event that makes the system inoperable or inaccessible
for more than 30 days, using the USDA enterprise contingency planning software tool or
an approved comparable tool.
a. Develop DRPs using the USDA enterprise contingency planning software tool or
an approved comparable tool.
b. Develop DRPs in conjunction with BRPs so that the transition from system
recovery to business resumption during and after an emergency or disruption is
orderly and efficient.
c. Coordinate DRPs with Continuity of Operations Plans (COOPs) so there are no
conflicts of responsibility or authority.
2. Review and test, at least as a tabletop exercise, each DRP twice a year to ensure that it
can be executed and will fulfill its intended purpose of quickly returning a disrupted or
damaged information system to operability. Perform functional tests annually of each
mission essential or mission critical application and general support systems (GSSs),
unless not cost effective, in which case the system owner shall request and obtain a
waiver from the ISSPM to conduct partial functional tests or other less costly tests that
can accurately gauge effectiveness of the recovery plan. Correct any deficiencies in the
plan discovered during testing.
6683.5 - Hardware and System Software Maintenance
1. Develop, disseminate, and provide an overall IT maintenance policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
maintenance controls. These procedures are to be reviewed and updated annually in
accordance with USDA requirements.
6683.51 - Controlled and Remote Maintenance and Maintenance Tools
Schedule, perform, document, and review preventive and regular maintenance activities:
1. Maintain a maintenance log for the life of each IT system component. Maintenance
logs include, at a minimum:
a. Date and time of maintenance.
b. Name of the individual performing the maintenance.
c. Name of escort, if necessary.
d. A description of the maintenance performed.
e. A list of equipment removed or replaced, including applicable identification
numbers.
2. Control all maintenance activities utilizing the IT system’s documented procedures for
unscheduled and scheduled maintenance and ensuring designated officials explicitly
approve the removal of any information system from a Forest Service facility.
3. Follow emergency maintenance activities in the IT system’s emergency maintenance
procedures.
4. Test maintenance activities in advance of implementation to ensure the action will not
harm the IT environment.
5. Inform all users of scheduled, unscheduled, and emergency maintenance on the IT
system that may impact their use of the system, providing notification as far in advance
as feasible.
6. Obtain approval for all hardware and software introduced to the system specifically
for diagnostic/repair actions (maintenance tools) prior to use, and monitor use of the
tools.
7. Schedule, perform, and document maintenance of maintenance tools.
8. Test and verify maintenance tools to ensure they cannot or will not cause any damage
to Forest Service systems.
9. Complete non-local maintenance activities in accordance with available, standard
CIO-approved procedures and without significantly affecting information system
security, availability, or performance. Ensure that all non-local maintenance and
diagnostic activities are authorized, logged, and audited. The Forest Service will employ
strong identification and authentication techniques for non-local maintenance and
diagnostic sessions. Document the installation and the use of non-local maintenance and
diagnostic connections in the information system SSP.
10. Terminate all sessions and remote connections when remote maintenance is
completed.
11. Sanitize equipment to remove all information from associated media prior to removal
from Forest Service facilities for off-site repair or maintenance.
12. Check all potentially impacted security controls to verify that the controls are still
functioning properly following maintenance or repair actions.
6683.52 - Maintenance Personnel
1. Perform timely and complete maintenance of Forest Service systems by personnel
authorized to perform such hardware and system maintenance.
2. Establish a process for maintenance personnel authorization. Maintain a list of all
authorized personnel who perform maintenance on information systems.
3. Subject authorized maintenance personnel to all policies and procedures for access to
the systems they maintain, whether maintenance is performed locally or remotely; grant
them the appropriate level of access to perform such maintenance.
4. Escort and continuously supervise maintenance personnel who do not have the
required level of access to the information system(s) being serviced.
5. Authenticate non-Forest Service maintenance personnel through the use of preplanned appointments and identification checks.
6. Require that non-Forest Service maintenance personnel have continuous supervision
by a Forest Service authorized individual who has the appropriate level of access to the
system(s) undergoing maintenance and technical competence deemed necessary.
7. Detail maintenance personnel screening and access requirements in the statement of
work (SOW) or contract covering the information system’s maintenance.
6683.53 - Timely Maintenance
1. Identify key information system components. Document in the information system
SSP the components for which maintenance support and/or spare parts will be obtained
and the time frame required.
2. Review service provider contracts or service level agreements for information system
maintenance to ensure that they provide:
a. Regular, scheduled preventive maintenance and key component replacement
parts.
b. Emergency maintenance support and key component replacement parts within 24
hours of component failure or as defined in the SSP.
3. Provide regularly scheduled maintenance in accordance with the information system
component manufacturer’s recommendations (at a minimum) and as specified in the SSP.
4. Maintain an adequate inventory or contract provisions for replacement that ensure key
component spare parts are available within a specified period of time.
6683.6 - Security Awareness and Training
1. Establish an overall Forest Service information technology (IT) security training
program. The Forest Service will develop, disseminate, and review/update the IT
security training program on an annual basis in accordance with USDA requirements.
2. Ensure that those involved with information systems understand their role, the Forest
Service security policies and procedures, and the security controls and techniques
available to them. These procedures are to be reviewed and updated at least annually in
accordance with USDA requirements.
6683.6a - Security Awareness
1. Ensure that all information system users (including Managers, Senior Executives,
Contractors, and temporary employees) receive basic security awareness training and
accept the rules of behavior before they are authorized to access the system.
2. Provide this training immediately when beginning employment and yearly thereafter
in accordance with USDA requirements, and whenever required by information system
changes.
3. Develop, implement, and maintain a Forest Service-wide IT security awareness
program of information and training.
a. Focus the program on making users aware of the security risks created by their use
of an information system and how those risks can be minimized.
b. Maintain the level of security awareness among users by using frequent reminders,
updates, tips, and other forms of regular communication.
c. As part of the security awareness program, require all system users to complete the
USDA security awareness course immediately upon beginning employment with the
Forest Service, and a refresher course at least yearly thereafter for continued access.
d. Document the security awareness program in a Forest Service Computer Security
Awareness and Training plan that is updated annually, and is included or incorporated
in the Forest Service’s master System Security Plan.
4. Work with the USDA to ensure that the IT Security Awareness Training program is
consistent with the relevant National Institute of Standards and Technology (NIST) and
Federal guidance.
5. Work with the USDA to determine the appropriate content of security awareness
training based on the specific requirements of the Forest Service and the information
systems to which personnel have authorized access.
6. Employ security awareness techniques such as displaying posters, offering supplies
inscribed with security reminders, and displaying logon screen messages.
7. Ensure there is a basic understanding of the need for information security and user
actions to maintain security and to respond to suspected security incidents.
6683.6b - Security Training
1. Identify personnel who have significant information system security roles and
responsibilities during the system development life cycle; document those roles and
responsibilities.
2. Provide appropriate role-based information system security training:
a. Before authorizing access to the system or performing assigned duties;
b. When required by system changes; and
c. Annually, thereafter in accordance with USDA requirements.
3. Develop, implement and maintain a Forest Service-wide program of role-based
security training for those with additional information system security responsibilities.
4. Clearly convey the rules and requirements pertaining to security of the systems and
applications being accessed, operated, or managed.
5. Ensure that those involved in the design, development, operation, management, or
maintenance of an information system or application are aware of their security
responsibilities based on their level of access, and are trained to fulfill those
responsibilities.
6. Require and provide appropriate role-based security training:
a. For all new or newly assigned system users or Managers, System and Network
Administrators, and other personnel with access to system level software and having
additional information system security responsibilities.
b. Whenever there is a significant change in direction, a major system modification, a
significant software change, or a change of duties.
7. Develop new informational and training materials only if suitable USDA provided or
other materials are not already available.
8. Design security training programs to take advantage of current technology that
provides ease of use, scalability, accountability, and reliable support, to the extent
possible.
9. Incorporate assessments or evaluations into training and information materials to help
determine their effectiveness. Make adjustments, as necessary, to improve effectiveness.
10. Ensure that the instructional materials address the specific requirements of the Forest
Service and the information systems to which personnel have authorized access.
11. Ensure that the role-based IT security training program is consistent with NIST and
Federal guidance, addressing management, operational, and technical roles.
6683.61 - Security Training Records
1. Document and monitor individual information system security training activities
including basic security awareness training and specific (role-based) information system
security training. Retain security training records for a period of 3 years (this satisfies
the USDA minimum retention requirement of 1 year as defined by NARA).
2. Verify and document completion of security awareness and role-based security
training courses by each trainee.
3. Monitor and document each individual’s information technology (IT) security training
record to include specialized information system security training activities for personnel
with significant IT security roles and responsibilities.
4. Ensure Forest Service individuals take required training or work with system
Managers to disable access until training is completed.
6683.7 - Computer Incident Response Capability
6683.71 - Incident Handling, Monitoring, and Reporting
1. Develop, disseminate, and provide an overall Incident Response policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
incident response controls. These procedures are to be reviewed and updated annually in
accordance with USDA requirements.
5. Establish and maintain a Forest Service-wide plan to rapidly identify, contain,
monitor, and respond to any security incident or other adverse event that creates a threat
to some aspect of a Forest Service information system. Ensure designated officials
review, update, and approve this plan on an annual basis in accordance with USDA
requirements.
a. Provide information system users and Managers with an understanding of what
constitutes a security incident, provide a way to easily report incidents to those
responsible for responding, and identify a resource that users can contact for
assistance.
b. Ensure that the incident response plan provides a roadmap for implementing the
incident response capability and describes the structure and organization of the
incident response capability.
c. Ensure that a high-level approach for how the incident response capability fits into
the overall organization is included in the plan and that the plan meets the unique
requirements of the organization’s mission, size, structure, and function.
d. Ensure that the plan defines reportable incidents and includes metrics for
measuring the incident response capability within the Forest Service.
e. Ensure that the incident response plan defines the resources and management
support needed to effectively maintain and mature an incident response capability.
f. Establish incident response procedures to control and minimize damage, preserve
evidence, provide quick and efficient system recovery in accordance with the
recovery and reconstitution portion of the system’s Contingency Plan (CP) and help
better understand threats and prevent similar future events.
g. Develop a communication plan, including a current contact list, for those who
might be involved with or need to be informed about security incidents and responses,
including owners of other information systems that might be affected.
h. Document reporting requirements and responsibilities for security incidents.
Incidents are to be reported promptly in accordance with USDA requirements.
i. Give the integrity and confidentiality of Forest Service information assets priority
over system availability in all incident response decisions and actions.
6. Create and maintain a Forest Service CIRT to respond to, manage, monitor, or
coordinate all computer security incidents from discovery through resolution, using
automated mechanisms to support incident handling where practicable.
a. Clearly identify the responsibilities and authority of the Forest Service CIRT, and
the services they will provide. Communicate that information to the Forest Service
CIRT and to others who might be involved in or affected by a security incident
response.
b. Provide the Forest Service CIRT with the technical, communication, management,
and teamwork skills necessary for carrying out their responsibilities or with
immediate access to those skills.
c. Appoint a Forest Service CIRT Team Leader and a Deputy Forest Service CIRT
Team Leader for coordinating Forest Service CIRT activities and acting as the point
of contact for the team.
d. Assist the Forest Service CIRT in building working relationships with those who
might be involved with security incident responses to help make communication and
cooperation more efficient during a response.
e. Provide the Forest Service CIRT with access to scanning, diagnostic, or other tools
sufficient to determine whether or not a security threat has been eliminated or reduced
to an acceptable level of risk or with immediate access to those tools.
7. Develop and document response protocols, including the ability to enlist incident
response support resources, as part of the distributed, Forest Service-wide incident
response capability within an incident response plan which includes, but is not limited to:
a. Procedures for reporting security incidents to the Forest Service CIRT.
b. Expected response time for receiving and responding to security alerts, advisories,
and incident reports.
c. Guidelines for rating incident severity and prioritizing multiple incidents.
d. Mechanisms for monitoring and tracking security incidents from initial report
through resolution and for reporting incident handling and follow-up actions.
e. Automated mechanisms and guidelines for sharing incident-related information
with appropriate entities including, but not necessarily limited to:
(1) Owners of connected and interconnected systems,
(2) U.S. Computer Emergency Readiness Team (U.S. CERT) (via USDA),
(3) Forest Service Law Enforcement and Investigations personnel, and
(4) Other law enforcement agencies.
f. Procedures for analyzing and modifying, as necessary, incident handling
procedures and control techniques based on lessons learned from an incident
response.
g. Procedures and guidelines for maintaining incident related documentation required
by law, regulation, or policy.
8. Update the IRP as the nature and scope of security threats change.
9. Coordinate incident handling with contingency planning activities.
10. Distribute copies of the IRP to the key personnel as defined in the IRP in accordance
with USDA requirements.
6683.72 - Incident Response Training and Testing
1. Train all users, Managers, and others involved with Forest Service information
systems on how to identify and report security incidents or suspicious activity.
2. Provide annual role-based training in accordance with USDA requirements to all
individuals with IR responsibilities.
3. Test and exercise the IRPs at least annually in accordance with USDA requirements or
after significant system changes to ensure the plans are executable; develop and maintain
response testing procedures and protocols.
4. Conduct tests using Forest Service defined tests and/or exercises in order to determine
the plan’s effectiveness and the Forest Service’s readiness to execute the plan. Tests to
be performed are functional tests and simulated security incidents in accordance with
USDA requirements.
5. Coordinate IRP testing with other Forest Service elements with responsibilities related
to IRPs.
6. Document and review IRP test/exercise results and initiate corrective actions to
include correcting any deficiencies found during testing.
6683.8 - System and Services Acquisition
1. Develop, disseminate, and provide an overall System and Services Acquisition policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
system and services acquisition controls. These procedures are to be reviewed and
updated annually in accordance with USDA requirements.
6683.8a - Allocation of Resources
1. Include a determination of information security requirements for the information
system in mission/business process planning.
2. Determine, document, and allocate the resources required to protect the information
system as part of the Forest Service’s capital planning and investment control process.
3. Establish a discrete line item for information security in organizational programming
and budgeting documentation.
6683.8b - Acquisitions
The Forest Service includes the following requirements and/or specifications, explicitly or by
reference, in information system acquisition contracts based on an assessment of risk and in
accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, and
standards:
1. Security functional requirements and specifications.
2. Security-related documentation requirements.
3. Developmental and evaluation-related assurance requirements.
4. The requirement that vendors/contractors provide information describing the
functional properties of the security controls to be employed within the information
system, information system components, or information system services in sufficient
detail to permit analysis and testing of the controls.
5. The requirement that each information system component acquired is explicitly
assigned to an information system, and that the owner of the system acknowledges this
assignment.
6683.9 - Security Engineering Principles
The Forest Service will apply information system security engineering principles in the
specification, design, development, implementation, and modification of the information system.
6683.91 - External Information System Services
1. Require providers of external information system services to comply with Forest
Service information security requirements and employ appropriate security controls in
accordance with the applicable laws, Executive Orders, directives, policies, regulations,
standards, and guidance.
2. Define and document government oversight and user roles and responsibilities with
regard to external information system services.
3. Monitor security control compliance by external service providers.
6683.91a - Developer Configuration Management
The Forest Service will require that information system developers/integrators:
1. Perform configuration management during information system design, development,
implementation, and operation,
2. Manage and control changes to the information system,
3. Implement only organization-approved changes,
4. Document approved changes to the information system, and
5. Track security flaws and flaw resolution.
6683.91b - Developer Security Testing
The Forest Service requires that information system developers/integrators, in consultation with
associated security personnel (including security engineers):
1. Implement a security test and evaluation plan;
2. Implement a verifiable flaw remediation process to correct weaknesses and
deficiencies identified during the security testing and evaluation process; and
3. Document the results of the security testing/evaluation and flaw remediation
processes.
6683.91c - System and Information Integrity
The Forest Service will:
1. Develop, disseminate, and provide a System and Information Integrity policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
system and information integrity controls. These procedures are to be updated annually
in accordance with USDA requirements.
a. Develop and implement controls and procedures for flaw remediation, malicious
code, spam, and spyware protection; intrusion detection; and security alerts in
accordance with sections 6683.43b, 6683.94, 6684.3 and USDA and NIST policy and
regulations.
See exhibit 01 for system integrity controls on all information systems.
b. Review procedures and controls during annual security assessments.
(See FSM 6682.07a)
6683.91c - Exhibit 01
System Integrity Controls on All Information Systems
1. Implement IDS, and malicious code detection and elimination software.
2. Implement reconciliation routines on systems that support this capability (that is,
checksums, hash totals, record counts).
3. Periodically confirm the integrity of system controls using password crackers and
checkers.
4. Confirm the integrity of system boundary protections from external attack(s) using
periodic system penetration testing.
5. Use message authentication in systems that support this capability to ensure that the
sender of a message is known and that the message has not been altered during
transmission.
6. Use encryption methods specified in DM 3530-005 Security Encryption Standards to
protect information transferred over any private information carrier to and from USDA
network access points.
7. Encrypt Sensitive but Unclassified (SBU) information before it leaves the Forest
Service network over an external connection.
8. If an information system breach is suspected, use integrity verification programs to
look for evidence of information tampering, errors, and omissions.
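The following added example is not part of the Forest Service Manual; it shows what item 5 of exhibit 01, message authentication, looks like in working code. A sender and receiver that share a key compute an HMAC-SHA256 tag over the sender identity, a timestamp, and the message body; the receiver rejects stale messages, then checks the tag with a constant-time comparison, so it learns both who sent the message and that nothing in it was altered. The key value, the station names, the message text, and the 5-minute acceptance window are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import time

# Illustrative shared key and acceptance window; both are assumptions for this
# example. A real key is provisioned out of band and managed under the agency's
# key management procedures (see 6684.04c, item 15).
SHARED_KEY = b"example-shared-key-replace-me"
MAX_SKEW_SECONDS = 300


def _canonical(sender: str, timestamp: int, body: bytes) -> bytes:
    """Bind sender and timestamp to the body under one tag.

    Length-prefixing the header stops an attacker from shifting bytes between
    header and body while keeping the same concatenation.
    """
    header = json.dumps({"sender": sender, "ts": timestamp}, sort_keys=True).encode()
    return len(header).to_bytes(4, "big") + header + body


def sign_message(key: bytes, sender: str, body: bytes, timestamp: int) -> dict:
    """Produce a transmittable message carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(sender, timestamp, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "ts": timestamp, "body": body.hex(), "mac": tag}


def verify_message(key: bytes, msg: dict, now: int) -> tuple:
    """Return (True, sender) if the tag is valid and fresh, else (False, reason).

    The freshness check runs first so that a replayed message is rejected
    without revealing whether its tag would otherwise have verified.
    """
    try:
        sender = str(msg["sender"])
        ts = int(msg["ts"])
        body = bytes.fromhex(msg["body"])
        mac = str(msg["mac"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed message"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"
    expected = hmac.new(key, _canonical(sender, ts, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time; a plain == would leak timing information
    if not hmac.compare_digest(expected, mac):
        return False, "MAC mismatch: altered message or wrong key"
    return True, sender


if __name__ == "__main__":
    now = int(time.time())
    msg = sign_message(SHARED_KEY, "fs-station-12", b"fire weather update: RH 14%", now)
    print(verify_message(SHARED_KEY, msg, now))
    # Alter one character of the body; the tag no longer verifies.
    tampered = dict(msg, body=b"fire weather update: RH 41%".hex())
    print(verify_message(SHARED_KEY, tampered, now))
```

An HMAC proves origin and integrity only among parties that hold the key; either holder could have produced the tag, so it gives no non-repudiation. The timestamp window bounds replay but does not eliminate it: a receiver that must reject duplicates within the window also has to remember the tags it has already accepted.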
6683.92 - Flaw Remediation
1. Promptly install or apply security updates to correct software flaws and vulnerabilities
in accordance with Forest Service configuration management (CM) and emergency
change policy.
2. Centralize and automate flaw remediation to the extent possible. Determine with
automated mechanisms the state of information system component flaw remediation
monthly in accordance with USDA requirements.
3. Test software updates, patches, fixes, or similar corrective updates for effectiveness
and potential side effects before applying them.
4. Devise a patch back-out plan in case installing the vulnerability or weakness
mitigation results in an information system failure or degradation.
5. Use available automated tools to check the status of flaw remediation at least
quarterly.
6683.93 - Malicious Code Protection and Spam Control
1. Employ, and automatically update on a regular basis, malicious code protection
mechanisms on Forest Service information systems (primarily at network entry and exit
points and on workstations, servers, and mobile computing devices) to detect and
eradicate malicious code (for example, viruses, worms, and Trojan horses) that is:
a. Transported by electronic mail, electronic mail attachments, web accesses,
removable media, or other common means, or
b. Inserted through the exploitation of information system vulnerabilities.
2. Ensure that, when detected, malicious code will be quarantined and blocked and a
notification will be sent to the System Administrator in accordance with USDA
requirements.
3. Configure malicious code protection mechanisms to perform weekly scans of the
information system in accordance with USDA requirements and to send an alert to a
System Administrator in response to malicious code detection.
4. Employ, maintain, and periodically and automatically update spam and spyware
protection mechanisms at critical information system entry and exit points and
workstations, servers, or mobile computing devices on the network to detect unsolicited
messages transported by electronic mail, electronic mail attachments, web accesses, or
other common means in accordance with NIST SP 800-53 guidance.
5. Ensure action is taken on unsolicited messages transported by electronic mail,
electronic mail attachments, web accesses, or other common means in accordance with
NIST SP 800-53 guidance.
6. Provide for centrally managed malicious code protection.
7. Have the System Administrator determine whether a malicious code detection is a
false positive and, if so, its impact on the system.
8. Ensure adequate security for malicious code protection so that non-privileged users
cannot circumvent the controls.
6683.94 - Information System Monitoring
1. Identify types of activities or conditions considered unusual or unauthorized.
2. Maintain a documented list of approved tools and use only approved tools.
3. Monitor inbound and outbound communications for activities and conditions
identified as unusual or unauthorized in accordance with NIST SP 800-61, NIST
SP 800-83, NIST SP 800-92, NIST SP 800-94, and USDA guidance. This monitoring
will occur:
a. At strategic points within the information system to collect information
system-determined essential information.
b. At ad hoc locations within the system to track specific types of transactions of
interest to the organization.
4. Respond as appropriate to any real or perceived threat disclosed by monitoring
activities.
5. Identify unauthorized use of the information system.
6. Deploy monitoring devices and capabilities to collect essential information necessary
to monitor the information system to detect information system attacks and unauthorized
use. Employ near real-time alerts via the use of automated tools when indications of
compromise or potential compromise occur, as defined by US-CERT, in accordance with
USDA requirements.
7. Heighten the level of information system monitoring activity whenever there is an
indication of increased risk to Forest Service operations and assets, individuals, other
organizations, or the Nation based on law enforcement information, intelligence
information, or other credible sources.
8. Obtain legal opinion with regard to information system monitoring activities in
accordance with applicable Federal laws, Executive Orders, directives, policies, or
regulations.
9. Ensure the information system prevents non-privileged users from circumventing
intrusion detection and prevention capabilities.
6683.95 - Security Alerts and Advisories
1. Subscribe to reliable alert and advisory sources.
2. Review security alerts and advisories as they are received.
3. Implement applicable alerts and advisories in accordance with established time
frames, and document actions taken. As directed, notify issuing organization of the
degree of compliance.
4. Generate internal security alerts, advisories, and directives as deemed necessary.
5. Receive and disseminate security alerts, advisories, and directives to the CIO, the
ISSPM, ISSOs, Network and System Administrators, and other Agency-designated
individuals with security roles or responsibilities.
6683.96 - Software and Information Integrity
1. Ensure that information systems detect unauthorized changes to software and
information.
2. Ensure that the information system reassesses the integrity of software and
information by performing quarterly integrity scans in accordance with USDA
requirements.
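The following added example is not part of the Forest Service Manual. It implements the reconciliation routines of exhibit 01 item 2 (per-file checksums, a hash total, and a record count) and the integrity scan of section 6683.96 over a directory tree: it records a baseline, then rescans and reports every file that was modified, deleted, or added. The sample tree and the tampering are constructed inside the example, in a temporary directory; nothing about any Forest Service system is assumed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Per-file digests plus two reconciliation values: a record count and a
    hash total computed over the sorted listing of names and digests."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    listing = "\n".join(f"{name} {digest}" for name, digest in sorted(files.items()))
    return {
        "record_count": len(files),
        "hash_total": hashlib.sha256(listing.encode()).hexdigest(),
        "files": files,
    }


def integrity_scan(root: Path, baseline: dict) -> dict:
    """Rescan the tree and classify every difference from the stored baseline."""
    current = build_baseline(root)
    old, new = baseline["files"], current["files"]
    return {
        "record_count_ok": current["record_count"] == baseline["record_count"],
        "hash_total_ok": current["hash_total"] == baseline["hash_total"],
        "modified": sorted(n for n in old if n in new and old[n] != new[n]),
        "missing": sorted(n for n in old if n not in new),
        "added": sorted(n for n in new if n not in old),
    }


def demo() -> dict:
    """Constructed sample: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "report.sh").write_bytes(b"#!/bin/sh\necho report\n")
        (root / "service.conf").write_text("listen=127.0.0.1\n")
        baseline = build_baseline(root)
        # Three kinds of unauthorized change: an edit, a deletion, an addition.
        (root / "bin" / "report.sh").write_bytes(b"#!/bin/sh\necho report\n# appended line\n")
        (root / "service.conf").unlink()
        (root / "bin" / ".cache").write_bytes(b"\x7fELF")
        return integrity_scan(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sample deliberately deletes one file and adds another: the record count still matches, which is why item 2 lists checksums and hash totals alongside record counts rather than relying on counts alone. The baseline is only as trustworthy as its storage. Keep it off the scanned host or on the write-once media that section 6684.04g item 10 calls for, and re-baseline only through the change process in section 6683.92; otherwise whoever can alter a file can alter the baseline with it.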
6683.97 - Information Input Restrictions
1. Configure information systems to allow input only by authorized personnel.
2. Based on specific operation/project responsibilities, define roles that are authorized to
extend typical access controls (see sec. 6684.2) to input information. Include limitations
based on specific operation/project responsibilities. Document the roles and
responsibilities in the SSP.
3. Develop and implement procedures for input restrictions that enforce the extended
access, if any, to roles authorized and documented in the SSP.
4. Document, in the SSP, system-level access controls to protect information stored
locally in the application. Assign system access in accordance with the least privilege
requirement.
5. Design and configure system-level access controls to protect information, assigning
write and delete privileges only to authorized, privileged users.
6683.98 - Information Input Validation
1. Design the system to check information for validity as close to the point of
information input as possible, in accordance with organizational policy and operational
requirements.
2. Design the system to prescreen inputs to ensure the content is not unintentionally
interpreted as commands.
3. Design the system to employ rules for checking the valid syntax of information system
inputs (for example, character set, length, numerical range, acceptable values) to ensure
that inputs match specified definitions for format and content.
4. Configure Web server applications to reject invalid input from Web clients in order
to mitigate Web application vulnerabilities such as buffer overflow, cross-site
scripting, null byte attacks, SQL injection attacks, and Hypertext Transfer Protocol
(HTTP) or HTTP header manipulation.
5. Ensure invalid inputs or error statements do not give the user sensitive information,
storage locations, database names, or information about the application or IT system’s
architecture.
6683.98a - Error Handling
1. Design systems to identify and handle error conditions in an expeditious manner.
Error messages provide timely and useful information without providing information that
could be exploited by adversaries.
2. Reveal error messages only to authorized personnel.
3. Develop error messages and/or associated administrative messages and error logs so
that they do not contain sensitive information (for example, account numbers, social
security numbers, and credit card numbers).
4. Ensure the information system identifies potentially security-relevant error conditions
and generates error messages that provide information necessary for corrective actions
without providing information that could be exploited by adversaries.
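The following added example is not part of the Forest Service Manual. It puts sections 6683.98 and 6683.98a into one request handler: every field is checked against an allow-list rule (character set, length, numeric range) as close to the input as possible, unknown fields are rejected, and when the back end fails the client receives only a generic message and a correlation reference while the exception detail goes to the server log. The form fields, their rules, and the failing data-access callable are constructed for the illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("fs.example")

# Assumed field rules for an illustrative lookup form. Each rule is an allow
# list (character set, length, numeric range), as 6683.98 item 3 calls for.
FIELD_RULES = {
    "sale_id":  {"pattern": re.compile(r"[A-Z0-9-]{1,20}")},
    "district": {"pattern": re.compile(r"[A-Za-z .'-]{1,40}")},
    "acres":    {"min": 1, "max": 100_000},
}


class ValidationError(ValueError):
    """Raised with a message that describes the input, never the system."""


def validate(form: dict) -> dict:
    """Return a cleaned copy of form, or raise ValidationError.

    Unknown fields are rejected rather than ignored, and every value must match
    its rule in full (fullmatch), so a trailing newline or an appended payload
    cannot slip past a pattern anchored only at the start.
    """
    unexpected = sorted(set(form) - set(FIELD_RULES))
    if unexpected:
        raise ValidationError(f"unexpected field(s): {unexpected}")
    clean = {}
    for name, rule in FIELD_RULES.items():
        raw = form.get(name)
        if raw is None:
            raise ValidationError(f"{name}: required")
        if "pattern" in rule:
            if not isinstance(raw, str) or not rule["pattern"].fullmatch(raw):
                raise ValidationError(f"{name}: not in the allowed format")
            clean[name] = raw
        else:
            try:
                value = int(str(raw))
            except ValueError:
                raise ValidationError(f"{name}: must be a whole number") from None
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
            clean[name] = value
    return clean


def is_valid(form: dict) -> bool:
    try:
        validate(form)
        return True
    except ValidationError:
        return False


def handle_request(form: dict, query) -> tuple:
    """Validate, then run the injected data-access callable.

    On an internal failure the client gets a generic message plus a correlation
    reference; the exception detail goes only to the server log, which
    6683.98a reserves for authorized personnel.
    """
    try:
        params = validate(form)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    try:
        rows = query(params)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request %s failed", ref)
        return 500, {"error": "internal error", "ref": ref}
    return 200, {"rows": rows}


def failing_query(params: dict):
    """Constructed stand-in for a database call that fails with a message naming
    a schema object; that text must never reach the client."""
    raise RuntimeError("relation fs_sales.timber_sale does not exist")


if __name__ == "__main__":
    good = {"sale_id": "WR-2014-07", "district": "Winema", "acres": "350"}
    print(handle_request(good, lambda p: [{"sale_id": p["sale_id"], "acres": p["acres"]}]))
    print(handle_request(dict(good, sale_id="WR-2014-07' OR 1=1--"), failing_query))
    print(handle_request(good, failing_query))
```

The district rule allows an apostrophe so that real place names pass, which is exactly why allow-listing is not a substitute for the second half of section 6683.98 item 2: validation narrows what reaches the query, and a parameterized query keeps the data from being parsed as a command. The validation message is safe to return because it only repeats the rule the input broke; the 500 response carries a reference that lets an administrator find the full stack trace in the log without the client ever seeing a table or schema name.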
6683.99 - Information Output Handling and Retention
1. Handle and retain both information within and output from the information system in
accordance with applicable laws, Executive Orders, directives, policies, regulations,
standards, and operational requirements.
2. Label output from the information system in accordance with USDA DR 3440-2,
Control and Protection of Sensitive Security Information, when appropriate.
3. Handle output from the information system in accordance with:
a. Labeled or marked instructions on the output (including paper and digital media)
that includes, but is not limited to, special instructions for dissemination, distribution,
transport, or storage of information system output.
b. Direction in this policy and operational requirements/procedures.
4. Retain output from the information system in accordance with direction in FSM 6230,
Records Creation, Maintenance, and Disposition, and operational requirements/procedures.
6683.99a - Risk Assessment
1. Develop, disseminate, and provide an overall Risk Assessment policy.
2. Review, update, and approve the policy on an annual basis.
3. Address within the policy, the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
Risk Assessment controls.
6683.99b - Security Categorization
1. Categorize information and the information system in accordance with applicable
Federal laws, Executive Orders, directives, policies, regulations, standards, and
applicable guidance.
2. Document the security categorization results in the security plan for the information
system.
3. Ensure the security categorization is reviewed and approved by the Authorizing
Official or their representative.
6683.99c - Vulnerability Scanning
1. Scan for vulnerabilities in the information system and hosted applications monthly in
accordance with USDA policies and when new vulnerabilities that potentially may affect
the system and application are identified and reported.
2. Employ vulnerability scanning tools and techniques that promote interoperability
among tools and automate parts of the vulnerability management process by using
standards for:
a. Enumerating platforms, software flaws, and improper configurations (for
example, CPE, CVE, and CCE);
b. Formatting and making transparent checklists and test procedures (for example,
XCCDF and OVAL); and
c. Measuring vulnerability impact (for example, CVSS).
3. Analyze vulnerability scan reports and results from security control assessments.
4. Remediate legitimate vulnerabilities within the USDA-established time limits in
accordance with the Forest Service assessment of risk.
5. Share information obtained from the vulnerability scanning process across the Forest
Service to help eliminate similar vulnerabilities in other information systems.
6. Employ vulnerability scanning tools that include the capability to readily update the
list of vulnerabilities scanned.
6684 - TECHNICAL CONTROLS
6684.01 - Authority [Reserved]
6684.02 - Objective
The objective of technical security controls is to protect the confidentiality, integrity, and
availability of the information, information systems, and information technology (IT) that
support the Forest Service mission by:
1. Implementing safeguards which are executed by the operating system in the hardware,
software, or firmware components of information systems.
2. Ensuring that responsible employees are clearly and explicitly informed about
technical requirements and procedures within their realm of influence that secure IT
resources.
3. Providing an effective Forest Service response to technical security threats and
breaches.
6684.04 - Responsibility
6684.04a - Chief Information Officer
The Washington Office, Chief Information Officer is responsible for:
1. Ensuring that servers and other IT, including networks, have the appropriate level of
password protection.
2. Ensuring that all Forest Service IT personnel involved in implementing or maintaining
password and other access control requirements have the appropriate background
investigation or clearance, and that appropriate separation of duties is maintained.
3. Ensuring that formal procedures and practices for controlling access to Forest Service
information systems are in place and being followed.
4. Monitoring and protecting Forest Service IT and networks in accordance with the
direction of this directive.
5. Approving the use of wireless networks and associated wireless devices.
6. Providing the authority and responsibility for the usage of Voice over Internet
Protocol (VoIP) within the Forest Service.
7. Approving use of an Agency certificate authority or PKI service provider.
6684.04b - Information System Security Program Manager
The Agency Information System Security Program Manager (ISSPM) is responsible for:
1. Verifying the implementation of USDA’s C2 Level of Trust policy for Forest Service
information systems that process or maintain mission critical or sensitive
information. (See USDA DM 3535-001, referenced in section 6680.01f).
2. Reviewing Forest Service access policy at least annually and updating policy as
necessary to ensure compliance with legislative and regulatory requirements and with
industry best practices, where not in conflict.
3. Including password strength testing of randomly selected user accounts as part of the
ongoing Forest Service vulnerability assessment program.
4. Notifying users with inadequate or non-compliant passwords that they must
immediately change such passwords.
5. Ensuring that access to all Forest Service information systems is controlled in
accordance with this directive.
6. Ensuring that system owners review access rights of users of their systems, according
to the provisions of this directive.
7. Ensuring that security monitoring of the Forest Service IT infrastructure is occurring
and being performed according to the direction of this manual.
8. Conducting monthly reviews of security vulnerabilities identified by security
monitoring processes, including the presence of software identified as unauthorized,
prohibited, or malware, and coordinating remediation of these vulnerabilities, including
removal as appropriate, with those responsible for system administration or in possession
of affected systems.
9. Immediately, upon detection, notifying end users of the presence on computers they
possess or control of software identified as being:
a. Unauthorized, and requesting its removal or business justification for its continued
use.
b. Prohibited or malware and directing its removal.
10. Resolving disputes with end users regarding whether software identified as being
unauthorized serves a legitimate business purpose and should be granted approval to
operate.
11. Reviewing results of system monitoring processes (see sec. 6684.3) on a daily,
weekly, and monthly basis to detect suspicious or anomalous activity affecting the
security, performance, or availability of Forest Service systems and networks.
12. Investigating reports of alleged or suspected security violations and:
a. If indications make it immediately clear that the violation is accidental or
unintentional, either taking no action or if appropriate, issuing a non-disciplinary
instruction describing how to avoid such violations in the future.
b. If indications are that the violation is intentional, or it is not immediately clear it
was unintentional, reporting the violation in accordance with departmental and Forest
Service procedures regarding investigation of employee misconduct. Refer to USDA
Departmental Personnel Manual (DPM) 751, subchapter 3, and FSH 6109.41 for
procedures regarding investigation of employee misconduct.
13. Reporting alleged or suspected employee misconduct discovered during routine
system monitoring (see section 6684.3) in accordance with Departmental and Forest
Service procedures. Refer to USDA Departmental Personnel Manual (DPM) 751,
subchapter 3, and FSH 6109.41 for procedures regarding investigation of employee
misconduct.
14. Reporting alleged or suspected criminal activity discovered during routine system
monitoring (see sec. 6684.4) to LEI in accordance with Departmental and Agency
procedures (see FSM 5300).
15. Approving procedures, mechanisms, or protocols that are used for host or device
authentication.
16. Ensuring that IT devices are configured with synchronized internal information
system clocks.
17. Ensuring a common time source is available for IT systems to synchronize.
18. Ensuring separation of duties exists between information system personnel who
administer the access control function and those who administer the audit trail.
19. Developing procedures for preserving the integrity of audit logs that must be used
once an investigation is started or a potential incident is known.
20. Ensuring that Forest Service wireless access and WLAN are compliant with Federal
Regulations and Standards.
21. Reviewing and approving wireless technical requests and security plans.
22. Overseeing WLAN and wireless device security at the Forest Service, including:
a. Providing NIST, USDA, and Forest Service guidance to the CIO.
b. Establishing and periodically reviewing standards, processes, practices, and
policies for use and monitoring of Forest Service wireless devices and WLAN.
c. Periodically assessing Forest Service wireless technology risk and tracking
corrective actions to mitigate these risks.
d. Implementing the responsibilities identified in FSM 6640 Telecommunications for
wireless access control guidance.
23. Ensuring that all critical personnel are properly trained on the use and security of
wireless technology, per USDA Departmental Notice 3300-016, Commercial Wireless
Technologies.
24. Overseeing planning and implementation of PKI management is in keeping with
USDA policy 3530-003.
6684.04c - Information System Security Officers
Information System Security Officers (ISSOs) are responsible for:
1. Supporting the implementation of USDA’s C2 Level of Trust policy as requested by
the Forest Service ISSPM. (See USDA DM 3535-001, referenced in section 6680.01f).
2. Verifying that information system access is assigned appropriately.
3. Ensuring that user accounts are:
a. Current and accurate.
b. Created, modified, or deleted only when properly requested by a Supervisor or
other authorized person.
c. Configured to comply with section 6684.2.
d. Using the process explained in the system security plan or operations guide for the
individual information system.
4. Ensuring that sessions to IT systems are configured to automatically lock or terminate
after a specified period of inactivity in accordance with section 6684.2, or as specified in
the SSP if more restrictive.
5. Ensuring that the creation, modification, or deletion of user accounts and the access
granted to each account are documented using Forest Service provided forms, databases,
or other available methods.
6. Ensuring that system users are informed of initial or reset passwords or other
authenticators according to the provisions of this directive.
7. Informing all system users and their Supervisors of any system specific or unique
requirements regarding password expiration periods and procedures when they are
requesting additions, modifications, or deletions of access rights.
8. Reviewing access rights for all system users, including external cooperators and
outside contractors, for need, appropriateness, and compliance with this directive, as
specified by the system security plan, but at least annually.
9. Ensuring that operations resulting in the archiving, deletion, or sharing of an
information system’s information do not violate the integrity of the security controls
applicable to the information as determined by the information system’s security plan.
10. Reconciling discrepancies between system users and their access by adding,
removing, or changing accounts as required.
11. Immediately reporting evidence of suspected or alleged employee security violations
detected during system operation to the Agency’s Computer Incident Response Team
(CIRT).
12. Immediately reporting evidence of suspected or alleged employee misconduct
detected during system operation to appropriate authorities in accordance with
Departmental and Forest Service procedures. Refer to USDA Department Personnel
Manual (DPM) 751, subchapter 3, and Forest Service Handbook (FSH) 6109.41 for
procedures regarding investigation of employee misconduct.
13. Immediately reporting alleged or suspected criminal activity discovered during
routine system monitoring (see sec. 6684.3) to LEI in accordance with Departmental and
Agency procedures (see FSM 5300).
14. Supporting the implementation of device identification and authentication in
accordance with section 6684.5.
15. Documenting a mechanism, either automated or manual, for managing all
cryptographic keys.
16. Ensuring that a default audit configuration setting is specified in the SSP and
configured on the information systems to handle audit processing failures.
17. Ensuring the system is designed and configured to protect against Denial of Service
(DoS) attacks and maintaining a list of appropriate patches to protect against
vulnerabilities.
6684.04d - Supervisors
Supervisors requesting access to information systems on behalf of their employees, contractors,
and cooperators, shall follow the procedures of the system security plan and/or operations guide
and are responsible for:
1. Requesting system access using the process referenced in the system security plan or
operations guide for the individual information system and verifying that the level of
access requested is the minimum necessary for the individual to accomplish assigned
tasks.
2. Requesting transfer or termination of system access when an employee transfers or
leaves the Forest Service.
3. Requesting immediate termination of system access in cases of termination for cause.
4. Requesting modification of system access when a change of duties to a position
necessitates a change in the employee’s access rights.
5. Holding employees accountable for removal of software identified as being
prohibited, unauthorized, or malicious software (malware) from Forest Service computers
in their possession or under their control, and for which direction has been issued by the
ISSPM requiring its removal.
6. Assisting in the resolution of disputes between employees and the ISSPM over
whether software on end user computers identified as being unauthorized serves a
legitimate business purpose.
7. Immediately reporting suspected or alleged IT-related security violations, misconduct,
or criminal activity to the information System Security Officer or the Agency CIRT.
6684.04e - End Users
Information system end users are responsible for:
1. Selecting and changing passwords or other authenticators in accordance with
section 6684.1 and the security plan or operations guide for the information system they
are accessing.
2. Reporting any known or suspected password or other authenticator compromise or
loss to the Agency CIRT, their supervisor or Contracting Officer, and the appropriate
management officials identified in the system’s operations guide.
3. Changing any password or other authenticator as required by section 6684.1 or
immediately upon suspicion or detection of its compromise.
4. Maintaining and using a separate system account and password for any privileged
access to systems or applications that they are given.
5. Notifying their Supervisor of any instance in which they do not have the necessary
access rights to an application or system to perform the official duties of their position.
6. Acknowledging receipt of direction from the ISSPM to remove software identified as
being unauthorized, prohibited, or malware, and after such acknowledgment, removing or
requesting assistance through the Customer Help Desk (CHD) to remove such software
from Forest Service-owned desktop and laptop computers in their possession or control.
a. Within 1 week for unauthorized software.
b. Immediately for prohibited software or malware.
7. Immediately reporting suspected or alleged IT related security violations, misconduct,
or criminal activity to their Supervisor or the Agency CIRT.
6684.04f - System Administrators
System Administrators are responsible for:
1. Maintaining and using a separate user account and password for system administration
or other privileged system or application access.
2. Ensuring that server system logs are configured, maintained, and available for review
by authorized individuals, according to the direction in this manual.
3. Processing requests to create, modify, or delete accounts on Forest Service
information systems when requested by a Supervisor or other authorized person, using
the process required by the system security plan or operations guide.
4. Ensuring that routine system monitoring processes (see sec. 6684.3) are operational.
5. Immediately reporting evidence of suspected or alleged employee security violations
detected during system operation or monitoring to the Agency CIRT.
6. Immediately reporting evidence of suspected or alleged employee misconduct
detected during system operation or monitoring to appropriate authorities in accordance
with departmental and Forest Service procedures. Refer to USDA DPM 751, subchapter
3, and FSH 6109.41 for procedures regarding investigation of employee misconduct.
7. Immediately reporting alleged or suspected criminal activity to LEI in accordance
with Departmental and Agency procedures (see FSM 5300).
8. Configuring password protected systems or devices to lock user accounts
automatically in accordance with section 6684.2, or as specified in the SSP, if more
restrictive.
9. If possible, configuring all BlackBerry or similar personal electronic devices to
automatically wipe (destroy) all information held on the device after 10 unsuccessful
login attempts.
10. Remotely wiping (destroying) all information held on Blackberry, Windows Mobile,
Palm, or other personal electronic devices that are reported as lost or stolen, to the extent
possible.
11. Configuring laptop, desktop, or handheld computing or personal electronic devices
containing corporate information to automatically lock or terminate an active session
after a period of inactivity as specified in section 6684, by the ISSPM, or in the system
security plan.
12. Configuring password protected systems or devices to comply with sections 6684.11
and 6684.12.
13. Configuring information systems to prevent the unauthorized transfer of shared
system resources.
14. Ensuring that all information storage devices have been rendered unreadable prior to
disposal.
15. Implementing C2 Level of Trust controls and configurations on the information
system (USDA DM 3535).
16. Assisting with the system account review process.
17. Implementing security controls regarding remote access as defined by the SSP.
6684.04g - System Owners
System owners are responsible for:
1. Determining the sensitivity of the information processed by or contained in the
systems, programs, or files for which they are responsible.
2. Determining the security categories of the systems, programs or files for which they
are responsible, as described in NIST FIPS Publication 199, “Standards for Security
Categorization of Federal Information and Information Systems.”
3. Determining which additional auditing information will be collected, based on the
security categories of the systems for which they are responsible.
4. Ensuring only ISSPM approved procedures, mechanisms, or protocols are used for
host or device authentication.
5. Documenting in the SSP all procedures, mechanisms, or protocols utilized.
6. Ensuring that the Forest Service information system generates time stamps for use in
audit record generation.
7. Utilizing a common time source to ensure the enterprise IT system clocks are
synchronized.
8. Ensuring that audit trails and audit logs are protected from unauthorized modification,
access, or destruction while online and during offline storage.
9. Ensuring that privileges to disable auditing are restricted to authorized personnel.
10. Ensuring that hard copies or unalterable media of information system audit logs, such as
Digital Versatile Discs (DVDs) or write-once media, are retained so they can be used to
reconcile electronic versions and prevent alteration of the original data.
11. Ensuring that audit logs, including system, application, and database-level audit logs,
are retained for 1 fiscal year to support after-the-fact investigations of IT security
incidents and to meet regulatory and organizational information retention requirements.
12. Determining how long audit logs should be maintained and archived to support
after-the-fact investigations of IT security incidents and to meet departmental and
National Archives and Records Administration (NARA) retention periods.
13. Maintaining SSP documentation regarding wireless devices and systems under their
control.
14. Approving user roles and the associated privileges/permissions for the systems they
are accountable for.
15. Overseeing the system account review process.
6684.04h - Information Owners
Information owners are responsible for:
1. Identifying and safeguarding sensitive and personally identifiable information.
2. Ensuring the identification of appropriate security controls pertaining to information
for publicly accessible system components.
3. Providing input in coordination with the system owners regarding the security
requirements and security controls for the information system(s) where the information
resides.
6684.04i - Account Requesters
Account requesters and Forest Service employees are responsible for reviewing requested system
access to information systems at least annually using the process referenced in the SSP or when
requested by the system owner or ISSPM.
6684.04j - Generic System Access Account Managers
Generic system access account managers are responsible for:
1. Requesting the generic access account from their Supervisor.
2. Assigning one (and only one) user to the specific account at a time.
3. Changing account passwords prior to assignment and after assignment.
4. Limiting system access when the account is not assigned to an individual.
5. Documenting who has access to the account and when.
6. Ensuring that users conform to applicable policies and procedures.
7. Monitoring the actions performed by those persons using these accounts.
6684.04k - Account Sponsors
Account Sponsors are Forest Service employees requesting access to Forest Service information
systems on behalf of their volunteers, cooperators, and contractors. Account Sponsors shall
follow the procedures of the CIO centralized Account Management program, system security
plan and/or operations guide and are responsible for:
1. Requesting system access using the process referenced in the system security plan or
operations guide for the individual information system and verifying that the level of
access requested is the minimum necessary for the individual to accomplish assigned
tasks.
2. Requesting transfer or termination of system access when a volunteer, cooperator, or
contractor transfers or leaves the Forest Service.
3. Requesting immediate termination of system access in cases of termination for cause.
4. Requesting modification of system access when a change of duties to a position
necessitates a change in the volunteer, cooperator, or contractor’s access needs.
5. Holding volunteers, cooperators, and contractors under their responsibility
accountable for removal of software identified as being prohibited, unauthorized, or
malicious software (malware) from Forest Service computers in their possession or under
their control, and for which direction has been issued by the ISSPM requiring its removal.
6. Assisting in the resolution of disputes between volunteers, cooperators, and/or
contractors under their responsibility and the ISSPM over whether software on end user
computers identified as being unauthorized serves a legitimate business purpose.
7. Immediately reporting suspected or alleged IT-related security violations, misconduct,
or criminal activity to the Information System Security Officer or the Forest Service
CIRT.
8. Ensuring that volunteers, cooperators, and contractors under their responsibility are
notified of all Forest Service information security responsibilities and formally accept
those responsibilities before gaining access to any Forest Service information system.
9. Ensuring that volunteers, cooperators, and contractors under their responsibility
undergo required personnel screening commensurate with their assigned responsibilities
in accordance with sections 6683.22 and 6683.23.
10. Entering and maintaining relationship information on behalf of volunteers,
cooperators, and contractors under their responsibility into the USDA Non-Employee
Information System in accordance with established Forest Service Centralized Account
Management (CAM) procedures.
6684.1 - Password Management
6684.11 - Password Procedures
For all password-protected Forest Service information technology (IT) resources:
1. Require all users to:
a. Select, protect, and manage passwords in accordance with section 6684.1,
including the password content requirements of section 6684.12.
b. Report any known or suspected loss or compromise of a password immediately to
the Agency Computer Incident Response Team (CIRT) and the employee’s
Supervisor or the contractor’s Contracting Officer.
c. Change their passwords immediately if compromised, suspected of being
compromised, or if instructed to do so by the ISSPM or CIRT.
d. Immediately report any lost or stolen password protected IT device in accordance
with section 6683.23f.
2. Require privileged users to:
a. Maintain and use separate accounts and associated passwords for privileged and
non-privileged access to IT systems and devices.
b. Change their privileged account passwords in accordance with Departmental
direction.
3. Require non-privileged users (those without administrative access to systems, devices,
or applications) to change their account passwords in accordance with Departmental
direction.
4. Require users of BlackBerry or similar mobile electronic devices to change their
password in accordance with Departmental direction.
5. Issue generic or group passwords only pursuant to waivers granted by the USDA
Office of the Chief Information Officer (OCIO) as described in DM 3535-001 section
3.a.(1).
6. Immediately change default, vendor issued, or manufacturer issued passwords during
initial software installation and during software system maintenance as required.
7. Immediately change passwords upon initial activation or access of a new system,
program, account, or device if the initial account setup does not automatically force the
user to create or change passwords.
8. Communicate or distribute passwords in such a way that only the intended user may
see or obtain the password, such as through encrypted electronic mail or secured surface
mail. Do not distribute passwords through unencrypted electronic mail or by voice mail.
9. If it is necessary to keep a written record of a password, either on paper or in an
electronic file:
a. Store the record so it is accessible only by the user, such as in a locked container
or as an encrypted file.
b. Protect the stored record to the level of security required by the type of
information the password protects.
10. Restrict access to system level files containing passwords to those individuals who
are authorized to manage or administer the information system, and who require access to
such files in the performance of their official duties.
11. Do not share passwords except in emergency circumstances or when there is an
overriding operational necessity.
a. After the necessity for sharing has ended, immediately inform the applicable
Information System Security Officer (ISSO) and request that the shared password be
reset.
b. Inform the user of the reset password as directed in paragraph 8 of this section.
c. Where authority must be delegated by one individual to another, and the delegate
requires additional information system access rights to exercise the delegated
authority, use the delegation facilities within applicable systems or applications or
request temporary access rights in accordance with system operating procedures. Do
not share passwords with the delegate.
12. All passwords must NOT be:
a. Reused until after the password has been changed at least 5 times.
b. Sample passwords published in various locations such as on the Internet and in
text books.
c. Stored in or by a program, such as the “Remember Password” feature supplied by
browser and dialing software, except for Forest Service provided, single sign on
systems, such as the HRM Dashboard.
d. Readable during the authentication process (that is, passwords and other
authenticators must be obscured from possible view and exploitation by unauthorized
individuals).
6684.12 - Password Content Requirements
Follow organizationally defined password requirements in accordance with USDA password
formation rules.
6684.2 - Access Controls
1. Document and disseminate the specific procedures and practices for requesting,
granting, and controlling logical access to each Forest Service information system,
including general support systems in the system operations guide. Include procedures for
adding, modifying, and deleting that access. The Forest Service shall annually review
and update these procedures and practices.
2. Develop and disseminate a formal, documented identification and authentication
policy that addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance. This policy will be
reviewed and/or updated on an annual basis.
3. Allow logical access to Forest Service information systems only with user
identification and authentication, except for systems intended for public access, such as
web based applications delivering general information approved for distribution to the
public.
a. For each user, issue a unique user account which verifies the user’s identity.
b. Only appropriate Forest Service officials may issue user accounts, including but
not limited to eAuthentication passwords, RSA tokens, and other types of hardware-type
access devices, after the Supervisor has established the identity of the user.
c. Deactivate user accounts after the period of inactivity documented in section
6684.21. Deactivate user identifiers if the user no longer requires access to the
system due to a change in job responsibility or termination of employment, unless an
extension has been granted by the ISSO. Deactivate accounts no later than close of
business on the next business day following the date of departure. Archive
information associated with inactive user identifiers until the account is finally
deleted.
d. Manage authenticator devices used to access information systems, including, but
not limited to, tokens, PKI certificates, passwords, and key cards. In accordance with
USDA requirements, employ secure 2-factor authentication mechanisms for network
access to non-privileged accounts and for local access to privileged accounts, in
accordance with USDA policy and capabilities. Non-local access to privileged
accounts employs replay-resistant authentication mechanisms in accordance with
NIST SP 800-53 guidance.
e. For PKI authentication, the information system:
(1) Validates certificates by constructing a certification path with status information
to an accepted trust anchor;
(2) Enforces authorized access to the corresponding private key; and
(3) Maps the authenticated identity to the user account.
f. Develop procedures for authenticator distribution, dealing with lost, compromised,
or damaged authenticators, for revoking authenticators, changing default
authenticators upon information system installation, and for changing/refreshing
authenticators every 90 days for a general user and every 60 days for an
Administrator, and prohibiting password reuse for 24 generations.
g. In accordance with USDA requirements, take reasonable measures to safeguard
authenticators from unauthorized disclosure and modification, including, but not
limited to: maintaining possession of authenticators, not loaning or sharing
authenticators with others, and reporting lost or compromised authenticators in a
timely manner.
h. Do not reuse user identifiers within the same system.
i. Supervisors will notify account managers when temporary accounts are no longer
required, when information systems users are terminated or transferred, or when
changes are made to a user’s information system usage, need-to-know, or need-to-share.
4. Grant access to Forest Service information systems, including any general support
system, under the following conditions.
a. The requested access is based on the intended system use and on a valid need-to-know basis, determined by assigned official duties.
b. All personnel security screening criteria have been satisfied, including execution
of any user security agreements or statements required by section 6683.23.
c. Access is properly requested through the required procedures in the information
system operations guide or the SSP.
d. Verify the identity of the person to whom the access will be granted.
5. For privileged users, grant and require use of separate accounts and associated
passwords for privileged and non-privileged access to IT systems and devices. Privileged
accounts should not allow direct access to the internet or email.
6. Comply with separation of duty requirements (sec. 6683.21) when granting system
access and associated privileges.
7. Immediately remove, disable, or otherwise secure unnecessary or inactive accounts.
8. In accordance with NIST SP 800-53 guidance, before granting access to users,
configure all password-protected information systems to display the approved system use
notification warning banner stating the following:
a. Users are accessing a U.S. Government information system;
b. System usage may be monitored, recorded, and subject to audit; and
c. Unauthorized use of the system is prohibited and subject to criminal and civil
penalties, and use of the system indicates consent to monitoring and recording.
9. Retain the notification message or banner on the screen until users take explicit
actions to log on to or further access the information system.
10. In accordance with USDA requirements, configure all password-protected IT
resources to automatically lock user accounts after five failed logon attempts within
15 minutes, until released by an Administrator and/or with the next logon prompt delayed
for a minimum of 15 minutes. Exceptions or deviations from this lockout process and
lockout time duration must be approved by the ISSPM and documented in the SSP along
with the accompanying compensating control.
11. When no interaction occurs between a user and an information system for a period in
excess of the inactivity time limit specified in the system’s security plan, ensure that the
information system either:
a. Locks the session so that users must re-enter their passwords to resume the session; or
b. Terminates the session, requiring users to log back into the application.
12. When no interaction occurs between a user and the user’s computer or workstation
(desktop or laptop) for a period of time not to exceed 15 minutes, ensure that the
computer’s operating system invokes a screen saver that requires the user to re-enter their
password to regain access to the computer.
13. Configure all BlackBerry or similar mobile devices to automatically wipe (destroy) all
information held on the device after 10 unsuccessful login attempts, if possible.
14. When no interaction occurs between a user and the user’s BlackBerry, Windows
Mobile, Palm, or other personal digital assistant (PDA) or personal electronic device
(PED) for a period of time not to exceed 30 minutes, if the PDA or PED contains Forest
Service corporate information (including email) and can be password protected, ensure
that the PDA or PED’s operating system requires the user to re-enter their password to
regain access to the corporate information stored in the device.
15. Remotely wipe (destroy) all information held on personal electronic devices such as
BlackBerries, Windows Mobile, Palms, or others as soon as possible after they are
reported as lost or stolen, to the extent possible.
16. Allow remote access to Forest Service information systems only through Forest
Service controlled Virtual Private Network (VPN) and portal facilities located in the
Forest Service DMZ, or equivalent trusted authentication devices or procedures.
17. Allow access through wireless connections in accordance with Departmental policy
and FSM 6640. The information system will protect wireless access to the system using
authentication and encryption.
18. Whenever feasible, isolate systems used for testing (test systems) and systems used
for development (development systems) so that they run on separate servers and
mainframes from those hosting production systems. When it is infeasible to separate test
environments and development environments from production environments, and they
must run on the same host, implement logical and procedural controls to prevent test and
development activities from affecting the supporting production environment.
19. Ensure that operations resulting in the archiving, deletion, or sharing of an
information system’s information are performed only by authorized individuals or
processes, and that if appropriate, as determined by the information system’s security
requirements, the same access controls are applied to archived or shared copies of
information as are applied to the original.
20. Verify the identity of system users using current Federal standards.
a. Authenticate user identity through the use of passwords, tokens, biometrics, or a
combination of the three based on the impact level assigned to the system.
b. Ensure that authentication mechanisms for information systems meet standards
appropriate to the system categorization per NIST guidance.
21. Verify the information system identifies specific user actions that can be performed
on the information system without identification and authentication, including access to
public web-based content. The system documents and provides supporting rationale in
the security plan for the information system user actions not requiring identification and
authentication.
22. For publicly accessible systems:
a. Display the system use information when appropriate before granting further
access.
b. Display references to monitoring, recording, or auditing that are consistent with
privacy accommodations for those systems that generally prohibit such activities.
c. Include in the notice given to public users of the information system a description
of the authorized uses of the system.
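The account lockout rule in item 10 and the inactivity lock in items 11 and 12 are the two controls in this section that reduce to a small state machine, and an implementer has to get the sliding 15-minute window right (old failures must stop counting) and support both the timed lockout and the administrator-release variant. The following is an added example written for this edit, not code from the Forest Service Manual or any Forest Service system. The thresholds (5 failures within 15 minutes, a minimum 15-minute delay or release by an Administrator, a 15-minute workstation idle limit) come from the text; the class and function names are this example's own.

```python
"""Account lockout and inactivity lock, modelled on FSM 6684.2 items 10-12.

Added example; not code from the Forest Service Manual.  The thresholds come
from the text (5 failures within 15 minutes; a minimum 15-minute lockout or
release by an Administrator; a 15-minute workstation idle limit).  Class and
function names are this example's own.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5             # item 10: failed logons that trigger a lock
FAILURE_WINDOW = 15 * 60     # item 10: seconds over which failures are counted
LOCKOUT_DELAY = 15 * 60      # item 10: minimum delay before the next logon prompt
WORKSTATION_IDLE = 15 * 60   # item 12: maximum idle time before the screen locks


class LockoutPolicy:
    """Counts failed logons per account in a sliding window and locks on the fifth."""

    def __init__(self, admin_release_required=False):
        # Item 10 allows either a timed lockout or a lock held until an
        # Administrator releases it; the flag selects which mode applies.
        self.admin_release_required = admin_release_required
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> time the timed lock expires
        self._held = set()                    # accounts awaiting Administrator release

    def _prune(self, account, now):
        # Drop failures that fell outside the 15-minute counting window.
        q = self._failures[account]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def is_locked(self, account, now):
        return account in self._held or now < self._locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Record a failed logon; return True if this failure locked the account."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) < MAX_FAILURES:
            return False
        self._failures[account].clear()
        self._locked_until[account] = now + LOCKOUT_DELAY
        if self.admin_release_required:
            self._held.add(account)
        return True

    def record_success(self, account):
        self._failures[account].clear()

    def admin_release(self, account):
        """Administrator action that clears a held lock (item 10)."""
        self._held.discard(account)
        self._locked_until.pop(account, None)


def attempt_logon(policy, account, now, credentials_ok):
    """Decide one logon attempt: 'allowed', 'denied' (bad credentials) or 'locked'."""
    if policy.is_locked(account, now):
        return "locked"          # no prompt is serviced while the lock stands
    if credentials_ok:
        policy.record_success(account)
        return "allowed"
    return "locked" if policy.record_failure(account, now) else "denied"


def session_state(last_activity, now, idle_limit=WORKSTATION_IDLE):
    """Items 11-12: a session stays 'active' until the idle limit is exceeded,
    then is 'locked' and the user must re-authenticate to resume it."""
    return "locked" if now - last_activity > idle_limit else "active"


if __name__ == "__main__":
    # Constructed sequence of attempts (seconds since an arbitrary epoch).
    policy = LockoutPolicy()
    for t in (0, 60, 120, 180, 240):
        print(t, attempt_logon(policy, "alice", t, credentials_ok=False))
    print(300, attempt_logon(policy, "alice", 300, credentials_ok=True))   # still locked
    print(1200, attempt_logon(policy, "alice", 1200, credentials_ok=True))  # lock expired
    print(session_state(last_activity=0, now=901))                          # locked
```

Note that a correct password presented while the lock stands is still refused, and that the window is measured from the earliest counted failure rather than from the first attempt ever, so a slow trickle of failures spread over more than 15 minutes never accumulates to a lock. Any deviation from these values, as item 10 states, needs ISSPM approval and a documented compensating control in the SSP.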
6684.21 - Account Management
1. Manage all information system accounts, including establishing, activating,
modifying, reviewing, disabling, and removing accounts. Review all information system
accounts quarterly in accordance with USDA requirements.
2. Employ automated mechanisms to support the management of information system
accounts.
3. Configure all Forest Service information system emergency accounts such that they
automatically terminate as soon as they are no longer needed, and in no case later than 14 days.
4. Configure all Forest Service information system accounts to have expiration dates.
5. Configure all Forest Service information systems such that they automatically disable
accounts after 90 days of inactivity. Terminate inactive accounts after an additional 270
days of inactivity except as specified in section 6683.23d, Long-Term Absence.
6. Employ automated mechanisms to audit account creation, modification, disabling, and
termination actions and notify, as required, appropriate individuals.
7. Ensure the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
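Items 1 and 3 through 6 of this section describe an account review that can be automated: every account carries an expiration date, emergency accounts are cut off at 14 days, inactive accounts are disabled at 90 days and terminated after a further 270, and each disable or terminate action is written to an audit record. The following is an added example for this edit, not code from the Forest Service Manual or a Forest Service system. The intervals come from the text. Two points are assumptions: the section 6683.23d long-term-absence exception is represented as a flag that suppresses termination only, because its wording is not on this page; and an account past its expiration date is disabled, since the text requires the date but does not say what happens at expiry. All names are this example's own, and the sample population is constructed.

```python
"""Account lifecycle review, modelled on FSM 6684.21 items 1, 3-6.

Added example; not code from the Forest Service Manual.  Intervals come from
the text: disable after 90 days of inactivity, terminate after a further 270
days, emergency accounts live at most 14 days, every account has an expiration
date.  The long-term-absence flag (assumed mapping of the 6683.23d exception)
suppresses termination only.  Disabling at expiry is also an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DISABLE_AFTER = timedelta(days=90)                     # item 5
TERMINATE_AFTER = DISABLE_AFTER + timedelta(days=270)  # item 5: 360 days in total
EMERGENCY_MAX_LIFE = timedelta(days=14)                # item 3


@dataclass
class Account:
    name: str
    created: date
    expires: date                     # item 4: every account has an expiration date
    last_activity: date
    emergency: bool = False
    long_term_absence: bool = False   # assumed mapping of the 6683.23d exception


def review_account(acct, today):
    """Return 'terminate', 'disable' or 'none' for one account as of `today`."""
    if acct.emergency and today - acct.created >= EMERGENCY_MAX_LIFE:
        return "terminate"
    idle = today - acct.last_activity
    if idle >= TERMINATE_AFTER and not acct.long_term_absence:
        return "terminate"
    if idle >= DISABLE_AFTER or today >= acct.expires:
        return "disable"
    return "none"


def review_all(accounts, today):
    """Quarterly review (item 1): returns {name: action} and the audit trail
    that item 6 requires for disable and terminate actions."""
    actions, audit = {}, []
    for acct in accounts:
        action = review_account(acct, today)
        actions[acct.name] = action
        if action != "none":
            audit.append(f"{today.isoformat()} {action.upper()} {acct.name} "
                         f"last_activity={acct.last_activity.isoformat()}")
    return actions, audit


# Constructed sample population, reviewed on the amendment's effective date.
REVIEW_DATE = date(2015, 2, 5)
SAMPLE_ACCOUNTS = [
    Account("active_user", date(2013, 6, 1), date(2016, 6, 1), date(2015, 1, 20)),
    Account("idle_user", date(2013, 6, 1), date(2016, 6, 1), date(2014, 10, 1)),
    Account("stale_user", date(2013, 6, 1), date(2016, 6, 1), date(2014, 1, 1)),
    Account("deployed_user", date(2013, 6, 1), date(2016, 6, 1), date(2014, 1, 1),
            long_term_absence=True),
    Account("emergency_acct", date(2015, 1, 15), date(2015, 3, 1), date(2015, 2, 4),
            emergency=True),
    Account("expired_acct", date(2013, 6, 1), date(2015, 1, 31), date(2015, 2, 1)),
]

if __name__ == "__main__":
    actions, audit = review_all(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for line in audit:
        print(line)
```

The emergency check runs first because such an account may still be showing recent activity when its 14 days run out; the long-term-absence account is still disabled at 90 days, only its termination is deferred, which keeps the credential unusable while the person is away.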
6684.22 - Access Enforcement
1. Configure all Forest Service information systems such that they enforce assigned
authorizations for controlling logical access to the system in accordance with applicable
policy. If encryption of stored information is used as an access enforcement mechanism,
use only cryptography that is compliant with Federal Information Processing Standards
(FIPS) 140-2. If a token based access control is used, and the Federal Personal Identity
Verification (PIV) credential is used as the identification token, use only access control
systems that conform to the requirements of FIPS 201 and NIST SP 800-73, and that
employ either cryptographic verification or biometric verification.
2. In accordance with USDA requirements, configure all Forest Service information
systems such that access to privileged functions as listed in the system security plan
(deployed in hardware, software, and firmware) and to security relevant information is
restricted to explicitly authorized personnel (for example, Security Administrators,
System and Network Administrators, and other privileged users).
3. Implement a controlled, audited, and manual override of automated mechanisms,
when appropriate, to handle an emergency or other serious event.
4. Configure the information system to enforce approved authorizations for controlling
the flow of information within the system and between interconnected systems.
6684.23 - Separation of Duties and Least Privilege
1. Restrict access to security systems and information to those personnel authorized to
perform security related functions on the particular information system or equipment as
defined in the system security plan in accordance with USDA requirements.
2. Grant users, or automated processes acting on behalf of users, the most restrictive
rights, privileges, or access needed to perform assigned or specified tasks. Limit access
to the resources that a user needs to complete or facilitate official duties.
3. Configure the information system to enforce the most restrictive set of
rights/privileges or accesses needed by users (or processes acting on behalf of users) for
the performance of specified tasks.
4. Separate duties of individuals as necessary to prevent malevolent activity without
collusion.
5. Document and implement separation of duties through assigned information system
access authorizations.
6684.24 - Management of Generic and Guest Accounts
1. Create guest system access accounts only under the following conditions:
a. The access is needed for carrying out the Forest Service mission and an
individually identifiable account access is impractical.
b. Network privileges for the guest or anonymous account only allow access to the
public internet.
2. Create generic system access accounts (standing, managed accounts available for
short-term use) only under the following conditions:
a. The accounts are necessary for carrying out the Forest Service mission.
b. The accounts are centrally managed and documented.
c. The accounts are assigned to one individual at a time and tracked in a way that
definitively links use of the account to a specific individual.
d. Passwords are changed immediately by the Manager of Generic System Access
Accounts when the account is transferred to another user.
6684.25 - Public Access Content
1. Configure all publicly available Forest Service information systems such that they
protect the integrity and availability of the information and applications they support.
2. Identify and document all publicly accessible system components in the SSP.
3. Configure all publicly accessible system components according to security control
documentation in the SSP.
4. Ensure that publicly accessible systems do not contain non-public information,
including personally identifiable information.
6684.26 - Wireless Access Restrictions
1. Allow access through wireless connections in accordance with Departmental policy
and FSM 6640.
2. Establish usage restrictions and implementation guidance for wireless access.
3. Continuously monitor for unauthorized wireless access.
4. Authorize wireless access to the information system prior to granting access and
enforce requirements for wireless connections to the information system.
6684.27 - Remote Access
1. Allow remote access to Forest Service networks only from Forest Service-issued
devices using only documented and allowed methods.
a. Document all requests and resulting authorization for remote access using the
Forest Service approved system for such documentation.
b. Allow remote access only for those employees, including students, co-ops, and
volunteers, already approved for internal network access and only with concurrence
of the employee’s Supervisor. For others, such as vendors or contractors, requiring
remote access for official business, grant only temporary, time-limited access not to
exceed the period of business need, and only with concurrence of the Program
Manager for whom the vendor or contractor is working.
c. Revalidate the requirement for all users authorized for remote user access
annually.
d. Revalidate the requirement for all users authorized for remote administrator access
to network devices quarterly.
e. Enforce the revalidation requirement through an automated renewal process.
f. Immediately deactivate remote access accounts for users upon separation or
determination that the access is no longer required.
g. Disable system functionality that provides the capability for automatic execution
of code on mobile devices without user direction.
2. Use two-factor authentication for remote access, when available, and other Forest
Service-approved methods, unless otherwise approved by the Information System
Security Program Manager (ISSPM). All remote session activity for both regular and
security-related functions must be audited in accordance with USDA requirements.
3. For all remote access, allow access only through Forest Service approved encrypted
Virtual Private Network (VPN) or equivalently secure, encrypted connections.
a. Employ automated mechanisms to facilitate the monitoring and control of remote
access on a continual basis, in accordance with USDA requirements.
b. Require separate, individual approval and authentication for VPN connections.
c. Control all remote accesses through a limited number of managed access control
points.
d. For access to privileged functions, permit such access only for compelling
operational need, and document the rationale for such access in the information
system SSP.
e. Other than the Internet connection required for the VPN connection to the Forest
Service network, ensure that no other network connections, adapters, or
communications ports, are active while the VPN session to the Forest Service
network is active.
f. Ensure that desktop and laptop VPN configurations block access to all other
networks, except access provided via the Forest Service network itself, while the
VPN session to the Forest Service network is active.
g. When connecting a Forest Service computer (desktop or laptop) to a non-Forest
Service public or home wired or wireless network, open a VPN connection between
the computer and the Forest Service Intranet immediately after connecting the
computer to the non-Forest Service network, and maintain that VPN connection in an
active state for as long as the computer is connected to the non-Forest Service
network. Use the Forest Service VPN connection for all access to the public Internet.
4. For remote access, allow access only through Forest Service-approved connections.
a. Manage all connections and remote access to Forest Service information systems
centrally to ensure network integrity.
b. Establish remote service at the outermost perimeter (DMZ) of the Forest Service
network.
c. Establish strict authentication procedures for remote users.
d. Locate virtual private network (VPN) services in a Forest Service-controlled
DMZ, so that VPN traffic also must pass through perimeter firewalls.
e. Configure remote access service to terminate connections automatically after a
period of inactivity as specified in the applicable system security plan.
5. Do not modify or alter remote connection software or hardware, or the connections
themselves, unless specifically approved by an Information System Security Officer or
the Agency ISSPM.
6. Immediately deactivate remote access accounts or privileges for anyone found to be in
violation of this policy and report the violation to the Network Operations Manager.
7. In accordance with USDA requirements, the system owner is responsible for updating
the SSP with networking protocols that are deemed to be non-secure.
6684.28 - Portable and Mobile Devices
1. Establish and document restrictions and implement guidance for access of writable,
removable, portable, and mobile devices on the information systems.
2. Authorize connection of mobile devices meeting organizational usage restrictions and
implementation guidance to Forest Service information systems.
3. Monitor for unauthorized connections of mobile devices.
4. Enforce requirements for the connection of mobile devices.
5. Disable system functionality that provides the capability for automatic execution of
code on mobile devices without user direction.
6. Issue specially configured mobile devices to individuals traveling to locations that the
Forest Service deems to be of significant risk.
7. Apply enhanced analysis and cleaning measures to devices returning from locations
deemed by the Forest Service to be of significant risk in accordance with USDA
requirements.
8. Prohibit the use of personally-owned removable media in Forest Service information
systems.
9. Prohibit the use of removable media in Forest Service information systems where the
media has no identifiable owner.
6684.29 - Use of External Information Systems and Publicly Accessible Content
1. The Forest Service establishes terms and conditions, consistent with any trust
relationships established with other organizations owning, operating, and/or maintaining
external information systems allowing authorized individuals to access the information
system from the external information system and process, store, and/or transmit
organization-controlled information using the external information system.
2. The Forest Service must be able to verify the implementation of the required security
controls as specified in the Forest Service information security policy and security plan.
3. The Forest Service designates individuals authorized to post information onto publicly
accessible information systems. Designated individuals are trained to ensure that
publicly accessible information does not contain non-public information. All proposed
content of publicly accessible information is reviewed to ensure non-public information
is removed prior to posting.
4. In accordance with USDA requirements, all content on publicly accessible
information systems is reviewed quarterly and non-public information is removed, if
discovered.
5. The Forest Service limits the use of Forest Service portable storage media by
authorized individuals on external information systems.
6684.3 - Security Monitoring/Audit Controls
1. Develop, disseminate, and provide an overall audit and accountability policy.
2. Review, update, and approve the policy on an annual basis in accordance with USDA
requirements.
3. Address within the policy the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
audit and accountability controls. These procedures are to be reviewed and updated
annually in accordance with USDA requirements.
5. Monitor and review user activity on Forest Service information systems and networks
in accordance with applicable laws, regulations, contractual obligations, and best
practices (as described in NIST special publications referenced in sections 6680.01a and
6680.06) on an annual basis in accordance with USDA requirements.
6. Investigate unusual information system related activities.
7. Regularly scan or otherwise monitor Forest Service endpoints (desktop and laptop
computers) to detect the presence of unauthorized software and take appropriate action to
remove or mitigate in accordance with section 6683.24.
8. Continuously monitor Forest Service networks and computer activity to:
a. Ensure that technical controls required by law or regulation for safeguarding the
confidentiality, integrity, and availability of corporate information, information
systems, and networks are effective and operating as intended.
b. Detect, report, disable, and/or cause the repair, removal, or mitigation of:
(1) Intrusions by or the presence of malware (computer viruses, worms, or Trojans),
spyware, or other unauthorized software that attempts to install itself and operate on
Forest Service networks or computers without Forest Service authorization.
(2) Unauthorized access to internal or external network or computing devices.
(3) Unsolicited or offensive electronic messaging content that violates Forest Service
policy on appropriate use of IT resources, as referenced in section 6683.24.
(4) Known vulnerabilities in the software or hardware configurations of Forest
Service-owned or operated IT.
9. Use data collected through security monitoring only to:
a. Assist the Forest Service in achieving audit compliance.
b. Monitor service levels.
c. Support official administrative or criminal investigations.
d. Limit Forest Service liability.
e. Measure system and network performance.
f. Perform system and network capacity planning activities.
g. Troubleshoot system and network problems.
h. Safeguard the confidentiality, integrity, and availability of corporate information
and protect information systems, networks, and users from inappropriate or
unauthorized use.
10. Use automated monitoring tools when they provide exception-based, real-time
notification of threats, vulnerability exploitations, and unauthorized or inappropriate
system or network usage detected by monitoring:
a. Traffic originating from or destined for the Internet.
b. Electronic messaging traffic (including, but not limited to, electronic mail, instant
messaging, and mobile communication device text messaging) received by or sent
from Forest Service information systems.
c. Forest Service intranet, local area, and wide area network traffic, and protocols.
d. Operating system and other system software security indicators, including system
activity logs, on Forest Service-owned or operated IT.
11. Perform the following actions for data collected to meet system monitoring
requirements, regardless of whether it contains personally identifying information:
a. Allow the collection and analysis of data in its raw state only by System
Administrators, Network Administrators, security personnel, or their Managers in the
authorized performance of their official duties.
b. Treat the data as confidential and reveal the data to others only pursuant to legal,
regulatory, or investigatory requirements, and in a redacted format omitting any
personally identifying information, unless or until the data becomes part of an
authorized investigation.
c. Immediately report evidence of suspected or alleged misconduct discovered
through routine system monitoring in accordance with departmental and Forest
Service procedures regarding investigation of employee misconduct (FSH 6109.41;
DPM 751, subch. 3).
d. Destroy the data immediately once the administrative need or legal requirement
for its retention has expired.
12. Provide annual notification to employees regarding security monitoring activities,
privacy expectations, and appropriate use.
6684.31 - Auditable Events
1. In accordance with the organizational assessment of risk, the information system risk
assessment, and mission/business needs, ensure that information systems audit and
produce records for the events identified in the system’s SSP. Execution of privileged
functions must be included in the list of events to be audited by the information system.
2. Provide the capability for audit reduction and audit report generation in compliance
with requirements of applicable laws, Executive Orders, directives, policies, regulations,
and standards.
3. Review and update the list of defined auditable events at least annually.
4. Secure all audit logs, in accordance with NIST SP 800-92, Guide to Computer
Security Log Management.
5. Coordinate the security audit function with other organizational entities requiring
audit-related information to enhance mutual support and to help guide the selection of
auditable events.
6. Provide a rationale for why the list of auditable events is deemed to be adequate.
6684.32 - Content of Audit Records
1. For auditable events, as described in section 6684.31:
a. Show time/date of user logon and logoff, and the workstation internet protocol (IP)
address, name, or identifier of the location used.
b. Record the unique identifier; the workstation IP address, name, or identifier of the
location used to initiate the action; the function or file operation being performed; the
time and date of all server system administration functions and file operations; and
the outcome (success or failure) of the event.
c. Permit read only access to the audit log by authorized individuals.
d. If practical and applicable, show the use of individual system communication
ports.
e. At all times contain the most recent 30 days of activity; use a longer period if
needed to support requirements of a particular information system.
f. Include the audit log in the routine backup procedure.
g. Record every invalid attempt to logon to applications, systems, or networks, along
with time/date of attempt, and the workstation IP address, name, or identifier of the
location used to attempt logon, if available.
2. For auditable events, as described in section 6684.31, provide information capable of
supporting an after-the-fact investigation of an event as defined in the system security
plan in accordance with USDA requirements.
6684.33 - Response to Audit Processing Failures and Audit Review, Analysis, and
Reporting and Audit Reduction and Report Generation
1. Review and analyze information system audit records, at least weekly or as identified
in the SSP, for indications of inappropriate or unusual activity in accordance with USDA
requirements.
2. Investigate suspicious activity or suspected violations and report findings in
accordance with Agency-mandated incident reporting procedures.
3. For auditable events, as described in section 6684.31, employ automated mechanisms
to alert security personnel of inappropriate or unusual activities with security
implications.
4. Maintain subscription for automated alert mechanisms to keep the lists of
inappropriate or unusual activities updated.
5. Maintain evidence of audit log reviews and changes to the list (or subscription) of
auditable events.
6. In accordance with USDA requirements, alert designated Forest Service officials in the
event of an audit processing failure and take corrective action. In the event of audit log
overflow, the oldest audit records will be overwritten.
7. Provide audit reduction and report generation capability.
8. Adjust the level of audit review, analysis, and reporting within the information system
when there is a change in risk to organizational operations, organizational assets,
individuals, other organizations, or the Nation based on law enforcement information,
intelligence information, or other credible sources of information.
9. Upon discovery of an unauthorized connection, use automated notification to the
System Administrator(s) and take appropriate action in accordance with USDA
requirements.
6684.34 - Time Stamps
1. For auditable events, as described in section 6684.31:
a. Configure the information system to generate time stamps for use in audit record
generation.
b. Show time/date of user logon and logoff and the workstation IP address, name, or
identifier of the location used.
2. Ensure all systems synchronize to a USDA- or Forest Service-authorized time source
(such as Network Time Protocol (NTP) source).
3. Ensure the time stamps are generated using internal IT system clocks that are
synchronized enterprise-wide at least daily, in accordance with USDA
requirements.
4. Use internal system clocks to generate time stamps for audit records.
6684.35 - Protection of Audit Information
1. Separate duties between IT system personnel who administer the access control
function and those who administer the audit trail. (Refer to sec. 6683.21 for additional
information on separation of duties):
a. Document specific measures that provide chain of custody to ensure data is not
altered and to preserve the integrity of specific audit logs.
b. Restrict privileges to disable auditing to authorized personnel.
2. Retain hardcopies or copies on unalterable media (such as DVDs or write-once media)
of IT system audit logs for use in reconciling with electronic versions to verify there has
been no alteration of original data.
3. Configure IT systems to protect all audit trails from actions such as unauthorized
access, modification, and destruction.
4. Permit only authorized personnel to have access to the audit logs and audit tools.
5. Use appropriate controls to protect the confidentiality and integrity of all audit logs.
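As an added illustration of 6684.32 (content of audit records) and 6684.35 (chain of custody and reconciliation against an unalterable copy), not Forest Service code: each record carries the fields item 1.b lists, and a SHA-256 hash chain, an assumed technique the policy itself does not prescribe, lets the electronic log be reconciled against an anchor digest kept on write-once media. The field names, the chain start value, and the sample records are constructed.

```python
import hashlib
import json

# 6684.32 item 1.b: content every audit record must carry (field names assumed here).
REQUIRED_FIELDS = ("user_id", "workstation", "function", "timestamp", "outcome")
GENESIS = "0" * 64   # chain start value (assumed convention, not from the policy)


def make_record(user_id: str, workstation: str, function: str,
                timestamp: str, outcome: str) -> dict:
    """Build one audit record: unique identifier, workstation IP/name, operation,
    time and date, and the outcome (success or failure) of the event."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    return {"user_id": user_id, "workstation": workstation, "function": function,
            "timestamp": timestamp, "outcome": outcome}


def record_digest(prev: str, record: dict) -> str:
    """SHA-256 over the previous digest plus a canonical serialization of the record,
    so every digest depends on the whole history before it."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canonical).encode("utf-8")).hexdigest()


def build_chain(records: list) -> list:
    """Digest for each record in order; the list is what gets copied to
    unalterable media (6684.35 item 2) when the log is archived."""
    digests, prev = [], GENESIS
    for rec in records:
        prev = record_digest(prev, rec)
        digests.append(prev)
    return digests


def first_divergence(records: list, archived_digests: list):
    """Reconcile the electronic log against the archived digests.
    Returns None if they agree, otherwise the index of the first record that no
    longer matches (a modified, deleted, or inserted record shows up there)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if i >= len(archived_digests):
            return i                      # records added beyond the archived chain
        try:
            prev = record_digest(prev, rec)
        except ValueError:
            return i                      # malformed record
        if prev != archived_digests[i]:
            return i
    if len(records) < len(archived_digests):
        return len(records)               # records removed from the end
    return None


# Constructed sample log: logon, a file operation, a privileged function, logoff.
SAMPLE_RECORDS = [
    make_record("jdoe", "10.20.5.17", "logon", "2015-02-05T08:01:12Z", "success"),
    make_record("jdoe", "10.20.5.17", "file_read:/srv/ssp/plan.docx",
                "2015-02-05T08:03:40Z", "success"),
    make_record("svc_backup", "10.20.9.2", "privileged:stop_auditd",
                "2015-02-05T08:05:02Z", "failure"),
    make_record("jdoe", "10.20.5.17", "logoff", "2015-02-05T09:12:55Z", "success"),
]


def demo() -> dict:
    archived = build_chain(SAMPLE_RECORDS)            # the copy held on write-once media
    edited = [dict(r) for r in SAMPLE_RECORDS]
    edited[2]["outcome"] = "success"                  # a failed privileged action rewritten
    truncated = SAMPLE_RECORDS[:3]                    # the logoff record removed
    return {
        "intact": first_divergence(SAMPLE_RECORDS, archived),
        "edited": first_divergence(edited, archived),
        "truncated": first_divergence(truncated, archived),
    }


if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name:10} {'no alteration' if idx is None else f'diverges at record {idx}'}")
```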
6684.36 - Audit Storage Capacity and Retention
1. Ensure the information system allocates audit record storage capacity and configures
auditing to reduce the likelihood of such capacity being exceeded.
2. Retain system, application, and database-level audit logs for a minimum of 30 days
online and 1 year offline for after-the-fact investigations of IT security incidents in
accordance with USDA requirements. At all times, ensure the most recent 30 days of
activity are readily accessible; use a longer period if needed to support requirements of a
particular information system. Ensure that all audit records are retained in accordance
with official records management and retention requirements and applicable litigation
requirements.
6684.37 - Audit Generation
1. The information system provides audit record generation capability for the identified
auditable events, and the system is capable of creating audit records as defined in the
system security plan in accordance with section 6684.31.
2. The information system allows designated Forest Service personnel to select which
auditable events are to be audited by specific information system components.
3. The information system generates audit records for the list of identified auditable
events in accordance with section 6684.31.
6684.4 - System and Communications Protections
1. Develop, disseminate, and provide an overall Systems and Communications
Protection policy.
2. Review, update, and approve the policy on an annual basis.
3. Address within the policy, the purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and their compliance.
4. Develop formal, documented procedures to implement this policy and the associated
Systems and Communications Protection controls.
6684.41 - Public Key Infrastructure Certificates
When using public key infrastructure to facilitate the interoperability of trust and nonrepudiation, use an Agency certificate authority or an approved PKI service provider.
6684.42 - Mobile Code
1. Use only approved mobile code on the information system.
2. Establish usage restrictions and implementation guidance for acceptable mobile code
and mobile code technologies.
3. Authorize, monitor, and control the use of mobile code within the information system.
6684.43 - Use of Cryptography
1. If cryptography is used, document in the SSP.
2. If or when cryptographic mechanisms are used, ensure they are compliant with the
current version of FIPS 140 and approved by the department in accordance with USDA
requirements.
3. Whole disk encryption is to be utilized on all portable Forest Service computers.
Document how cryptographic keys are established and managed in the SSP.
6684.5 - Device Identification and Authentication
1. Configure information systems to identify and authenticate specific devices before
establishing connection.
2. Verify that only ISSPM approved procedures, mechanisms, or protocols are used for
host or device authentication.
3. Clearly document, in the SSP, the procedures, mechanisms, or protocols used,
including diagrams.
4. Implement device authentication control mechanisms in keeping with the FIPS 199
security categorization of the information system.
6684.6 - Network Security
1. Implement Voice over Internet Protocol (VoIP) only in accordance with current
guidance through usage restrictions based on the potential to cause damage to the
information system if used maliciously and only when the use is authorized, monitored,
and controlled.
2. Limit access, including remote access, to the management features of any electronic
network infrastructure equipment owned and/or managed by the Forest Service to
specifically authorized individuals.
6684.61 - Network Perimeter Management/Boundary Protection
Monitor and manage the network perimeter and key internal boundaries, in accordance with
NIST SP 800-53 guidance, to prevent unauthorized access, verify and control authorized access,
detect attempts at intrusion or harmful behavior and repel such behavior where possible, and
ensure that sensitive Forest Service information is not visible across the network perimeter
unless the visibility is intended, as follows:
1. Allow Internet access from Forest Service networks only through the managed
interfaces provided by the U.S. Department of Agriculture (USDA) approved Internet
access nodes.
2. Allow public Internet access to Forest Service information systems only via servers
that are in a demilitarized zone (DMZ) controlled by the Forest Service or otherwise
isolated from Forest Service networks. Do not place servers that are directly accessible
by entities on the public Internet, including Web servers, inside the Forest Service
intranet.
3. Protect the authenticity of all communications sessions.
4. Activate network services only as required to meet the Forest Service mission.
a. Remove or deactivate all services on all servers that are not needed or not
approved for use.
b. Document in the system security plan any services allowed to pass through Forest
Service network security controls, including a description of the service, ports used,
reason the exception is required, and associated security controls.
c. Prevent remote devices and services that have established a non-remote connection
with the system from communicating outside of that communications path with
resources in external networks (that is, split-tunneling technologies are prohibited).
5. Implement network based security tools designed to notify System Administrators of
unauthorized access or attempted access to Forest Service networks and, if possible,
configured to prevent such access through automated interaction with perimeter firewalls
or other security controls.
6. Partition the information system into components residing in separate physical
domains as necessary.
7. Select security features and mechanisms to provide defense in depth through
management of internal activities and external connections. Include, as applicable, the
following devices, systems, or functions in the security architecture:
a. IT security appliances, Firewalls, Network Intrusion Detection System (NIDS),
Host Intrusion Detection System (HIDS), or Intrusion Prevention System (IPS).
b. Router security.
c. Access control lists (ACLs).
d. Firewall and application level proxies.
e. Demilitarized zone (DMZ) for publicly accessible services.
f. Design and operate each security tool so it does not significantly impact network
and system performance.
g. See exhibit 01 for direction on requirements for configuring internal and external
devices.
h. See exhibit 02 for direction on configuring perimeter security device filtering
rules.
6684.61 Exhibit 01
Configuring Internal and External Devices
1. Full content network traffic is visible to a sensor.
2. Virtual private networks (VPN) traffic terminates where the traffic may be processed
by a NIDS, HIDS, or IPS and does not bypass the security architecture.
3. Allow changes to perimeter firewalls only when authorized by the Agency ISSPM or
designated representative.
4. Document all permitted IP addresses and ports.
5. VPN communications to or from the network must employ, at a minimum, a FIPS 140-2
approved data encryption module (for example, Advanced Encryption Standard [AES]).
6. Perimeter security devices maintain a separate access password and conform to the
requirements set forth in section 6684.2.
7. Design and configure information systems to protect against denial of service (DoS)
attacks.
8. Monitor and log the operation of network perimeter security systems to the extent
necessary to substantiate investigations of real or perceived security violations. At a
minimum, record client transaction information such as source and destination IP
address, date and time, port used or requested, and uniform resource locator (URL), if
available.
9. Maintain components responsible for monitoring and ensuring network security,
including but not limited to routers, firewalls, intrusion detection/prevention systems,
spam and antivirus filters, and vulnerability scanning systems, as follows:
a. Update or patch network security components as recommended by the
manufacturer.
b. Test changes to network security components, including reconfigurations, updates,
or patches, offline whenever possible, before placing them into production status.
10. Control the flow of information within the information system(s) and between
interconnected information system(s).
11. Document each exception to the traffic flow policy with a supporting
mission/business need and the duration of that need. Review the exceptions to the traffic
flow policy on an annual basis. Remove the traffic flow policy exemptions that are no
longer supported.
12. Ensure the information system at the managed interfaces denies network traffic by
default and allows network traffic by exception (that is, deny all, permit by exception).
6684.61 - Exhibit 02
Configuring Perimeter Security Devices Filtering Rules
1. Packets coming from an external source into the IT system do not have a source
address of the IT system’s internal network.
2. Packets leaving the internal network do not have a destination address of the IT
system’s internal network.
3. Packets coming into the IT system from the Internet or leaving the IT system’s
network to the Internet do not have a private source or destination address or an IP
address listed in Request for Comments (RFC) 1918 reserved space. All packets
reference only the IT system’s external public IP address.
4. As applicable, block any source routed packets or any packets with IP options that are
not specifically allowed (for example, multicast, IP Security [IPSEC], and so forth).
5. Actively manage devices that are connected to the Forest Service network, and all
Forest Service provided services available via the network to ensure the integrity,
performance, and availability of the network and network services.
6. Locate Web servers and information that are accessible to the general public on a
screened subnet, such as a DMZ that is protected by a firewall and enabled to be
accessed by external Internet clients. The DMZ may also contain other servers, such as
mail servers, remote access machines, or Web servers.
7. Identify and document the defined boundary of the information system in the SSP and
RA.
8. Implement Interconnection Security Agreements (ISAs) or Memorandum of
Understanding/Agreements (MOU/As), in compliance with section 6682.42 - Information
System Connections for IT systems with connections that are external to the Forest
Service.
9. Conduct periodic testing of incoming perimeter filtering protection mechanisms.
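As an added illustration of the filtering rules in exhibit 02, items 1 through 4, together with the deny-all, permit-by-exception stance and the documented, time-limited exceptions of exhibit 01, items 11 and 12 (example code, not Forest Service code): each sample packet at the managed interface is checked for a spoofed internal source, an internal destination on the way out, RFC 1918 addresses, source routing and unapproved IP options, and is then permitted only if a current documented exception matches. The internal prefix, public address, exception list and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed example values for the IT system being protected.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")      # the system's internal network
PUBLIC_ADDR = ipaddress.ip_address("203.0.113.10")       # its single external public IP
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_IP_OPTIONS = frozenset()   # exhibit 02 item 4: no IP options specifically allowed


@dataclass(frozen=True)
class Packet:
    direction: str        # "inbound" (from the Internet) or "outbound" (to the Internet)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    source_routed: bool = False
    ip_options: frozenset = frozenset()


@dataclass(frozen=True)
class FlowException:
    """Exhibit 01 item 11: a permitted flow with its business need and duration."""
    direction: str
    proto: str
    dport: int
    need: str
    expires: date


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def evaluate(pkt: Packet, exceptions: list, today: date) -> tuple:
    """Return ("permit" | "deny", reason) for one packet at the managed interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Exhibit 02 item 1: packets from outside must not claim an internal source.
    if pkt.direction == "inbound" and src in INTERNAL_NET:
        return "deny", "inbound packet with internal source address (spoofing)"
    # Exhibit 02 item 2: packets leaving must not be addressed to the internal network.
    if pkt.direction == "outbound" and dst in INTERNAL_NET:
        return "deny", "outbound packet addressed to the internal network"
    # Exhibit 02 item 3: no RFC 1918 addresses; only the public address is referenced.
    if is_rfc1918(src) or is_rfc1918(dst):
        return "deny", "RFC 1918 address on an Internet-facing packet"
    own_side = dst if pkt.direction == "inbound" else src
    if own_side != PUBLIC_ADDR:
        return "deny", "packet does not reference the system's public IP address"
    # Exhibit 02 item 4: source routing and IP options not specifically allowed.
    if pkt.source_routed:
        return "deny", "source-routed packet"
    if pkt.ip_options - ALLOWED_IP_OPTIONS:
        return "deny", "IP options not specifically allowed"
    # Exhibit 01 item 12: deny all, permit by exception; item 11: an expired
    # exception has been removed from the policy and no longer permits anything.
    for exc in exceptions:
        same_flow = (exc.direction, exc.proto, exc.dport) == (pkt.direction, pkt.proto, pkt.dport)
        if same_flow and exc.expires >= today:
            return "permit", f"documented exception: {exc.need}"
    return "deny", "no current documented exception (default deny)"


# Constructed exception list and evaluation date.
SAMPLE_EXCEPTIONS = [
    FlowException("inbound", "tcp", 443, "public web server in the DMZ", date(2030, 12, 31)),
    FlowException("inbound", "tcp", 23, "legacy telnet access (expired)", date(2014, 1, 1)),
]
TODAY = date(2015, 2, 5)


def demo() -> dict:
    samples = {
        "web": Packet("inbound", "198.51.100.7", "203.0.113.10", "tcp", 443),
        "spoofed": Packet("inbound", "10.20.5.5", "203.0.113.10", "tcp", 443),
        "expired": Packet("inbound", "198.51.100.7", "203.0.113.10", "tcp", 23),
        "srcroute": Packet("inbound", "198.51.100.7", "203.0.113.10", "tcp", 443,
                           source_routed=True),
        "private": Packet("outbound", "203.0.113.10", "192.168.1.1", "udp", 53),
        "undocumented": Packet("outbound", "203.0.113.10", "198.51.100.7", "udp", 53),
    }
    return {name: evaluate(p, SAMPLE_EXCEPTIONS, TODAY) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:12} {verdict:6} {why}")
```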
6684.62 - Secure Name/Address Resolution Service and Session Authenticity
1. Configure all information system servers that provide name/address resolution in
accordance with current guidance and available USDA Secure Name/Address Resolution
capabilities. Provide mechanisms where possible to protect the authenticity of
communications sessions.
2. Configure the information system, when operating as part of a distributed, hierarchical
namespace, to provide the means to indicate the security status of child subspaces and
enable verification of a chain of trust among parent and child domains.
3. Configure the information system to perform data origin authentication and data
integrity verification on the name/address resolution responses the system receives from
authoritative sources when requested by client systems.
4. Ensure that the information systems that collectively provide name/address resolution
service are fault tolerant (for example, single points of failure are eliminated) and
implement internal/external role separation in accordance with NIST SP 800-53
guidance.
6684.63 - Transmission Integrity and Confidentiality
1. Protect the integrity and confidentiality of transmitted information when that
information traverses external connections by employing cryptographic mechanisms to
recognize changes to information during transmission unless otherwise protected by
alternative physical measures in accordance with NIST SP 800-53 guidance.
2. Require transmission integrity and confidentiality controls in contracting vehicles and
agreements for external connections.
3. When using commercial service providers that lack transmission integrity and
confidentiality service level agreements, use transport integrity and confidentiality
security mechanisms that are in accordance with guidance from NIST and NSTISSI No.
7003 regarding Transport Layer Security (TLS), IPSec, and Domain Name Systems.
4. Implement appropriate compensating security controls on any systems transmitting
information that traverse external connections without protecting the integrity and
confidentiality of the information transmitted or accept and document the additional risk
incurred.
5. Ensure the information system separates user functionality (including user interface
services) from information system management functionality.
6. Ensure the system protects the confidentiality and integrity of data at rest.
6684.7 - Public Access Protections
1. Ensure the information system protects the integrity and availability of publicly
available information and applications.
2. Configure the information system to terminate the network connection associated with
a communications session at the end of the session or after 30 minutes of inactivity.
6684.8 - Information in Shared Resources
1. Configure all information systems to prevent unauthorized and unintended
information transfer via shared system resources.
2. Activate the security system’s object reuse function:
a. Ensure that unauthorized access to a user’s residual data cannot be obtained.
b. Ensure that any previous information content of the system is made unavailable
upon the allocation of the resource to all subjects.
c. Render all storage devices unreadable by degaussing or overwriting in accordance
with Information Technology Security Requirements for Media Protection, reference
section 6683.11.
3. Enforce or execute the deletion of temporary files created:
a. Clear, purge, or destroy all computers, disk drives, printers, copiers, scanners, and
so forth upon removal from the general support system (GSS) in accordance with
Information Technology Security Requirements for Media Protection, as referenced
in section 6683.11.
b. Configure all systems not to default to core dumps when the system fails.
c. Render all storage devices unreadable by degaussing or overwriting in accordance
with Information Technology Security Requirements for Media Protection, as
referenced in section 6683.11.