Office of the Chief Information Security Officer IT Security Procedural Guide: Information Security Program Plan CIO-IT Security-18-90 Revision 2


Page 1: IT Security Procedural Guide: Information Security Program ......Mar 14, 2018  · is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

Office of the Chief Information Security Officer

IT Security Procedural Guide:

Information Security Program Plan

CIO-IT Security-18-90

Revision 2


CIO-IT Security-18-90, Revision 2 Information Security Program Plan

U.S. General Services Administration

EXECUTIVE SUMMARY

The General Services Administration (GSA) agency-wide Assessment and Authorization (A&A) process is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the A&A process as described in NIST Special Publication (SP) 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.”

This Information Security Program Plan (ISPP) was developed to provide stakeholders with detailed information on what GSA considers inheritable common and hybrid controls and who the responsible party is for implementing each control. NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” describes common controls and the responsibility for them as:

Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components—entities internal or external to the organizations where the systems or components reside.

The organization assigns responsibility for common controls to appropriate organizational officials (i.e., common control providers) and coordinates the development, implementation, assessment, authorization, and monitoring of the controls. The identification of common controls is most effectively accomplished as an organization-wide exercise with the active involvement of chief information officers, senior information security officers, the risk executive (function), authorizing officials, information owners/stewards, information system owners, and information system security officers.

The excerpt below from NIST SP 800-53 defines hybrid controls and provides examples:

Organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific. For example, an organization may choose to implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific. Hybrid controls may also serve as predefined templates for further control refinement. Organizations may choose, for example, to implement the Contingency Planning security control (CP-2) as a predefined template for a generalized contingency plan for all organizational information systems with information system owners tailoring the plan, where appropriate, for system-specific uses.

This plan identifies control origination status and implementation status for all GSA-wide common and hybrid controls. In addition, this plan identifies the responsible party for implementing each common control, describes how the common controls are implemented, and provides system-specific expectations for hybrid controls. Where appropriate, the plan references GSA policies and guides that provide further detail on control implementation.


VERSION HISTORY/CHANGE RECORD

Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change

Initial Version – April 23, 2015
N/A | Desai/Davis | New Plan Document | GSA enterprise-wide common and hybrid controls status and implementation guidance. | N/A

Revision 1 – May 2, 2017
1 | Klemens/Dean | Revised guide to align with current format and style, edited, and updated guide based on current control processes. | Update GSA enterprise-wide common and hybrid controls status and implementation guidance. | Throughout

Revision 2 -
1 | Feliksa/Klemens | Revised guide to address Executive Order (EO) 13800 and the NIST Cybersecurity Framework. Updated control parameters and implementation details based on changes to GSA processes, procedures, and guides. | Comply with EO 13800. Update GSA enterprise-wide common and hybrid controls parameters and implementation details based on changes to GSA processes, procedures, and guides. | Throughout


Approval

GSA’s enterprise-wide Information Security Program Plan, Revision 2, is approved for distribution.

3/15/2018


Kurt Garbars

Chief Information Security Officer (CISO)

Signed by: KURT GARBARS

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division, at [email protected].


Table of Contents

EXECUTIVE SUMMARY .... i
1 Introduction .... 1
1.1 Purpose .... 3
1.2 Scope .... 3
2 References .... 3
3 Security Controls .... 5
3.1 Access Control (AC) .... 7
3.1.1 Access Control Policy and Procedures (AC-1) .... 7
3.2 Awareness and Training (AT) .... 8
3.2.1 Security Awareness and Training Policy and Procedures (AT-1) .... 8
3.2.2 Security Awareness Training (AT-2) .... 9
3.2.3 Role-Based Security Training (AT-3) .... 11
3.2.4 Security Training Records (AT-4) .... 12
3.3 Audit and Accountability (AU) .... 13
3.3.1 Audit and Accountability Policy and Procedures (AU-1) .... 13
3.3.2 Audit Events (AU-2) .... 14
3.3.3 Content of Audit Records (AU-3) .... 17
3.3.4 Audit Storage Capacity (AU-4) .... 19
3.3.5 Response to Audit Processing Failures (AU-5) .... 20
3.3.6 Audit Review, Analysis, and Reporting (AU-6) .... 21
3.3.7 Audit Reduction and Report Generation (AU-7) .... 24
3.3.8 Time Stamps (AU-8) .... 26
3.3.9 Protection of Audit Information (AU-9) .... 27
3.3.10 Audit Record Retention (AU-11) .... 30
3.4 Security Assessment and Authorization (CA) .... 31
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1) .... 31
3.4.2 Continuous Monitoring (CA-7) .... 32
3.5 Configuration Management (CM) .... 34
3.5.1 Configuration Management Policy and Procedures (CM-1) .... 34
3.5.2 Configuration Settings (CM-6) .... 35
3.6 Contingency Planning (CP) .... 37
3.6.1 Contingency Planning Policy and Procedures (CP-1) .... 37
3.7 Identification and Authentication (IA) .... 38
3.7.1 Identification and Authentication Policy and Procedures (IA-1) .... 38
3.8 Incident Response (IR) .... 39
3.8.1 Incident Response Policy and Procedures (IR-1) .... 39
3.8.2 Incident Response Training (IR-2) .... 40
3.8.3 Incident Response Testing and Exercises (IR-3) .... 42
3.8.4 Incident Handling (IR-4) .... 44
3.8.5 Incident Monitoring (IR-5) .... 47
3.8.6 Incident Reporting (IR-6) .... 48
3.8.7 Incident Response Assistance (IR-7) .... 52
3.8.8 Incident Response Plan (IR-8) .... 54
3.9 Maintenance (MA) .... 55
3.9.1 System Maintenance Policy and Procedures (MA-1) .... 56
3.10 Media Protection (MP) .... 57
3.10.1 Media Protection Policy and Procedures (MP-1) .... 57
3.11 Physical and Environmental Protection (PE) .... 58
3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1) .... 58
3.12 Planning (PL) .... 59
3.12.1 Security Planning Policy and Procedures (PL-1) .... 59
3.12.2 Rules of Behavior (PL-4) .... 60
3.13 Program Management (PM) .... 62
3.13.1 Information Security Program Plan (PM-1) .... 63
3.13.2 Senior Information Security Officer (PM-2) .... 64
3.13.3 Information Security Resources (PM-3) .... 65
3.13.4 Plan of Action and Milestones Process (PM-4) .... 66
3.13.5 Information System Inventory (PM-5) .... 67
3.13.6 Information Security Measures of Performance (PM-6) .... 68
3.13.7 Enterprise Architecture (PM-7) .... 69
3.13.8 Critical Infrastructure Plan (PM-8) .... 71
3.13.9 Risk Management Strategy (PM-9) .... 71
3.13.10 Security Authorization Process (PM-10) .... 72
3.13.11 Mission/Business Process Definition (PM-11) .... 75
3.13.12 Insider Threat Program (PM-12) .... 76
3.13.13 Information Security Workforce (PM-13) .... 77
3.13.14 Testing, Training, and Monitoring (PM-14) .... 78
3.13.15 Contacts with Security Groups and Associations (PM-15) .... 79
3.13.16 Threat Awareness Program (PM-16) .... 80
3.14 Personnel Security (PS) .... 82
3.14.1 Personnel Security Policy and Procedures (PS-1) .... 82
3.14.2 Position Risk Designation (PS-2) .... 83
3.14.3 Personnel Screening (PS-3) .... 84
3.14.4 Personnel Termination (PS-4) .... 86
3.14.5 Personnel Transfer (PS-5) .... 87
3.14.6 Access Agreements (PS-6) .... 88
3.14.7 Third-Party Personnel Security (PS-7) .... 89
3.14.8 Personnel Sanctions (PS-8) .... 90
3.15 Risk Assessment (RA) .... 91
3.15.1 Risk Assessment Policy and Procedures (RA-1) .... 91
3.15.2 Vulnerability Scanning (RA-5) .... 92
3.16 System and Services Acquisition (SA) .... 96
3.16.1 System and Services Acquisition Policy and Procedures (SA-1) .... 96
3.16.2 Acquisition Process (SA-4) .... 98
3.17 System and Communications Protection (SC) .... 99
3.17.1 System & Communications Protection Policy and Procedures (SC-1) .... 99
3.17.2 Denial of Service Protection (SC-5) .... 100
3.17.3 Boundary Protection (SC-7) .... 101
3.17.4 Secure Name / Address Resolution Service (Authoritative Source) (SC-20) .... 106
3.17.5 Secure Name / Address Resolution Service (Recursive or Caching Resolver) (SC-21) .... 107
3.17.6 Architecture and Provisioning for Name-Address Resolution Service (SC-22) .... 108
3.18 System and Information Integrity (SI) .... 109
3.18.1 System & Information Integrity Policy & Procedures (SI-1) .... 109
3.18.2 Malicious Code Protection (SI-3) .... 110
3.18.3 Information System Monitoring (SI-4) .... 113
3.18.4 Security Alerts, Advisories, and Directives (SI-5) .... 118
3.18.5 Software, Firmware, and Information Integrity (SI-7) .... 119
3.18.6 Spam Protection (SI-8) .... 121
4 Privacy Controls .... 124
4.1 Authority and Purpose (AP) .... 124
4.1.1 Authority to Collect (AP-1) .... 124
4.1.2 Purpose Specification (AP-2) .... 125
4.2 Accountability, Audit, and Risk Management (AR) .... 126
4.2.1 Governance and Privacy Program (AR-1) .... 126
4.2.2 Privacy Impact and Risk Assessment (AR-2) .... 127
4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3) .... 128
4.2.4 Privacy Monitoring and Auditing (AR-4) .... 129
4.2.5 Privacy Awareness and Training (AR-5) .... 130
4.2.6 Privacy Reporting (AR-6) .... 131
4.2.7 Privacy Enhanced System Design and Development (AR-7) .... 132
4.2.8 Accounting of Disclosures (AR-8) .... 133
4.3 Data Quality and Integrity (DI) .... 134
4.3.1 Data Quality (DI-1) .... 134
4.3.2 Data Integrity and Data Integrity Board (DI-2) .... 137
4.4 Data Minimization and Retention (DM) .... 139
4.4.1 Minimization of Personally Identifiable Information (DM-1) .... 139
4.4.2 Data Retention and Disposal (DM-2) .... 141
4.4.3 Minimization of PII Used in Testing, Training, and Research (DM-3) .... 143
4.5 Individual Participation and Redress (IP) .... 145
4.5.1 Consent (IP-1) .... 145
4.5.2 Individual Access (IP-2) .... 147
4.5.3 Redress (IP-3) .... 148
4.5.4 Complaint Management (IP-4) .... 149
4.6 Security (SE) .... 150
4.6.1 Inventory of Personally Identifiable Information (SE-1) .... 150
4.6.2 Privacy Incident Response (SE-2) .... 151
4.7 Transparency (TR) .... 152
4.7.1 Privacy Notice (TR-1) .... 152
4.7.2 System of Records Notices and Privacy Act Statements (TR-2) .... 154
4.7.3 Dissemination of Privacy Program Information (TR-3) .... 156
4.8 Use Limitation (UL) .... 157
4.8.1 Internal Use (UL-1) .... 157
4.8.2 Information Sharing with Third Parties (UL-2) .... 158
Appendix A: Acronyms .... 160
Appendix B: GSA Common Control Workbook .... 162
Appendix C: Program Level POA&M .... 163

Table of Figures and Tables

Table 1-1: Functions and Categories/Unique Identifiers .... 1
Table 3-1: Definitions of Key Terms .... 6


1 Introduction

Information security is vital to our infrastructure and systems, and their effective performance and protection is a key component of our overall security program. Proper management of information technology systems is essential to ensure the confidentiality, integrity and availability of the data transmitted, processed or stored by GSA information systems.

Executive Order (EO) 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” requires all agencies to use “The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by NIST or any successor document to manage the agency’s cybersecurity risk.” This NIST document is commonly referred to as the Cybersecurity Framework (CSF).

The five core CSF Functions are:

Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The CSF functions, category unique identifiers, and category descriptions are listed in Table 1-1. Each NIST SP 800-53 control family section in the remainder of this guide will list the CSF Category and subcategory identifiers addressed by that section’s control family.

Table 1-1: Functions and Categories/Unique Identifiers

CSF Function

Category Unique Identifier - Category

Category Description

IDENTIFY (ID)

ID.AM - Asset Management

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.BE – Business Environment

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.GV - Governance The policies, procedures, and processes to manage and monitor the organization’s

regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk

ID.RA - Risk Assessment

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Page 9: IT Security Procedural Guide: Information Security Program ......Mar 14, 2018  · is based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

CIO-IT Security-18-90, Revision 2 Information Security Program Plan

U.S. General Services Administration 2

CSF Function

Category Unique Identifier - Category

Category Description

ID.RM - Risk Management Strategy

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.SC – Supply Chain Risk Management

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

DETECT (DE)

DE.AE - Anomalies and Events

Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.CM - Security Continuous Monitoring

The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.DP - Detection Processes

Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

PROTECT (PR)

PR.AC - Identity Management, Authentication and Access Control

Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AT - Awareness and Training

The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements

PR.DS - Data Security Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.IP - Information Protection Processes and Procedures

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.MA - Maintenance

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.PT - Protective Technology

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

RESPOND (RS)

RS.RP – Response Planning

Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity incidents.

RS.CO - Communications

Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.AN - Analysis

Analysis is conducted to ensure adequate response and support recovery activities.

RS.MI - Mitigation

Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

RS.IM - Improvements

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RECOVER (RC)

RC.RP – Recovery Planning

Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.

RC.IM - Improvements

Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.CO - Communications

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

The CSF complements, and does not replace, GSA’s risk management process and cybersecurity program. GSA uses NIST’s RMF as its foundation for managing information system risk. More detailed information on how the CSF relates to GSA’s use of the NIST RMF is contained in GSA IT Security Procedural Guide 06-30, “Managing Enterprise Risk.”

1.1 Purpose

The purpose of this Information Security Program Plan is to provide an overview of the common and hybrid security requirements for the information systems operating at the GSA. This document describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed or stored by GSA systems.

1.2 Scope

This plan includes the NIST SP 800-53 security controls GSA has designated as enterprise-wide, common, hybrid, and all of the privacy controls. The implementation guidance provided in this plan is applicable to GSA Federal Employees, contractors and vendors of GSA who oversee/protect GSA information systems and data.

2 References

Federal Laws, Regulations, Publications:

5 USC 552a, “Privacy Act of 1974”

44 USC 31, “Records Management by Federal Agencies”

CNSSI 4009, “Committee on National Security Systems (CNSS) Glossary”

EO 13556, “Controlled Unclassified Information”

EO 13800, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”

HSPD-12, “Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors”

OMB Circular A-123, “Management’s Responsibility for Enterprise Risk Management and Internal Control”

OMB Circular A-130, “Managing Information as a Strategic Resource”

OMB M-06-16, “Protection of Sensitive Agency Information”

OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments”

OMB M-07-12, “Preparing for and Responding to a Breach of Personally Identifiable Information”

Public Law 113–283, “Federal Information Security Modernization Act of 2014”

FIPS Publications:

FIPS PUB 140-2, “Security Requirements for Cryptographic Modules”

FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems”


FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems”

FIPS PUB 201-2, “Personal Identity Verification (PIV) of Federal Employees and Contractors”

NIST Publications:

NIST Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity”

NIST SP 800-18, Revision 1, “Guide for Developing Security Plans for Federal Information Systems”

NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems”

NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”

NIST SP 800-53A, Revision 4, “Assessing Security and Privacy Controls for Federal Information Systems and Organizations”

NIST SP 800-60, Volume 1, Revision 1, “Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories”

NIST SP 800-60, Volume 2, Revision 1, “Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories”

NIST SP 800-61, Revision 2, “Computer Security Incident Handling Guide”

NIST SP 800-64, Revision 2, “Security Considerations in the System Development Life Cycle”

NIST SP 800-115, “Technical Guide to Information Security Testing and Assessment”

NIST SP 800-128, “Guide for Security-Focused Configuration Management of Information Systems”

NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”

GSA Directives, Policies, and Procedures:

GSA Order OAS P 1820.1, “GSA Records Management Program”

GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy”

GSA Order CIO 2100.3, “Mandatory Information Technology (IT) Security Training Requirement for Agency and Contractor Employees with Significant Security Responsibilities”

GSA Order CIO 2104.1, “GSA Information Technology (IT) General Rules of Behavior”

GSA Order CIO 2110.4, “GSA Enterprise Architecture Policy”

GSA Order CIO P 2181.1, “Homeland Security Presidential Directive-12 Personal Identity Verification and Credentialing”

GSA Order ADM 2400.1, “Insider Threat Program”

GSA Order ADM P 9732.1, “Suitability and Personnel Security”

GSA Order CPO 9751.1, “Maintaining Discipline”


The following IT Security Procedural Guides are available on the GSA IT Security Procedural Guide InSite page. To obtain the current version of a guide, go to the link provided, find the guide needed, and download it.

CIO-IT Security-01-01, “Identification and Authentication”

CIO-IT Security-01-02, “Incident Response”

CIO-IT Security-01-05, “Configuration Management”

CIO-IT Security-01-07, “Access Control”

CIO-IT Security-01-08, “Auditing & Accountability”

CIO-IT Security-03-23, “Termination and Transfer”

CIO-IT Security-04-26, “FISMA Implementation”

CIO-IT Security-05-29, “IT Security Awareness and Role Based Training”

CIO-IT Security-06-29, “Contingency Planning”

CIO-IT Security-06-30, “Managing Enterprise Risk”

CIO-IT Security-06-31, “Firewall Change Request”

CIO-IT Security-06-32, “Media Protection”

CIO-IT Security-08-41, “Web Server Log Review”

CIO-IT Security-09-43, “Key Management”

CIO-IT Security-09-44, “Plan of Action and Milestones”

CIO-IT Security-09-48, “Security and Privacy Requirements for IT Acquisition Efforts”

CIO-IT Security-10-50, “Maintenance”

CIO-IT Security-11-51, “Conducting Penetration Test Exercises”

CIO-IT Security-11-62, “GSA’s Security Implementation of the Salesforce Platform”

CIO-IT Security-12-63, “System and Information Integrity”

CIO-IT Security-12-64, “Physical and Environmental Protection”

CIO-IT Security-12-66, “Information Security Continuous Monitoring Strategy”

CIO-IT Security-12-67, “Securing Mobile Devices and Applications”

CIO-IT Security-14-68, “Lightweight Security Authorization Process”

CIO-IT Security-14-69, “SSL/TLS Implementation”

CIO-IT Security-16-72, “Software Security Testing”

CIO-IT Security-16-75, “Security Reviews for Low Impact Software as a Service (SaaS) Solutions”

CIO-IT Security-16-76, “Building Monitoring & Control (BMC) Device Security Assessment Process”

CIO-IT Security-17-80, “Vulnerability Management Process”

3 Security Controls

The security controls within this document are from NIST SP 800-53, Revision 4. All of the security controls and their enhancements designated by GSA as enterprise-wide common or hybrid are included in this plan. Table 3-1 provides definitions with examples of key terms used within this plan.


Table 3-1: Definitions of Key Terms

Key Term: Common Control
Definition: Security controls that can be inherited from GSA OCISO and/or any other GSA Service/Staff Office by one or more GSA or Vendor/Contractor Operated information systems.
Example: For GSA/Internally Operated Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a common control provided by GSA OCISO.

Key Term: Hybrid*
Definition: Security controls where one part can be inherited from GSA OCISO and/or any other GSA Service/Staff Office and another part requires system-specific implementation.
Example: For Vendor/Contractor Operated Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a hybrid control, with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific.

Key Term: System Specific Control
Definition: Security controls that require system-specific implementation and are the primary responsibility of information system owners and their respective authorizing officials.
Example: For Vendor/Contractor Operated Systems, the Denial of Service Protection (SC-5) security control is a system-specific control, since implementation is primarily the responsibility of Vendor/Contractor Operated System owners.

Key Term: Federal System (i.e., Agency System)
Definition: An information system processing or containing GSA or Federal data where the infrastructure and/or applications are NOT wholly operated, administered, managed, and maintained by a Contractor.
Example: Enterprise Server Services (ESS) is a major information system that is owned by GSA and operated internally by GSA employees and contractors.

Key Term: Vendor/Contractor Operated System
Definition: An information system processing or containing GSA or Federal data where the infrastructure and applications are wholly operated, administered, managed, and maintained by a Contractor in non-GSA facilities.
Example: An application that processes GSA data but is not owned by GSA. The system is located at a Vendor/Contractor’s facility and is operated and managed by the Vendor/Contractor.

*Note: Controls noted as Implemented and Hybrid within this plan indicate that only the Common part of the Hybrid control is implemented. System Owners are still responsible for ensuring the implementation of the system-specific part of the control. Hybrid controls are only considered fully implemented when both the Common and System Specific parts are implemented.

The NIST SP 800-53 controls within each control family, together with their associated CSF Subcategory Unique Identifiers, are listed in a table at the beginning of each control family section.


3.1 Access Control (AC)

NIST Control    CSF Category Unique Identifier – Subcategories
AC-1            ID.GV-1, ID.GV-3, PR.AC-1, PR.AC-3, PR.AC-4

3.1.1 Access Control Policy and Procedures (AC-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners]:

1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the access control policy and associated access controls; and

b. Reviews and updates the current:

1. Access control policy [biennially]; and

2. Access control procedures [biennially].

AC-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AC-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Access Control policy and procedures is a common control provided by the GSA OCISO Policy and Compliance Division (ISP). Access Control Policy is included in CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 5, Policy on Technical Controls. The policy states: “All GSA systems must implement logical access controls to authorize or restrict the activities of users and system personnel to authorized transactions and functions.” GSA OCISO ISP has also defined agency-wide access control procedures in GSA IT Security Procedural Guide: CIO-IT Security-01-07, “Access Control.” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-01-07 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own access control policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.2 Awareness and Training (AT)

NIST Control    CSF Category Unique Identifier – Subcategories
AT-1            ID.GV-1, ID.GV-3
AT-2            PR.AT-1
AT-3            PR.AT-2, PR.AT-4, PR.AT-5

3.2.1 Security Awareness and Training Policy and Procedures (AT-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners]:

1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

b. Reviews and updates the current:

1. Security awareness and training policy [biennially]; and

2. Security awareness and training procedures [biennially].

AT-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO


System Specific Control

Hybrid Control

AT-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Security Awareness and Training Policy and Procedures is a common control provided by GSA OCISO/ISP. Security Awareness and Training Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: “A security awareness, training and education program must be established by the OCIO to ensure all GSA, other agency, and contractor support staff involved in the management, design, development, operation, and use of IT systems are aware of their responsibilities for safeguarding GSA systems and information.” GSA OCISO ISP has also defined agency-wide security awareness and training procedures in GSA IT Security Procedural Guide: CIO-IT Security-05-29, “IT Security Awareness and Role Based Training.” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page. Security training for personnel with significant security responsibilities is provided in GSA Order CIO 2100.3, “Mandatory Information Technology (IT) Security Training Requirement for Agency and Contractor Employees with Significant Security Responsibilities.”

CIO 2100.1 and CIO-IT Security-05-29 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own security awareness and training policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO) and concurrence from the CISO.

3.2.2 Security Awareness Training (AT-2)

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

a. As part of initial training for new users;

b. When required by information system changes; and

c. [Annually] thereafter.

AT-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AT-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Security Awareness Training is a common control provided by the GSA Information Security Policy and Compliance Division (ISP) of the Office of the Chief Information Security Officer (OCISO). All GSA Federal employees and contractors with a GSA account will be provided training by the GSA OCISO for all GSA/internally operated systems. The ISP division is responsible for the management and coordination of security related training for GSA. For new users entering GSA, employee or contractor, ISP ensures new users take the required training within 30 days of receiving network access using GSA OLU and the Comprehensive Human Resources Integrated System (CHRIS). ISP utilizes OLU to provide training to all GSA users.

If significant changes occur requiring additional training, ISP will coordinate the development and tracking of training.

ISP develops and updates training materials for security awareness training on an annual basis. Users are required to complete annual training after the update is complete.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors with GSA email accounts are required to complete training via OLU. Individuals without a GSA email account receive training using hardcopy materials. GSA’s mandatory training may be supplemented by the vendors/contractors. Completion of the required training is administered and tracked by the program office utilizing the vendors/contractors.

3.2.2.1 Security Awareness Training | Insider Threat (AT-2(2))

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

AT-2(2) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OMA

System Specific Control

Hybrid Control


Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AT-2(2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA Order ADM 2400.1A, “Insider Threat Program,” describes GSA’s roles, responsibilities, and policy regarding its insider threat program (ITP). ITP personnel, under the Associate Administrator for Mission Assurance, are responsible for ensuring insider threat information and training is provided at a minimum annually.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.2.3 Role-Based Security Training (AT-3)

The organization provides role-based security-related training to personnel with assigned security roles and responsibilities:

a. Before authorizing access to the information system or performing assigned duties;

b. When required by information system changes; and

c. [Annually] thereafter.

AT-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


AT-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Role-Based Security Training is a common control provided by OCISO/ISP for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. ISP is responsible for the management and coordination of role-based security training for GSA. ISP develops and updates training materials (e.g., CBTs, slides) for role-based security training. In the event ISP employs vendors to provide role-based training, ISP will coordinate with the vendor on the type of training that is required. Users with security roles and responsibilities are trained prior to performing their duties.

Periodically, as the need arises (e.g., a system change requires new training), ISP will develop/update training materials (e.g., CBTs, slides) for role-based security training.

Users with security roles and responsibilities are required to complete role-based training at least annually.

GSA/Internally Operated System System-Specific Expectation:

System Owners are required to provide system specific role based training to users of the information system, as appropriate.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may supplement GSA mandatory role based training with additional role based training for their employees or personnel with security roles and responsibilities. The program office utilizing a vendor/contractor is required to track the administration and completion of role-based training by the vendor/contractor.

3.2.4 Security Training Records (AT-4)

The organization:

a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

b. Retains individual training records for [three years].

AT-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


AT-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Security Training Records is a common control provided by OCISO/ISP for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. ISP is responsible for the management and retention of security awareness and role-based security training records. If the security training is provided using GSA OLU, then OLU provides reports to ISP on the completion status of training for individuals requiring the security training. If OLU is not used, a tracking spreadsheet is used to track completion status. If ISP employs a vendor for training, ISP coordinates with the vendor to determine a method of tracking the completion status of individuals assigned to take specific training.

ISP retains training records of individuals, either via OLU or in an electronic record, for at least three years.

GSA/Internally Operated System System-Specific Expectation:

System Owners are required to maintain training records for any system specific role based training provided to users of the information system.

Vendor/Contractor Operated System Control Expectation:

In addition to GSA-provided training, vendors/contractors are required to track and retain the completion of security training that is provided to their employees.

3.3 Audit and Accountability (AU)

NIST Control    CSF Category Unique Identifier – Subcategories
AU-1            ID.GV-1, ID.GV-3, PR.PT-1
AU-2            PR.PT-1
AU-3            PR.PT-1
AU-4            PR.DS-4, PR.PT-1
AU-5            PR.PT-1
AU-6            PR.PT-1, DE.AE-2, DE.AE-3, DE.DP-4, RS.CO-2, RS.AN-1
AU-7            PR.PT-1, RS.AN-3
AU-8            PR.PT-1
AU-9            PR.PT-1
AU-11           PR.PT-1

3.3.1 Audit and Accountability Policy and Procedures (AU-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

b. Reviews and updates the current:

1. Audit and accountability policy [biennially]; and

2. Audit and accountability procedures [biennially].


AU-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA Order CIO 2100.1 “GSA Information Technology (IT) Security Policy,” describes the scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance requirements for GSA’s security program, including AU controls. Chapter 5, paragraph 2 c., Audit records, of CIO 2100.1 identifies specific audit requirements for all GSA systems. Audit and accountability procedures are documented in GSA IT Security Procedural Guide: CIO-IT Security-01-08, “Audit and Accountability.” The procedures facilitate the implementation of the audit policy and associated controls. GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-01-08 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own audit and accountability policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.3.2 Audit Events (AU-2)

The organization:

a. Determines that the information system is capable of auditing the following events: [successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events; Web applications should log all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes; for technologies with limited auditing features, the capabilities will be recommended by the GSA S/SO or Contractor, based on an industry source such as vendor guidance or Center for Internet Security benchmark, and approved by the GSA AO];

b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

d. Determines that the following events are to be audited within the information system: [audit configuration requirements as documented in applicable GSA IT Security Technical Guides and Standards (i.e., hardening and technology implementation guides); for web applications see GSA IT Security Procedural Guide: CIO-IT Security-07-35, “Web Application Security,” Section 2.8.10, What to Log; for technologies where a Technical Guide and Standard does not exist, events from an industry source such as vendor guidance or Center for Internet Security benchmark, recommended by the GSA S/SO or Contractor and approved by the GSA AO].

AU-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA OCISO Security Operations (ISO) division provides an Enterprise Logging Platform which may be used by the System Owner to forward all auditable Operating System events. These events will be retained by ISO Security Operations for a period of time which meets or exceeds GSA records retention policies. These events may be requested for review of system performance, analysis, or incident response, but are not reviewed on a regular basis.

All auditable events for web applications, database systems, non-system utilities, and Operating Systems not enrolled in the Enterprise Logging Platform will be retained by the System Owner for a period of time which meets or exceeds GSA records retention policies.

The ISO division uses host-based intrusion detection systems (HIDS) to correlate Operating System auditable events; these may trigger alerts on security events, which are further analyzed and correlated with other security systems in the Enterprise Logging Platform. FISMA System Owners may request HIDS implementation on an individual Operating System and, if supported, HIDS security events will be forwarded to the Enterprise Logging Platform. These security events are maintained, managed, and correlated by ISO Security Operations and reviewed in the Enterprise Logging Platform by the ISO Security Operations Center (SOC).

Additional guidance for logging of auditable events and correlation of security alerts can be found in the GSA Logging and Audit Compliance Guidance document for meeting NIST SP 800-53 AU controls.

GSA-defined audit policy settings can be found in the GSA system hardening guides on the IT Security Technical Guides and Standards InSite page. Where a Technical Guide and Standard does not exist, events from an industry source such as vendor guidance or a Center for Internet Security benchmark, recommended by the GSA S/SO or Contractor and approved and accepted by the GSA AO, will be used.

GSA/Internally Operated System System-Specific Expectation:

ISSOs retain the responsibility of verifying that logging is correctly configured and processed. Auditable events that are not forwarded to the Enterprise Logging Platform will need to be managed by the ISSO on the system where they are stored (e.g., locally on the server or a separate log system).

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.2.1 Audit Events | Reviews and Updates (AU-2 (3))

The organization reviews and updates the audited events [annually or whenever there is a change in the system’s threat environment as communicated by the GSA S/SO AO or the GSA OCISO].

AU-2 (3) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-2 (3) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA reviews and updates the audited events annually or whenever there is a change in the system’s threat environment as communicated by the GSA S/SO AO or the GSA CISO.

GSA/Internally Operated System System-Specific Expectation:

When auditable events are managed locally on the server or a separate log server, audited system events must be reviewed and updated by the ISSO/System Owner annually or whenever there is a change in the system’s threat environment.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.3 Content of Audit Records (AU-3)

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

AU-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Audit records that are forwarded to the Enterprise Logging Platform must be formatted such that they can be properly processed by the Enterprise Logging Platform, e.g., in a standard syslog format or the Common Event Format. The Enterprise Logging Platform may have different requirements depending on the data source vendor, version, etc., to ensure it meets the base requirements. Generally, if an audit record can be parsed by the Enterprise Logging Platform, it will meet the base requirements.

GSA/Internally Operated System System-Specific Expectation:

The FISMA System Owner is responsible for ensuring that audit records meet the base requirement and that the formatting can be processed by the Enterprise Logging Platform. This could involve working with the vendor or the OCISO ISO division to fund or create log parsers, or alternatively working with the vendor of the audit record source to ensure the records are formatted in a parsable common event format.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.3.1 Content of Audit Records | Additional Audit Information (AU-3 (1))

The information system generates audit records containing the following additional information: [

i. Session, connection, transaction, or activity duration.

ii. For client-server transactions, the number of bytes received and bytes sent. This gives bidirectional transfer information that can be helpful during an investigation or inquiry.

iii. For client-server transactions, unique metadata or properties about the client initiating the transaction. This could include properties such as an IP address, user name, session identifier or browser characteristics (e.g. a ‘User-Agent’ string).

iv. Details regarding the event ‘type’: the type of method (for HTTP: GET/POST/HEAD, etc.) or action (Database INSERT, UPDATE, DELETE).

v. Characteristics that describe or identify the object or resource being acted upon.

vi. Additional informational messages to diagnose or identify the event].

AU-3 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-3 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

For parameters i and ii, only traffic that traverses the GSA perimeter firewall or Intrusion Prevention System (IPS) devices is captured by the Enterprise Logging Platform. For AU-3(1) parameters iii, iv, v, and vi, only HTTP traffic and HTTPS traffic (when the HTTPS private key is available for session decryption) that traverses the perimeter firewalls or IPSs is captured by the Enterprise Logging Platform.

GSA/Internally Operated System System-Specific Expectation:

For enhancement AU-3(1), the FISMA System Owner is responsible for ensuring that the system is configured and meets the requirements. Typically, this means that a web server has W3C extended logging enabled and includes the required fields, including any significant GET/PUT parameters used in the application. For Enhancement AU-3(1), PII data and sensitive data such as credit card data shall NOT be stored in the logs, unless they are obfuscated.

Note: The System Owner may choose to manage and configure the content to be captured locally unless enhancement AU-3(2) is required. The System Owner may also elect to coordinate with the GSA OCISO ISO division to manage and configure content to be captured, regardless of FIPS 199 security categorization.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.4 Audit Storage Capacity (AU-4)

The organization allocates audit record storage capacity in accordance with [GSA policies and guidance: audit log sizes are documented in applicable GSA IT Security Technical Guides and Standards (i.e., hardening and technology implementation guides) available on the IT Security Technical Guides and Standards webpage (https://insite.gsa.gov/portal/content/627210)].

AU-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Desktops and servers that are members of the GSA Active Directory are managed through group policy objects and are automatically configured to follow the GSA auditing policy and hardening guides for OS audit records once they are joined to the enterprise domain. The current setting for Windows servers and desktops is 65538 kilobytes (KB) for the System Log and Application Log and 196608 KB for the Security Log.

For system logs that are forwarded to the Enterprise Logging Platform, the Enterprise Logging Platform storage will be configured with enough storage to store the logs for the duration of time specified in control AU-11, Audit Record Retention, in raw or aggregated form.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for ensuring that systems are configured consistent with the IT Security policy, including application and database logs.

Detailed technical guidance for configuring log storage size for each of the common Operating Systems used within GSA, as well as for web and database applications, may be obtained from the internal GSA audit policies and the IT Security Technical Guides and Standards InSite page.

System Owners should configure auditing, whenever possible, so that records cannot exceed storage capacity and potentially negatively impact the OS or application.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.5 Response to Audit Processing Failures (AU-5)

The information system:

a. Alerts [the GSA ISO Division via the Enterprise Logging Platform for systems integrated with the Enterprise Logging Platform; Administrators (Application, System, Network, etc.) for systems not integrated with the Enterprise Logging Platform] in the event of an audit processing failure; and

b. Takes the following additional actions: [shut down information system, overwrite oldest audit records, or stop generating audit records].

AU-5 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Logging sources managed in the Enterprise Logging Platform may be configured to alert if auditing or event logging ceases for a system.

GSA/Internally Operated System System-Specific Expectation:

The System Owner must define the action to be taken upon log failure and must coordinate any Enterprise Logging Platform alerting with the GSA OCISO ISO division. The System Owner should troubleshoot the cause of the logging failure and work with the GSA OCISO ISO division to restore logging to the Enterprise Logging Platform.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.6 Audit Review, Analysis, and Reporting (AU-6)

The organization:

a. Reviews and analyzes information system audit records [daily when security-related events are forwarded to the Enterprise Logging Platform for automated analysis and correlation; otherwise on a periodic basis (specific period recommended by the GSA S/SO or Contractor and approved by the GSA AO)] for indications of [GSA S/SO or Contractor recommended inappropriate or unusual activity as approved by the GSA AO]; and

b. Reports findings to [Information System Security Manager, Information System Security Officer, System Owner, Custodians, as designated and approved by the GSA AO, via a dashboard when security-related events are forwarded to the Enterprise Logging Platform; otherwise via manual reporting mechanisms].

AU-6 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-6 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Aggregated and correlated logs and security-related events within the Enterprise Logging Platform are reviewed by the GSA OCISO ISO division for indications of compromise on business days. The GSA OCISO ISO division will manually report indications of compromise if they are not presented on the Enterprise Logging Platform dashboard.

GSA/Internally Operated System System-Specific Expectation:

The System Owner retains the responsibility for reviewing the information system logs on their systems for unusual activity on a periodic basis, defined system by system, and should keep a log showing that each such review has taken place.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.6.1 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1))

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-6 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-6 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

For enhancement AU-6 (1), as necessary, the GSA OCISO ISO division’s analysis will support investigations and response to suspicious activities conducted by the GSA Incident Response Team, IAW GSA IT Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).”

GSA/Internally Operated System System-Specific Expectation:

For enhancement AU-6 (1), System Owners should ensure that their system is covered by the Enterprise Logging Platform. In consultation with the GSA OCISO ISO division, this may include ensuring that the appropriate encryption ciphers are implemented and that the private Secure Sockets Layer (SSL) key and certificate are provided to the GSA OCISO ISO division. These steps allow the GSA perimeter firewalls to perform SSL inspection of website traffic and ensure that the appropriate audit records relevant to the system are forwarded to the Enterprise Logging Platform.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.6.2 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3))

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

AU-6 (3) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

AU-6 (3) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Enterprise Logging Platform (ELP) correlates security-related records across different security components and logging sources across GSA to gain organization-wide situational awareness.

GSA/Internally Operated System System-Specific Expectation:

System Owners must ensure that logs are forwarded to the ELP.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.7 Audit Reduction and Report Generation (AU-7)

The information system provides an audit reduction and report generation capability that:

a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

b. Does not alter the original content or time ordering of audit records.

AU-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Enterprise Logging Platform (ELP) supports retrievable records for audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and is configured to aggregate logs and can be configured to generate reports as required.

Given the high volume of audit records collected, records of a similar nature may be aggregated such that only a subset of the data is retained, such as time of first and last event, number of events, along with the associated and relevant data points, if the majority of the data is identical.

GSA/Internally Operated System System-Specific Expectation:

Logs that are not maintained in the ELP must be maintained by appropriate tools that facilitate audit reduction and report generation that can be provided to the GSA Incident Response Team in a timely fashion and in accordance with the GSA incident response policy.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.7.1 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1))

The information system provides the capability to process audit records for events of interest based on: [

Source IP

Destination IP

Account Names

Date and Time of Events

Event Type].

AU-7 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-7 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Enterprise Logging Platform (ELP) can process logs that have been forwarded to it based on parameters that include source IP, destination IP, account names, time and date of events and event type.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for having logs forwarded to the ELP, or for implementing tools that can process, search, correlate logs based on the specified parameters if the logs are not forwarded to the ELP.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.
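As an added illustration of the audit reduction described under AU-7 and the event-of-interest processing under AU-7(1) (example code, not the Enterprise Logging Platform's own logic), the following Python selects records by source IP, destination IP, account name, date and time, and event type without altering their content or time ordering, and collapses records that differ only in time stamp into first seen, last seen and a count; the JSON field names and the sample lines are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed audit records, one JSON object per line, as a forwarder might send
# to the ELP. The field names (ts, src_ip, dst_ip, user, event) are assumptions.
SAMPLE_LOG = """\
{"ts":"2018-03-14T13:30:01Z","src_ip":"203.0.113.5","dst_ip":"10.0.0.7","user":"admin","event":"logon_failure"}
{"ts":"2018-03-14T13:30:02Z","src_ip":"203.0.113.5","dst_ip":"10.0.0.7","user":"admin","event":"logon_failure"}
{"ts":"2018-03-14T13:30:03Z","src_ip":"198.51.100.9","dst_ip":"10.0.0.7","user":"jdoe","event":"logon_success"}
{"ts":"2018-03-14T13:30:04Z","src_ip":"203.0.113.5","dst_ip":"10.0.0.7","user":"admin","event":"logon_failure"}
{"ts":"2018-03-14T13:30:09Z","src_ip":"203.0.113.5","dst_ip":"10.0.0.7","user":"admin","event":"logon_success"}
{"ts":"2018-03-14T14:05:00Z","src_ip":"10.0.0.7","dst_ip":"10.0.0.20","user":"svc_backup","event":"object_access"}
"""

Record = Dict[str, Any]


def parse_ts(value: str) -> datetime:
    """Audit time stamps are kept in UTC (AU-8); the trailing Z denotes UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text: str) -> List[Record]:
    """Parse JSON lines in file order; records keep the order they arrived in."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def select_events(records: List[Record], *, src_ip=None, dst_ip=None, user=None,
                  event=None, start=None, end=None) -> List[Record]:
    """AU-7(1): pick events of interest by source IP, destination IP, account
    name, date/time window and event type. The originals are neither modified
    nor re-ordered (AU-7 b); a new list of the matching records is returned."""
    selected: List[Record] = []
    for rec in records:
        if src_ip is not None and rec["src_ip"] != src_ip:
            continue
        if dst_ip is not None and rec["dst_ip"] != dst_ip:
            continue
        if user is not None and rec["user"] != user:
            continue
        if event is not None and rec["event"] != event:
            continue
        if start is not None and rec["ts"] < start:
            continue
        if end is not None and rec["ts"] > end:
            continue
        selected.append(rec)
    return selected


def reduce_events(records: List[Record]) -> List[Record]:
    """AU-7 reduction as this section describes it: records that are identical
    apart from their time stamp collapse into one summary row carrying the time
    of the first and last event and the event count. Summaries are emitted in
    the order their first event was seen."""
    groups: Dict[tuple, Record] = {}
    for rec in records:
        key = (rec["src_ip"], rec["dst_ip"], rec["user"], rec["event"])
        summary = groups.get(key)
        if summary is None:
            groups[key] = {"src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"],
                           "user": rec["user"], "event": rec["event"],
                           "first_seen": rec["ts"], "last_seen": rec["ts"], "count": 1}
        else:
            summary["first_seen"] = min(summary["first_seen"], rec["ts"])
            summary["last_seen"] = max(summary["last_seen"], rec["ts"])
            summary["count"] += 1
    return list(groups.values())


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for row in reduce_events(select_events(recs, src_ip="203.0.113.5")):
        print(row)
```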

3.3.8 Time Stamps (AU-8)

The information system:

a. Uses internal system clocks to generate time stamps for audit records; and

b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [GSA S/SO or Contractor recommended granularity of time measurement to be approved by the GSA AO].

AU-8 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-8 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Enterprise Logging Platform (ELP) maintains log events in UTC; it can receive logs in any time zone and can display the log events in the user’s local time zone.

The ELP is in sync with the GSA time servers at ntp.gsa.gov, which use General Packet Radio Services (GPRS) for time synchronization.

GSA/Internally Operated System System-Specific Expectation:

Audit event sources must be configured to synchronize with an authoritative time source that is in sync with the GSA, NIST, or the Cloud Service Provider’s time servers, e.g., Amazon Web Services.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.8.1 Time Stamps | Synchronization with Authoritative Time Source (AU-8(1))

The information system:

(a) Compares the internal information system clocks [at least hourly (the Microsoft default is every 45 minutes)] with [the internal network's authoritative time source]; and

(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [GSA S/SO or Contractor recommended time period as approved by the GSA AO].

AU-8 (1) Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-8 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Enterprise Logging Platform is in sync with the GSA time servers at ntp.gsa.gov, which use General Packet Radio Services (GPRS) for time synchronization.

GSA/Internally Operated System System-Specific Expectation:

Audit event sources must be configured to synchronize with an authoritative time source that is in sync with the GSA, NIST, or the Cloud Service Provider’s time servers, e.g., Amazon Web Services.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.9 Protection of Audit Information (AU-9)

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-9 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Access to events in the Enterprise Logging Platform (ELP) is restricted to users authorized by the OCISO ISO Division and/or the system ISSO or ISSM. The System Owner must restrict access to local audit records to authorized personnel as designated by the ISSO/ISSM.

GSA/Internally Operated System System-Specific Expectation:

The System Owner protects audit logs that are not forwarded to the ELP by restricting access to only authorized personnel as designated by the ISSO/ISSM.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.9.1 Protection of Audit Information | Cryptographic Protection (AU-9 (3))

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

AU-9 (3) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-9 (3) Control Implementation

GSA/Internally Operated System Common Control Implementation:

Audit records that are not sent to the Enterprise Logging Platform (ELP) should be encrypted at rest using encrypted disk volumes. A means of ensuring the integrity of the audit records will be implemented by leveraging mechanisms such as cryptographic checksums.

GSA/Internally Operated System System-Specific Expectation:

Audit records not sent to the enterprise SIEM should be encrypted at rest using encrypted disk volumes. A means of ensuring the integrity of the audit records will be implemented by leveraging mechanisms such as cryptographic checksums.

Vendor/Contractor Operated System Control Expectation:

Vendors/Contractors are required to comply with the control statement.

3.3.9.2 Protection of Audit Information | Access by Subset of Privileged Users (AU-9 (4))

The organization authorizes access to management of audit functionality to only [privileged users specifically authorized to perform audit management functions (i.e., specified administrators of applications, systems, networks, etc.)].

Note: ISSOs, ISSMs, and System Owners may be provided read access to audit data; however, they will not have access to audit management functions.

AU-9 (4) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-9 (4) Control Implementation

GSA/Internally Operated System Common Control Implementation:

Access to events in the Enterprise Logging Platform (ELP) is restricted to users authorized by the OCISO ISO Division and/or the system ISSO or ISSM. The System Owner must restrict access to the management of audit records on the local system to authorized personnel as designated by the ISSO/ISSM.

GSA/Internally Operated System System-Specific Expectation:

The System Owner protects audit logs that are not forwarded to the ELP by restricting access to only authorized personnel as designated by the ISSO/ISSM.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.3.10 Audit Record Retention (AU-11)

The organization retains audit records online for [archived for a period of not less than 180 days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-11 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AU-11 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Audit records that have been forwarded to the Enterprise Logging Platform (ELP) for aggregation and correlation will be stored for at least 180 days. Audit records that have been forwarded to the Enterprise Logging Platform do not also have to be retained for this period at the log source, though it is recommended that they be kept where possible.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for ensuring that records are forwarded to the ELP as the first preference or, if this is not possible, stored elsewhere in order to meet the 180-day archive requirement.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.4 Security Assessment and Authorization (CA)

NIST Control – CSF Category Unique Identifier – Subcategories

CA-1 ID.GV-1, ID.GV-3

CA-7 ID.RA-1, PR.IP-7, PR.IP-8, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.CO-3, RS.AN-1, RS.MI-3

3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

b. Reviews and updates the current: 1. Security assessment and authorization policy [biennially]; and 2. Security assessment and authorization procedures [biennially].

CA-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

CA-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Security Assessment and Authorization Policies and Procedures is a common control provided by two of the four Office of the Chief Information Security Officer (OCISO) divisions: Information System Security Officer Support (IST), and Policy and Compliance (ISP). Security Assessment and Authorization Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 3, Policy on Management Controls. The policy states: "All GSA information systems must be assessed and authorized at least every three (3) years or whenever there is a significant change to the system’s security posture IAW NIST SP 800-37 R1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and GSA CIO-IT Security-06-30, Managing Enterprise Risk."

GSA OCISO has defined additional agency-wide security assessment and authorization procedures in:

GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk”

GSA IT Security Procedural Guide: CIO-IT Security-14-68, “Lightweight Security Authorization Process”

GSA IT Security Procedural Guide: CIO-IT Security-12-66, “Information Security Continuous Monitoring Strategy”

GSA IT Security Procedural Guide: CIO-IT Security-18-88, “Moderate Impact Software as a Service (SaaS) Security Authorization Process”

GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and GSA IT Security Procedural Guides are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.4.2 Continuous Monitoring (CA-7)

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

a. Establishment of [metrics as defined in CIO-IT Security-12-66] to be monitored;

b. Establishment of [monthly] for monitoring and [annually] for assessments supporting such monitoring;

c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

e. Correlation and analysis of security-related information generated by assessments and monitoring;

f. Response actions to address results of the analysis of security-related information; and

g. Reporting the security status of the organization and the information system to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians] [monthly].

CA-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

CA-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Continuous Monitoring is a common control provided by the OCISO. GSA’s Information Security Continuous Monitoring (ISCM) Program is described in GSA IT Security Procedural Guide: CIO-IT Security-12-66, “Information Security Continuous Monitoring Strategy.” The ISCM guide defines the approach for systems to enter the ISCM program and achieve ongoing authorization (OA) in place of the three (3) year security reauthorization process. It also identifies the automated capabilities, enterprise tools, and deliverable updates required for systems in the ISCM Program, and defines ISCM performance metrics, the frequency of their monitoring, and the frequency of OCISO verification assessments. Based on a correlation of performance metrics, continued use of GSA’s automated tools, and updating of manual deliverables, the CISO and AO will determine whether the system is effectively implementing its ISCM Plan. If the ISCM Plan is not being adequately followed, the System Owner/Program Manager and ISSM/ISSO will have 30 days to respond and address any shortfalls, or a full re-assessment will be required.

GSA/Internally Operated System System-Specific Expectation:

After meeting the prerequisites and entering the ISCM Program, systems must maintain their OA by adhering to their approved ISCM Plan and the process defined in the ISCM Guide. To continue their OA, systems must provide the manual deliverables, including updates to their ISCM Plan, and maintain the ISCM automated tools as described in the ISCM guide.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement.

3.5 Configuration Management (CM)

NIST Control – CSF Category Unique Identifier – Subcategories

CM-1 ID.GV-1, ID.GV-3

CM-6 PR.IP-1

3.5.1 Configuration Management Policy and Procedures (CM-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

b. Reviews and updates the current: 1. Configuration management policy [biennially]; and 2. Configuration management procedures [biennially].

CM-1 Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

CM-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Configuration Management (CM) policies and procedures is a common control provided by the OCISO Policy and Compliance Division (ISP). CM Policy is included in the current GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: "A system configuration management plan must be developed, implemented, and maintained for every IT system managed by GSA." GSA OCISO ISP has also defined agency-wide CM procedures in GSA IT Security Procedural Guide: CIO-IT Security-01-05, “Configuration Management.” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

GSA Service/Staff Office (S/SO) organizations are encouraged but not required to have separate CM policies and procedures to supplement the procedures in the GSA IT Security Policy and the CM guide. Supplemental procedures may be unique to the S/SO, system, or data type (Financial, Privacy, etc.), or may convey the organization’s implementation of common and/or hybrid controls as defined in NIST SP 800-37.

CIO 2100.1 and CIO-IT Security-01-05 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation: Vendors/contractors may defer to the GSA policy and guide or implement their own configuration management control policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.5.2 Configuration Settings (CM-6)

The organization:

a. Establishes and documents configuration settings for information technology products employed within the information system using [GSA technical guidelines, NIST guidelines, Center for Internet Security guidelines, or industry best practice guidelines, as deemed appropriate by the GSA AO (implemented checklists must be integrated with Security Content Automation Protocol (SCAP) content)] that reflect the most restrictive mode consistent with operational requirements;

b. Implements the configuration settings;

c. Identifies, documents, and approves any deviations from established configuration settings for [all components] based on [explicit operational requirements]; and

d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

CM-6 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Configure systems in agreement with GSA technical guidelines/benchmarks. GSA benchmarks may be exceeded but not lowered. If no technical guideline/benchmark is available for a particular technology, NIST guidelines, Center for Internet Security guidelines, or industry best practice guidelines may be used, as deemed appropriate by the AO. Configure the security settings to the most restrictive mode consistent with operational requirements in all components of the information system.

Security settings that are not completely implemented because of operational requirements should be documented in the SSP. Any deviation from GSA policies and standards must be submitted using the Security Deviation Request Google Form. The System Owner must monitor and control changes in accordance with the CM Plan and GSA policies and procedures. GSA’s ISO Division scans for configuration compliance on a regular basis and provides the data to the appropriate system POC for resolution.

GSA uses ISCM enterprise security and CDM tools including BigFix and Tenable to provide asset management for software products installed on applicable endpoints for centrally managing, applying and verifying configuration settings. The GSA Enterprise Continuous Monitoring Tools Google Sheet provides a detailed list of tools used to implement configuration compliance.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for implementing the configuration settings as stated for this control, maintaining configuration control, and managing changes using a configuration management process and plan. When submitting security deviation requests against GSA hardening guidelines/benchmarks, System Owners must observe the following:

Any baseline hardening deviations must be coordinated by the system Information System Security Officer/Information System Security Manager (ISSO/ISSM).

Deviations to CIS Level 2 settings can be reviewed and approved by the ISSO and ISSM with appropriate justification.

Deviations to CIS Level 1 settings require AO approval.

Vendor/Contractor Operated System Control Expectation: Vendor/contractor systems not utilizing GSA, NIST, or CIS IT Security Hardening standards must provide their technical security hardening guidelines to GSA for review and approval by the AO.

3.6 Contingency Planning (CP)

NIST Control – CSF Category Unique Identifier – Subcategories

CP-1 ID.GV-1, ID.GV-3

3.6.1 Contingency Planning Policy and Procedures (CP-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

b. Reviews and updates the current: 1. Contingency planning policy [biennially]; and 2. Contingency planning procedures [biennially].

CP-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

CP-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Contingency Planning (CP) policies and procedures is a common control provided by the OCISO Policy and Compliance Division (ISP). CP Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: "Contingency and continuity of support plans must be developed and tested annually for all IT systems IAW OMB Circular No. A-130, NIST SP 800-34, and GSA CIO-IT Security-06-29." GSA OCISO ISP has also defined agency-wide CP procedures in GSA IT Security Procedural Guide: CIO-IT Security-06-29, “Contingency Planning.” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-06-29 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own contingency planning policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.7 Identification and Authentication (IA)

NIST Control – CSF Category Unique Identifier – Subcategories

IA-1 ID.GV-1, ID.GV-3, PR.AC-1, PR.AC-6, PR.AC-7

3.7.1 Identification and Authentication Policy and Procedures (IA-1)

The organization:

a. Develops, documents, and disseminates to [the entire GSA community of organizational users]:

1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

b. Reviews and updates the current: 1. Identification and authentication policy [biennially]; and 2. Identification and authentication procedures [biennially].

IA-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IA-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Identification and Authentication (IA) policies and procedures is a common control provided by the OCISO Policy and Compliance Division (ISP). IA Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 5, Policy on Technical Controls. The policy states: “All GSA systems must incorporate a proper user identification and authentication methodology. Refer to the GSA CIO-IT Security-01-01: Identification and Authentication Procedural Guide for additional details.” CIO 2100.1 contains a number of other specific policies regarding IA technologies. As stated in the policy, GSA OCISO ISP has also defined agency-wide IA procedures in CIO-IT Security-01-01. GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-01-01 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own identification and authentication policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.8 Incident Response (IR)

NIST Control – CSF Category Unique Identifier – Subcategories

IR-1 ID.GV-1, ID.GV-3

IR-2 PR.AT-5

IR-3 ID.SC-5, PR.IP-10, RS.CO-1

IR-4 ID.SC-5, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, RS.RP-1, RS.CO-3, RS.CO-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.MI-1, RS.MI-2, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2, RC.CO-3

IR-5 DE.AE-3, DE.AE-5, RS.AN-1, RS.AN-4

IR-6 ID.SC-5, RS.CO-2

IR-7 PR.IP-9

IR-8 ID.SC-5, PR.IP-7, PR.IP-9, DE.AE-3, DE.AE-5, RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.AN-4, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2

3.8.1 Incident Response Policy and Procedures (IR-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

b. Reviews and updates the current: 1. Incident response policy [biennially]; and 2. Incident response procedures [biennially].

IR-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Incident Response (IR) policies and procedures is a common control provided by the OCISO Policy and Compliance (ISP) and Security Engineering (ISE) Divisions. IR Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. In summary, the policy requires all suspected incidents or violations to be reported to the IT Service Desk with the OCISO handling additional coordination and reporting requirements. The policy contains a number of other specific policies regarding IR. GSA OCISO ISP and ISE have also defined agency-wide IR procedures in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-01-02 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by CIO 2100.1, the terms of their contracts, and the Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including the support of incident response efforts.

3.8.2 Incident Response Training (IR-2)

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

a. Within [60 days] of assuming an incident response role or responsibility;

b. When required by information system changes; and

c. [Annually] thereafter.

IR-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Personnel with Incident Response responsibilities generally require broader knowledge than most IT staff members as they work with many facets of IT. Personnel with Incident Response responsibilities require sufficient training to maintain networks, systems, and applications in accordance with the GSA security standards.

OCISO also provides training to members of the GSA Incident Response Team within 60 days of joining and annually thereafter. Follow-on annual training is integrated with biannual OCISO testing of the GSA Incident Response Plan, i.e., GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).” The training ensures team members are able to respond to and manage adverse situations involving IT, using the established procedures documented in this document and supporting standard operating procedures (SOP). The training focuses on OCISO processes for responding to incidents and using GSA enterprise IT and IT Security tools. Incident response training relating to process focuses on the following activities:

Verifying the source

Verifying the incident

Notifying responsible parties, including GSA management, US-CERT, OIG, and other law enforcement as necessary

Forming incident handling team

Gathering evidence

Containing, eradicating and recovering from the incident

Performing follow-up activities after the incident is resolved

Incident response training may be tabletop or functional and should be integrated with annual incident response testing or with the annual contingency plan test, if contingency plan testing includes scenarios for incident reporting and response, in agreement with CIO-IT Security-01-02 and GSA IT Procedural Guide: CIO-IT Security-06-29, “Contingency Planning.”

GSA/Internally Operated System System-Specific Expectation:

GSA information systems, including vendor owned/operated systems on behalf of GSA, shall provide initial training within 60 days to staff with incident reporting and response responsibilities in agreement with CIO-IT Security-01-02 when required by information system changes, and annually thereafter consistent with control requirements.

Vendor/Contractor Operated System Control Expectation:

GSA information systems, including vendor owned/operated systems on behalf of GSA, shall provide initial training within 60 days to staff with incident reporting and response responsibilities in agreement with CIO-IT Security-01-02 when required by information system changes, and annually thereafter consistent with control requirements.

3.8.3 Incident Response Testing and Exercises (IR-3)

The organization tests and/or exercises the incident response capability for the information system [annually] using [GSA IT Security Procedural Guide: Incident Response (IR) CIO-IT Security-01-02 and NIST SP 800-61, Revision 1, Computer Security Incident Handling Guide] to determine the incident response effectiveness and documents the results.

IR-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Incident Response Plan, GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR),” is tested biannually by OCISO following the process documented in the guide, NIST SP 800-61 Revision 2, “Computer Security Incident Handling Guide,” and NIST SP 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.”

IR testing validates the content of IR plans and improves effectiveness of incident response capabilities to prepare for, respond to, manage, and recover from adverse events that may affect GSA information systems. Testing activities focus on likely scenarios informed by the threats to and the vulnerabilities in the GSA IT environment.

Results of the annual test are documented in an IR test report. A general test report template (i.e., Contingency Plan Test Report Template) is available on the IT Security Forms page on InSite.

GSA/Internally Operated System System-Specific Expectation:

FIPS 199 Moderate and High-impact information systems are required to perform annual incident response testing in agreement with CIO-IT Security-01-02. Incident response testing should be coordinated with the GSA Incident Response Team ([email protected]) to ensure end-to-end reporting and response actions and may be included as a scenario in the annual contingency plan test.

If the IR test is integrated with the annual CP test, ensure the annual CP test includes scenarios for incident reporting and response as documented in CIO-IT Security-01-02 to validate its effectiveness. Refer to NIST SP 800-84 for more specific guidance in developing, conducting, and evaluating IR test activities.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and the Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including the support of incident response testing.

3.8.3.1 Incident Response Testing | Coordination with Related Plans (IR-3 (2))

The organization coordinates incident response testing with organizational elements responsible for related plans.

IR-3 (2) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


IR-3 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans; for details, refer to GSA IT Security Procedural Guide: CIO-IT Security-06-29, “Contingency Planning.” The GSA Incident Response Plan (GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR)”) is tested biannually by OCISO following the process documented in the guide, NIST SP 800-61, Revision 2, “Computer Security Incident Handling Guide,” and NIST SP 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.”

GSA/Internally Operated System System-Specific Expectation:

FIPS 199 Moderate and High impact information systems are required to perform annual incident response testing in agreement with CIO-IT Security-01-02. Incident response testing may be coordinated with the GSA Incident Response Team ([email protected]) to ensure end-to-end reporting and response actions and may be included as a scenario in the annual contingency plan test. Additional integration of the GSA Incident Response Plan with other organizational plans is a system specific consideration.

GSA information systems, including vendor owned/operated systems on behalf of GSA, shall identify any related plans and coordinate incident response testing with organizational elements responsible for related plans.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including the support of incident response testing.

3.8.4 Incident Handling (IR-4)

The organization:

a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

b. Coordinates incident handling activities with contingency planning activities; and

c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Security Engineering Division (ISE) of the Office of the Chief Information Security Officer (OCISO) provides the incident response coordination for all incidents involving GSA IT systems regardless of ownership (internal or external) with GSA management, US-CERT, external law enforcement, and the GSA Inspector General.

GSA’s Incident Response Plan (i.e., GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR)”) is consistent with NIST SP 800-61, Revision 2, “Computer Security Incident Handling Guide.” The supporting incident response process is performed on a ‘Tiered’ basis including Tier 1 through Tier 3 and is fully defined in section 4 of CIO-IT Security-01-02. Key tasks in the Tiers are summarized below:

Tier 1 – Observe event/incident, open ticket in ServiceNow, provide data to IR Team, stabilize system.

Tier 2 – Determine seriousness of threat, verify notification and reporting, coordinate with Tier 1, collect data, isolate systems as necessary, support Tier 3, remediate and restore.

Tier 3 – Direct data collection, lead response team, conduct detailed technical analysis, prepare and submit reports.

GSA/Internally Operated System System-Specific Expectation:

GSA information systems shall align with the incident handling and reporting process defined in CIO-IT Security-01-02. Systems are required to coordinate system-level incident handling activities with contingency planning activities and incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implement the resulting changes accordingly.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including the support of incident response testing.

3.8.4.1 Incident Handling | Automated Incident Handling Processes (IR-4 (1))

The organization employs automated mechanisms to support the incident handling process.

IR-4 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:


Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-4 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

Automated mechanisms supporting incident handling processes include:

Incident Handling Tools:

The GSA Incident Response Team utilizes a number of automated tools and services to assist in incident handling, including:

GSA Enterprise Logging Platform (ELP) - The ELP collects and correlates event log data from network devices across the network including Firewalls, IDP/IPS devices, Web Proxies, and Wireless Access Points.

FireEye Endpoint Security (HX series) - An endpoint-based solution that allows security analysts to conduct detailed investigations to identify and contain Indicators of Compromise (IOC) related to APT malware.

Bit9 - Deployed as an application whitelisting solution that identifies executables on GSA workstations/servers in a central repository for investigation into whether malware was executed on a device.

Palo Alto Wildfire - Cloud-based malware detection service which performs static and dynamic analysis of binary executables ingressing the GSA network. Alerts on detection of malware.

NetIQ - Identity Management Tool used for correlating VPN identifiers to users.

McAfee ePO - ePO provides centralized event collection and reporting for McAfee antivirus software on GSA workstations and servers. It allows security analysts to investigate malware incidents and trends.

MaaS360 - The software management tool that GSA uses to deploy and inventory software on workstations and mobile devices.

FireEye MCIRT Portal - Allows for access to alerts from FireEye regarding threats.

CenturyLink Portal - Allows for access to alerts from the CenturyLink Security Operations Center.

iSight Portal - Allows for access to ThreatScape/iSIGHT Partners Vulnerability and Threat Reports.

Forensic Tool Sources:

GSA OCISO uses a combination of commercial and open source tools to capture cyber-forensic evidence as part of a Tier 3 investigation. Detailed forensics investigations are also supported by several additional COTS and open source tools, including, but not limited to, the following:

Mobile Forensics Tools

Katana Forensics Lantern - Allows image acquisition for mobile devices, specializing in iOS.

viaForensics viaExtract - Provides forensic capabilities for Android devices, including image acquisition.

General Forensics

FTK Forensic Toolkit - Provides the ability to conduct detailed forensic investigations on various platforms, such as hard drives, mobile devices, network data, and internet storage.

EnCase Forensic Imager - Provides the ability to acquire forensic images from local disks.

Live Response Forensics

FireEye Memoryze - Provides the ability to acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.

All incident information generated as part of response activities is maintained in ServiceNow, which coordinates the overall response including required reporting to US-CERT. All incidents are reported to the GSA IT Service Desk at [email protected] and the ISSO for incident tracking. The ISSO enters incident information into ServiceNow as an Incident Response ticket. In accordance with the timeframes identified in IR-6, the incident will then be reported to US-CERT using automated means within the ServiceNow system.

Vendor/Contractor Operated System Control Expectation:

External GSA information systems not integrated with GSA’s ServiceNow ticketing system shall utilize the GSA Cyber Incident Reporting form available on the IT Security Forms page.

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including using automation as part of incident handling.

3.8.5 Incident Monitoring (IR-5)

The organization tracks and documents information system security incidents.

IR-5 Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Security Engineering Division (ISE) in the OCISO manages the GSA Incident Response Program, which is responsible for tracking all security incidents for GSA IT systems (including vendor-owned and -operated systems) reported to the OCISO.


Incident reports include (as applicable) the status of the incident, and any pertinent information gathered as part of the overall response process including but not limited to vulnerability details, system information, and forensics evidence.

Incident information generated as part of response activities is maintained in ServiceNow and centrally managed by ISE, which coordinates the overall response including required reporting to US-CERT. All incidents are reported to the GSA IT Service Desk at [email protected] and the ISSO for incident tracking. The ISSO enters incident information into ServiceNow as an Incident Response ticket.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including supporting GSA’s incident monitoring process.

3.8.6 Incident Reporting (IR-6)

The organization:

a. Requires personnel to report suspected security incidents to the organizational incident response capability within [US-CERT Incident Reporting Timelines as documented in GSA IT Security Procedural Guide : Incident Response (IR) CIO-IT Security-01-02]; and

b. Reports security incident information to designated authorities to [the ISSO and Help Desk as per GSA IT Security Procedural Guide: Incident Response (IR) CIO-IT Security-01-02. Incidents classified between Categories 1-3 should simultaneously be reported to the OCISO].

IR-6 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


IR-6 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA has an agency-wide incident response program with formally promulgated policies, procedural guidelines, and supporting processes managed by the OCISO Security Engineering Division (ISE). The GSA Incident Response Process, including incident reporting is documented in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).” CIO-IT Security-01-02 follows the United States Computer Emergency Readiness Team (US-CERT) Federal Incident Reporting Guidelines. These guidelines are further defined within the guide:

Notifying US-CERT of a computer security incident is mandatory when the confidentiality, integrity, or availability of a Federal Government information system has been confirmed as compromised. Notification of incidents which have no confirmed functional or information impact such as passive scans, phishing attempts, attempted access, or thwarted exploits may be submitted to US-CERT voluntarily. However, GSA will voluntarily report all phishing attempts to US-CERT.

Requirement: US-CERT must be notified of all computer security incidents involving a Federal Government information system with a confirmed impact to confidentiality, integrity or availability within one hour of being positively identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or IT department.

GSA will put forth a best effort to report all mandatory incidents within one hour of notification to the GSA Incident Response Team and provide all available information. GSA will not delay reporting in order to provide further details (i.e., root cause, vulnerabilities exploited, or mitigation actions taken), as this may result in high risk to the system or enterprise. If the cause of the incident is later identified, the threat vector may be updated in a follow-up report.

Incidents may affect multiple types of data. Therefore, when classifying an incident GSA may select multiple options to identify the information impact. Incidents with a functional, information, or recovery impact must be IMMEDIATELY reported to the GSA IT Service Desk and the OCISO. Details of the reporting process are explained in Section of CIO-IT Security-01-02. Use Table 1 below to identify the impact of the incident. The term “classified information” is defined IAW Committee on National Security Systems Instruction (CNSSI) 4009. The term “proprietary information” is defined IAW NIST SP 800-61, Revision 2, “Computer Security Incident Handling Guide.” The term “personally identifiable information (PII)” is defined IAW OMB Memorandum M-17-12.

Note: Incidents involving non-cyber PII exposures or classified data spillage (i.e. unsecured hard copies) will not be reported to US-CERT. The GSA Senior Agency Official for Privacy (SAOP) will coordinate all response efforts related to non-cyber incidents involving PII.

Table 1: Federal Agency Incident Impact Classifications

Impact Category / Category Severity Levels

Functional Impact: A measure of the impact to business functionality or ability to provide services.

NO IMPACT: Event has no impact.

NO IMPACT TO SERVICES: Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.

MINIMAL IMPACT TO NON-CRITICAL SERVICES: Some small level of impact to non-critical systems and services.

MINIMAL IMPACT TO CRITICAL SERVICES: Minimal impact but to a critical system or service, such as email or active directory.

SIGNIFICANT IMPACT TO NON-CRITICAL SERVICES: A non-critical service or system has a significant impact.

DENIAL OF NON-CRITICAL SERVICES: A non-critical system is denied or destroyed.

SIGNIFICANT IMPACT TO CRITICAL SERVICES: A critical system has a significant impact, such as local administrative account compromise.

DENIAL OF CRITICAL SERVICES/LOSS OF CONTROL: A critical system has been rendered unavailable.

Information Impact: Describes the type of information lost, compromised, or corrupted.

NO IMPACT: No known data impact.

SUSPECTED BUT NOT IDENTIFIED: A data loss or impact to availability is suspected, but no direct confirmation exists.

PRIVACY DATA BREACH: The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.

PROPRIETARY INFORMATION BREACH: The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.

DESTRUCTION OF NON-CRITICAL SYSTEMS: Destructive techniques, such as master boot record (MBR) overwrite, have been used against a non-critical system.

CRITICAL SYSTEMS DATA BREACH: Data pertaining to a critical system has been exfiltrated.

CORE CREDENTIAL COMPROMISE: Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.

DESTRUCTION OF CRITICAL SYSTEM: Destructive techniques, such as MBR overwrite, have been used against a critical system.

Recoverability: Identifies the scope of resources needed to recover from the incident

REGULAR: Time to recovery is predictable with existing resources.

SUPPLEMENTED: Time to recovery is predictable with additional resources.

EXTENDED: Time to recovery is unpredictable; additional resources and outside help are needed.

NOT RECOVERABLE: Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly).

Per OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments,” the term PII means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. However, incidents involving non-cyber PII exposures or classified data spillage (i.e. unsecured hard copies) should not be reported to US-CERT and will be reported to GSA’s Privacy Office as required by policy, consistent with updated federal incident reporting guidelines.

GSA Policy specifies that all mobile data storage devices (including laptop hard drives, USB external disk or Flash storage, Blackberry, etc.) must be encrypted with a FIPS 140-2 certified encryption module. If a device is lost or stolen that violates this policy or the keys that protect the device could be recovered, the incident must be treated as an incident with information impact and reported immediately as such.

Phishing attempts reported to the GSA Incident Response Team will be reported to US-CERT as follows:

Phishing attempts where ENT domain credentials or credentials to other GSA systems are used to gain unauthorized access, or that result in malicious code being successfully executed on a GSA server or workstation, will be reported with the appropriate functional, information, and/or recoverability impact classification.

If sensitive information is revealed in a spear phishing attempt via email or other means, it will also be reported as an incident with the appropriate information and recoverability impact classification.

All other phishing attempts will be reported as an incident with no functional, information, or recoverability impact as voluntary submissions.
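The reporting rules above (mandatory versus voluntary US-CERT notification, the one-hour window, the Table 1 impact levels, the lost-device rule and the three phishing cases) are easy to misapply under time pressure. The following is an added triage helper written for this page, not GSA's or OCISO's code, that encodes those rules as one decision function. It assumes that a recoverability level above REGULAR counts as a reportable impact, that the analyst has already assigned Table 1 levels, and that the `Incident` field names, the route labels and the constructed timestamp `EXAMPLE_T0` are this example's own conventions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional

ONE_HOUR = timedelta(hours=1)          # US-CERT notification window stated in IR-6
EXAMPLE_T0 = datetime(2018, 3, 14, 9)  # constructed identification time for the demo


# Table 1 severity levels, ordered least to most severe within each category.
class FunctionalImpact(IntEnum):
    NO_IMPACT = 0
    NO_IMPACT_TO_SERVICES = 1
    MINIMAL_NON_CRITICAL = 2
    MINIMAL_CRITICAL = 3
    SIGNIFICANT_NON_CRITICAL = 4
    DENIAL_NON_CRITICAL = 5
    SIGNIFICANT_CRITICAL = 6
    DENIAL_CRITICAL = 7


class InformationImpact(IntEnum):
    NO_IMPACT = 0
    SUSPECTED_NOT_IDENTIFIED = 1
    PRIVACY_DATA_BREACH = 2
    PROPRIETARY_BREACH = 3
    DESTRUCTION_NON_CRITICAL = 4
    CRITICAL_DATA_BREACH = 5
    CORE_CREDENTIAL_COMPROMISE = 6
    DESTRUCTION_CRITICAL = 7


class Recoverability(IntEnum):
    REGULAR = 0
    SUPPLEMENTED = 1
    EXTENDED = 2
    NOT_RECOVERABLE = 3


@dataclass
class Incident:
    """Analyst's triage record (field names are this example's own)."""
    identified_at: datetime
    functional: FunctionalImpact = FunctionalImpact.NO_IMPACT
    information: InformationImpact = InformationImpact.NO_IMPACT
    recoverability: Recoverability = Recoverability.REGULAR
    phishing: bool = False
    credentials_used: bool = False         # ENT/GSA credentials used for unauthorized access
    malware_executed: bool = False         # malicious code ran on a GSA server/workstation
    sensitive_info_revealed: bool = False  # data disclosed in a (spear) phishing attempt
    lost_device: bool = False              # lost/stolen mobile data storage device
    device_fips140_encrypted: bool = True
    keys_recoverable: bool = False
    non_cyber_pii: bool = False            # e.g. unsecured hard copies


@dataclass
class Triage:
    route: str   # "US-CERT mandatory" | "US-CERT voluntary" | "SAOP" | "needs classification"
    reason: str
    due_by: Optional[datetime] = None


def has_confirmed_impact(inc: Incident) -> bool:
    """Mandatory notification needs a *confirmed* compromise of C, I or A.

    The first two functional levels both mean no impact to services, and a
    SUSPECTED information impact is not a confirmation.  Treating any
    recoverability level above REGULAR as an impact is an assumption."""
    return (inc.functional >= FunctionalImpact.MINIMAL_NON_CRITICAL
            or inc.information >= InformationImpact.PRIVACY_DATA_BREACH
            or inc.recoverability > Recoverability.REGULAR)


def triage(inc: Incident) -> Triage:
    if inc.non_cyber_pii:  # handled by the Senior Agency Official for Privacy, not US-CERT
        return Triage("SAOP", "non-cyber PII exposure is not reported to US-CERT")

    # A lost/stolen device outside the FIPS 140-2 policy, or whose keys could be
    # recovered, must be treated as an incident with information impact.
    if inc.lost_device and (not inc.device_fips140_encrypted or inc.keys_recoverable):
        if inc.information < InformationImpact.PRIVACY_DATA_BREACH:
            return Triage("needs classification",
                          "lost/stolen device outside the encryption policy requires an information impact")

    if inc.phishing:
        escalated = inc.credentials_used or inc.malware_executed or inc.sensitive_info_revealed
        if escalated and not has_confirmed_impact(inc):
            return Triage("needs classification",
                          "phishing with credential use, code execution or data exposure requires an impact classification")
        if not escalated:  # "all other phishing attempts" are voluntary, no-impact submissions
            return Triage("US-CERT voluntary", "phishing attempt with no impact; GSA reports all phishing voluntarily")

    if has_confirmed_impact(inc):  # the one-hour clock runs from positive identification
        return Triage("US-CERT mandatory", "confirmed impact", due_by=inc.identified_at + ONE_HOUR)
    return Triage("US-CERT voluntary", "no confirmed functional, information or recoverability impact")


def is_overdue(t: Triage, now: datetime) -> bool:
    """True once a mandatory notification has passed its one-hour deadline."""
    return t.due_by is not None and now > t.due_by
```

The helper refuses to label an incident as a voluntary submission where the page requires an impact classification (a phishing attempt that led to credential use, code execution or data exposure; a lost or stolen device outside the FIPS 140-2 policy) and returns `needs classification` instead, so the gap is caught at triage rather than after the one-hour clock has run out.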

GSA/Internally Operated System System-Specific Expectation:


Individual systems are responsible for reporting incidents to ISE in accordance with CIO-IT Security-01-02.

Vendor/Contractor Operated System Control Expectation:

Information systems that are contractor owned and/or operated on behalf of GSA must have a documented incident reporting process that integrates with the reporting and response processes documented in CIO-IT Security-01-02. Incidents involving external contractor systems must be immediately reported to the GSA ISSO using the GSA Cyber Incident Reporting form available on the IT Security Forms page. Agency ISSOs for Vendor systems shall initiate a ServiceNow Security Incident ticket upon receipt of the form.

3.8.6.1 Incident Reporting | Automated Reporting (IR-6 (1))

The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-6 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-6 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

When documenting an incident, print or capture (by other means) any resource messages. To identify the IT security incident, document as much information as possible. Write down as many details as possible; notes should include the date and time. Depending on the system, use the Help Desk, IT Service Desk, or other operational support system(s) to report and document the event or incident.

The email for the IT Service Desk is [email protected]. The IT Service Desk will be responsible for initiating incident tickets related to users. IT security staff will also have access to initiate tickets themselves.

Time is critical. Serious incidents with a functional, information, or recovery impact shall be reported immediately upon incident identification to the GSA IT Service Desk. If there is no immediate response during business hours, contact William Salamon (202-501-0223) or Bo Berlas (202-236-6304). After normal business hours, on-call IR support is available at 202-780-9423. The GSA Incident Response team can also be contacted at [email protected].


Do not delay reporting in order to provide further details (i.e., root cause, vulnerabilities exploited, or mitigation actions taken), as this may result in high risk to the system or enterprise. The GSA OCISO must report such incidents to US-CERT within one hour.

Confirmed and/or suspected incidents involving the potential loss or compromise of PII in electronic or physical form must be reported IMMEDIATELY to the OCISO via the GSA IT Service Desk. The OCISO will determine when it is appropriate to report incidents to the GSA SAOP. The OCISO will also determine external reporting to the US-CERT, OIG, and U.S. Congress. Reporting will be completed IAW this guide and the US-CERT Federal Incident Notification Guidelines.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Information systems that are contractor owned and/or operated on behalf of GSA must have a documented incident reporting process that integrates with the reporting and response processes documented in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).” External GSA information systems not integrated with GSA’s ServiceNow ticketing system shall utilize the GSA Cyber Incident Reporting form available on the IT Security Forms page. Agency ISSOs for Vendor systems shall initiate a ServiceNow Security Incident ticket upon receipt.

3.8.7 Incident Response Assistance (IR-7)

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


IR-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

All incidents are reported to the GSA OCISO consistent with the reporting requirements in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).” ISE in the OCISO provides the incident response coordination for all incidents involving GSA IT systems regardless of ownership (internal or external) with GSA management, US-CERT, external law enforcement, and the GSA Inspector General.

The first line of support is provided through the GSA IT Service Desk when an initial incident is reported. Incidents that are determined to fit the US-CERT criteria for Categories 1-3 are passed on to the OCISO ISE, which will provide support until the incident has been resolved and the affected system(s) have been restored to normal operation, if needed. Additional support from OCISO ISE is also available for any incident. The OCISO maintains a contract for 24 x 7 secure operations / incident response support that is available to assist with Tier 3 incident handling. The incident support contractor can be deployed at the discretion of the OCISO to assist in incident response activities. The OCISO will put forth a best effort to coordinate the incident response activities with the affected systems’ ISSO and ISSM.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

The GSA OCISO Security Engineering Division (ISE) provides assistance to vendors/contractors that process and host GSA information in accordance with GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and Federal Information Security Modernization Act (FISMA) of 2014.

3.8.7.1 Incident Response Assistance | Automation Support for Availability of Information / Support (IR-7 (1))

The organization employs automated mechanisms to increase the availability of incident response related information and support.

IR-7 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-7 (1) Control Implementation


GSA/Internally Operated System Common Control Implementation:

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. From a pull perspective, the first line of support at GSA is provided through the GSA IT Service Desk. Then, when an initial incident is reported and entered into the ServiceNow automated system, all requests are automatically routed via ServiceNow to the GSA Incident Response Team. The OCISO maintains a contract for 24 x 7 secure operations / incident response support that is available to assist with any of these incidents, which also includes the deployment of forensic services. From a push perspective, GSA maintains a list of points of contact for all FISMA systems that includes the ISSO, ISSM, Program Manager, and Authorizing Official, which is available to the GSA Incident Response Team for reaching out to systems affected by a security threat or incident.

The GSA Incident Response Team also utilizes a number of automated tools and services that support the availability of information and support for incident response, as described in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR).”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors that process and host GSA information are bound by GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” the terms of their contracts, and the Federal Information Security Modernization Act (FISMA) of 2014 to protect the security of this information, including the use of automated mechanisms to increase the availability of information/support.

3.8.8 Incident Response Plan (IR-8)

The organization:

a. Develops an incident response plan that:

1. Provides the organization with a roadmap for implementing its incident response capability;

2. Describes the structure and organization of the incident response capability;

3. Provides a high-level approach for how the incident response capability fits into the overall organization;

4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

5. Defines reportable incidents;

6. Provides metrics for measuring the incident response capability within the organization;

7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

8. Is reviewed and approved by [AO, ISSM, ISSO, PM, CISO];

b. Distributes copies of the incident response plan to [AO, ISSM, ISSO, PM, CISO];

c. Reviews the incident response plan [annually];

d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

e. Communicates incident response plan changes to [AO, ISSM, ISSO, PM, CISO]; and

f. Protects the incident response plan from unauthorized disclosure and modification.

IR-8 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

IR-8 Control Implementation

GSA/Internally Operated System Common Control Implementation: GSA’s Incident Response Plan (GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response (IR)”) is consistent with IR-8 requirements and is reviewed and approved by the GSA OCISO.

The GSA Incident Response Plan is distributed to all GSA IT staff with significant IT security responsibilities and is available to all GSA staff via the IT Security InSite page. Updates to the GSA Incident Response Plan are communicated to all stakeholders.

The GSA Incident Response Plan is updated following each incident response test and at least annually. This document is updated to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

GSA/Internally Operated System System-Specific Expectation:

GSA IT systems may leverage the GSA Incident Response Plan (CIO-IT Security-01-02) as their system incident response plan, or supplement it with system-specific reporting and response procedures that align with, and do not conflict with, the processes and requirements in the GSA Incident Response Plan.

Vendor/Contractor Operated System Control Expectation:

Vendor/contractor owned/operated systems must have their own system-specific incident response plans that detail response activities and reporting requirements to GSA consistent with CIO-IT Security-01-02.

3.9 Maintenance (MA)

NIST Control | CSF Category Unique Identifier – Subcategories
MA-1 | ID.GV-1, ID.GV-3

3.9.1 System Maintenance Policy and Procedures (MA-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

b. Reviews and updates the current:

1. System maintenance policy [biennially]; and

2. System maintenance procedures [biennially].

MA-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

MA-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

System maintenance policy and procedures are a common control provided by the GSA OCISO Policy and Compliance Division (ISP). System maintenance policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: "The availability and usability of GSA equipment and software must be maintained and safeguarded to enable agency objectives to be accomplished.” GSA OCISO ISP has defined agency-wide system maintenance control procedures in GSA IT Security Procedural Guide: CIO-IT Security-10-50, “Maintenance.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and CIO-IT Security-10-50 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.


Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own system maintenance policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.10 Media Protection (MP)

NIST Control | CSF Category Unique Identifier – Subcategories
MP-1 | ID.GV-1, ID.GV-3

3.10.1 Media Protection Policy and Procedures (MP-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Managers, Information System Security Officers, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

b. Reviews and updates the current:

1. Media protection policy [biennially]; and

2. Media protection procedures [biennially].

MP-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


MP-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Media protection policy and procedures are a common control provided by the GSA OCISO Policy and Compliance Division (ISP). Media protection policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: "All GSA data from information system media, both digital and non-digital, must be sanitized IAW methods described in IT Security Procedural Guide: Media Protection Guide, CIO-IT Security-06-32, before disposal or transfer outside of GSA." Agency-wide media protection procedures are provided in GSA IT Security Procedural Guide: CIO-IT Security-06-32, “Media Protection.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and CIO-IT Security-06-32 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own media protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.11 Physical and Environmental Protection (PE)

NIST Control | CSF Category Unique Identifier – Subcategories
PE-1 | ID.GV-1, ID.GV-3

3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

b. Reviews and updates the current:

1. Physical and environmental protection policy [biennially]; and

2. Physical and environmental protection procedures [biennially].

PE-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable


GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

PE-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Physical and environmental protection policy and procedures are a common control provided by the GSA OCISO Policy and Compliance Division (ISP). Physical and environmental protection policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: "Physical and environmental security controls must be commensurate with the level of risk and must be sufficient to safeguard IT resources against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters." Agency-wide physical and environmental protection procedures are provided in GSA IT Security Procedural Guide: CIO-IT Security-12-64, “Physical and Environmental Protection.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and CIO-IT Security-12-64 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own physical and environmental protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.12 Planning (PL)

NIST Control | CSF Category Unique Identifier – Subcategories
PL-1 | ID.GV-1, ID.GV-3
PL-4 | Not addressed in the CSF.

3.12.1 Security Planning Policy and Procedures (PL-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and


2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

b. Reviews and updates the current:

1. Security planning policy [biennially]; and

2. Security planning procedures [biennially].

PL-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

PL-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Security planning policy and procedures are a common control provided by the GSA OCISO Policy and Compliance Division (ISP). Security planning policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 3, Policy on Management Controls. Throughout Chapter 3, GSA’s policy requires that the applicable security controls from the current version of NIST SP 800-53 be determined, documented, and assessed, and that system risks be managed. Agency-wide security planning procedures are provided in GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk,” and the GSA “Information Security Program Plan.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1, the Information Security Program Plan, and CIO-IT Security-06-30 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own security planning policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.12.2 Rules of Behavior (PL-4)

The organization:


a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

c. Reviews and updates the rules of behavior [at least annually]; and

d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

PL-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

PL-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Policy regarding rules of behavior is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 3, Policy on Management Controls. The policy states: “Authorized users must be provided written Rules of Behavior IAW GSA Order CIO 2104.1 before being allowed access into any GSA, non-public information system.” and “The user must acknowledge receipt of these rules through a positive action.” GSA OCISO ISP Division is responsible for reviewing and updating GSA Order CIO 2104.1, “GSA Information Technology (IT) General Rules of Behavior,” at least annually. As a part of GSA’s annual security awareness training, users are required to acknowledge reading and complying with the current GSA IT Rules of Behavior.

GSA/Internally Operated System System-Specific Expectation: GSA internally operated systems/applications that require their own rules of behavior may implement them, provided they comply with GSA’s requirements and are approved by the Authorizing Official (AO).

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA Rules of Behavior or implement their own rules of behavior which comply with GSA’s requirements with the approval of the Authorizing Official (AO).


3.12.2.1 Rules of Behavior | Social Media and Networking Restrictions (PL-4 (1))

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

PL-4 (1) Control Enhancement Summary Information

Parameter: None

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

PL-4 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls includes explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA Rules of Behavior or implement their own rules of behavior which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.13 Program Management (PM)

NIST Control | CSF Category Unique Identifier – Subcategories
PM-1 | ID.GV-1, ID.GV-2
PM-2 | ID.GV-2
PM-3 | ID.GV-4
PM-4 | ID.RA-6
PM-5 | ID.AM-1, ID.AM-2
PM-6 | PR.IP-7
PM-7 | ID.GV-4
PM-8 | ID.BE-2, ID.BE-4, ID.RM-3
PM-9 | ID.GV-4, ID.RA-4, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3, ID.SC-1, ID.SC-2, ID.SC-3
PM-10 | ID.GV-4
PM-11 | ID.AM-6, ID.BE-3, ID.GV-4, ID.RA-4, ID.RM-3
PM-12 | ID.RA-3
PM-13 | PR.AT-1, PR.AT-2, PR.AT-4, PR.AT-5
PM-14 | PR.IP-10, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-5
PM-15 | ID.RA-2, RS.CO-5, RS.AN-5
PM-16 | ID.RA-2, ID.RA-3, ID.RA-5

3.13.1 Information Security Program Plan (PM-1)

The organization:

a. Develops and disseminates an organization-wide information security program plan that:

1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;

2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and

4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;

b. Reviews the organization-wide information security program plan [annually];

c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and

d. Protects the information security program plan from unauthorized disclosure and modification.

PM-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA Control Type:


Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Not Applicable

PM-1 Control Implementation

GSA Control Type Implementation:

GSA’s Information Security Program Plan (ISPP) is a common control provided by the GSA OCISO Policy and Compliance Division (ISP). The ISPP documents the implementation details of the common and hybrid controls, including program management controls, provided by the OCISO that are in place to meet the requirements of the GSA security program, and has been coordinated with other organizations providing control implementations. The plan is approved by the CISO and is designed to give clear direction as to which GSA division or organization is responsible for implementation of each control. The ISPP is reviewed/updated biennially to address changes or problems identified with control implementation. The ISPP is disseminated via the GSA IT Security InSite page, which is only accessible on the GSA Intranet.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.2 Senior Information Security Officer (PM-2)

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

PM-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


Vendor/Contractor Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Not Applicable

PM-2 Control Implementation

GSA Control Type Implementation:

GSA has appointed a Chief Information Security Officer (CISO). The GSA CISO provides oversight and resources for developing, implementing, and maintaining GSA’s enterprise-wide information security program. The GSA CISO manages and oversees the operation of the four Office of the Chief Information Security Officer (OCISO) divisions: Security Engineering (ISE), Security Operations (ISO), Policy and Compliance (ISP), and Information System Security Officer (ISSO) Support (IST).

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.3 Information Security Resources (PM-3)

The organization:

a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;

b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and

c. Ensures that information security resources are available for expenditure as planned.

PM-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA Control Type:

Common Control Provided by GSA Office of Enterprise Planning and Governance

System Specific Control

Hybrid Control

Vendor/Contractor Control Type:

Common Control Provided by GSA Office of Enterprise Planning and Governance


System Specific Control

Hybrid Control

Not Applicable

PM-3 Control Implementation

GSA Control Type Implementation:

The Exhibit 53B (security section) was deleted in OMB Guidance on Exhibit 53 and 300 issued on 7/1/13. OMB began collecting the IT security data as a separate data call starting with the BY15 budget submission. However, the IT security costs and resources continue to be a part of the internal annual budget process for review and approval by GSA IT Governance and the GSA Leadership management IRB team. GSA annually submits Exhibit 53A for reporting all the GSA IT security costs and resources managed by OCISO.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.4 Plan of Action and Milestones Process (PM-4)

The organization:

a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:

1. Are developed and maintained;

2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and

3. Are reported in accordance with OMB FISMA reporting requirements.

b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control


Vendor/Contractor Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Not Applicable

PM-4 Control Implementation

GSA Control Type Implementation:

GSA’s Plan of Action and Milestones (POA&M) process is a common control provided by the GSA OCISO Policy and Compliance Division (ISP). In Chapter 3, Policy on Management Controls, of GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” it is stated "All information systems must develop and maintain a POA&M IAW IT Security Procedural Guide: Plan of Action and Milestones (POA&M), OCIO-IT Security-09-44. POA&Ms are the authoritative agency management tool for managing system risk and used in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in agency programs and systems. GSA must submit POA&Ms to OMB upon request." and “Capture information security program and system weaknesses that require mitigation IAW the processes described in GSA CIO-IT 09-44. POA&Ms shall be updated quarterly.”

POA&Ms must include all known IT security weaknesses associated with information systems and GSA’s overall information security program. Weakness information is gathered and reported using the most current GSA POA&M Template. The POA&M Google Sheet template includes four quarterly update sheets, one for each quarter of the fiscal year. GSA OCISO ISP Division reviews POA&Ms quarterly and coordinates reviews with the ISSOs and ISSMs. The reviews are focused on ensuring POA&Ms are accurately documented and progress is made on resolving POA&M items in line with agency-wide priorities and risk tolerance. The ISP Division prepares status reports of their reviews and provides those reports to ISSOs, ISSMs, the CISO, and AOs and System Owners, as required. The ISP Division collects data on POA&Ms and reports to OMB, as requested by data calls and required by FISMA reporting instructions.

ISP manages all system and program level POA&Ms in Google Team Drives.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Vendors/contractors that process and host GSA information are bound by CIO 2100.1, the terms of their contracts, and OMB Memoranda and CIO-IT 06-30 to develop system POA&Ms and maintain them.

3.13.5 Information System Inventory (PM-5)

The organization develops and maintains an inventory of its information systems.

PM-5 Control Enhancement Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-5 Control Implementation

GSA Control Type Implementation:

The OCISO uses GSA EA Analytics and Reporting (GEAR) to maintain an up-to-date inventory of GSA FISMA systems. The following FISMA system attributes are maintained for each FISMA system:

• Responsible Organization

• FISMA System Name

• Federal or Contractor Designation

• FIPS 199 impact level

• Authority-to-Operate (ATO) date

• ATO Type

• ATO Renewal Date

• If a Complete Assessment was conducted during the current fiscal year

• If the system contains Personally Identifiable Information (PII)

• If the system is Cloud Hosted

• If cloud hosted:

o Cloud Service Provider

o Type of Cloud Service

• Link to the ATO Letter

GEAR also maintains:

• FISMA Points of Contact (Information Systems Security Officer, Information Systems Security Manager, System Owner, and Authorizing Official)

• Inactive FISMA Systems (i.e., Disposed/Decommissioned systems) and the date of disposal (inactive date)
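The attribute list above describes an inventory record; an inventory is only useful for risk management if its records are complete and current. The following added example (not GEAR code; the field names, the record layout and the sample systems are assumptions constructed for illustration) runs the consistency checks a program office would want over such records: every listed attribute present, the cloud-only attributes present only when the system is cloud hosted, the ATO renewal date not already past, and inactive systems carrying their inactive date.

```python
"""Consistency checks over a FISMA system inventory shaped like the GEAR
attribute list above.  Added example: the field names, record layout and
sample systems below are constructed for illustration, not GEAR's schema."""
from datetime import date

# Date the checks are evaluated against (the guide's own date, used as "today").
AS_OF = date(2018, 3, 14)

# One field per attribute the page lists for every active FISMA system.
REQUIRED = (
    "responsible_org", "system_name", "federal_or_contractor",
    "fips199_impact", "ato_date", "ato_type", "ato_renewal_date",
    "complete_assessment_this_fy", "contains_pii", "cloud_hosted",
    "ato_letter_link",
)
# Attributes the page requires only for cloud hosted systems.
CLOUD_ONLY = ("cloud_service_provider", "cloud_service_type")
VALID_IMPACT = {"Low", "Moderate", "High"}


def check_system(rec, today):
    """Return a list of findings (strings) for one inventory record."""
    findings = []
    name = rec.get("system_name", "<unnamed>")
    if rec.get("status") == "Inactive":
        # Disposed/decommissioned systems are tracked with their inactive date only.
        if not rec.get("inactive_date"):
            findings.append(f"{name}: inactive system missing inactive date")
        return findings
    for field in REQUIRED:
        value = rec.get(field)
        if value is None or value == "":   # False is a valid value for the flags
            findings.append(f"{name}: missing attribute '{field}'")
    if rec.get("fips199_impact") not in VALID_IMPACT:
        findings.append(f"{name}: invalid FIPS 199 impact level")
    if rec.get("cloud_hosted"):
        for field in CLOUD_ONLY:
            if not rec.get(field):
                findings.append(f"{name}: cloud hosted but missing '{field}'")
    renewal = rec.get("ato_renewal_date")
    if renewal and renewal < today:
        findings.append(f"{name}: ATO renewal date {renewal} has passed")
    return findings


def check_inventory(records, today):
    """Run check_system over every record and collect all findings."""
    out = []
    for rec in records:
        out.extend(check_system(rec, today))
    return out


# Constructed sample inventory: one clean record, one cloud hosted record with a
# missing cloud attribute and a lapsed renewal date, one inactive record.
SAMPLE_INVENTORY = [
    {"responsible_org": "Example Office", "system_name": "Sys-A",
     "federal_or_contractor": "Federal", "fips199_impact": "Moderate",
     "ato_date": date(2017, 3, 1), "ato_type": "Full",
     "ato_renewal_date": date(2020, 3, 1), "complete_assessment_this_fy": True,
     "contains_pii": False, "cloud_hosted": False,
     "ato_letter_link": "https://example.invalid/ato/sys-a"},
    {"responsible_org": "Example Office", "system_name": "Sys-B",
     "federal_or_contractor": "Contractor", "fips199_impact": "Low",
     "ato_date": date(2014, 12, 31), "ato_type": "Full",
     "ato_renewal_date": date(2017, 12, 31), "complete_assessment_this_fy": False,
     "contains_pii": True, "cloud_hosted": True,
     "cloud_service_provider": "Example CSP",
     "ato_letter_link": "https://example.invalid/ato/sys-b"},
    {"system_name": "Sys-C", "status": "Inactive"},
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY, AS_OF):
        print(finding)
```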

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.6 Information Security Measures of Performance (PM-6)

The organization develops, monitors, and reports on the results of information security measures of performance.

PM-6 Control Enhancement Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-6 Control Implementation

GSA Control Type Implementation:

The GSA leadership team develops Information Security Performance measures for each fiscal year. These performance metrics are aligned with the GSA IT goals to operate efficiently, deliver business value, and lead IT innovation across the Federal Government, and to continue to transform GSA IT. Various security performance elements are derived from these goals, and Information Security (IS) metrics are created for each performance element. The performance metrics for each fiscal year are also influenced by external OMB and DHS reporting requirements and Cross-Agency Priority (CAP) goals.

GSA also provides security performance progress updates on GSA’s Information Security Program by responding to periodic OMB and DHS data calls. GSA currently provides responses to quarterly and annual FISMA metrics, monthly Cyberscope data feeds, quarterly Integrated Data Collection (IDC) metrics on Security and Privacy and FedRAMP Key Metrics, quarterly PortfolioStat updates, annual Cyberstat sessions, quarterly President’s Management Council (PMC) Cybersecurity Agency self-assessment, and bi-annual Trusted Internet Connections (TIC) POA&M.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.7 Enterprise Architecture (PM-7)

The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

PM-7 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA Office of Enterprise Planning and Governance (IE) / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA Office of Enterprise Planning and Governance (IE) / System Specific Control / Hybrid Control / Not applicable

PM-7 Control Implementation

GSA Control Type Implementation:

GSA’s Office of Enterprise Planning and Governance (IDR) in GSA IT is responsible for GSA’s enterprise architecture and is responsible for:

• Developing and maintaining GSA’s current (As-Is) and target (To-Be) architecture and working with GSA business units to develop segment and solution architecture plans

• Developing the IT service strategy, design, and transition planning

• Developing and implementing IT Policy

GSA Order CIO 2110.4, “GSA Enterprise Architecture Policy” utilizes GSA’s strategic goals, mission and support services, data, and enabling technologies to communicate the business vision and target architecture in conjunction with the GSA Performance Management, Capital Planning and Investment Control (CPIC), and Solutions Life Cycle (SLC) processes.

The GSA Enterprise Architecture follows GSA’s SLC methodology, which ensures holistic security, including enterprise architecture and governance, is incorporated into the system from inception rather than retrofitted after the fact.

The following are security integration points with Enterprise Architecture:

• Providing a common repository for application and FISMA inventory management

• Reviewing system architectures to ensure security compliance

• Facilitating all testing needed for initial ATO and periodic reauthorizations

• Providing on-request security consulting

The Security Engineering Division (ISE) in OCISO is also developing a Security Engineering Framework to facilitate integration of security standards/requirements into the SDLC, ensuring secure outcomes as a matter of routine. Information Technology contracts will be reviewed by the OCISO before release to the public and system architectures reviewed and approved before system development.

GSA/Internally Operated System System-Specific Expectation: None.


Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.8 Critical Infrastructure Plan (PM-8)

The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-8 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

Vendor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-8 Control Implementation

This control is Not Applicable to GSA.

3.13.9 Risk Management Strategy (PM-9)

The organization:

a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;

b. Implements the risk management strategy consistently across the organization; and

c. Reviews and updates the risk management strategy [annually] or as required, to address organizational changes.

PM-9 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-9 Control Implementation

GSA Control Type Implementation:

GSA’s Risk Management Strategy (RMS) is a common control provided by the GSA OCISO Policy and Compliance Division (ISP). The RMS provides a comprehensive approach for managing risks associated with GSA information systems in accordance with Federal laws, regulations, and requirements; and establishes GSA guidance and processes for all operating units and GSA Services and Staff Offices (S/SO) to follow. The strategy is disseminated via the GSA IT Security InSite page.

The Risk Management Strategy is reviewed and updated at least annually.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.10 Security Authorization Process (PM-10)

The organization:

a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;

b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

c. Fully integrates the security authorization processes into an organization-wide risk management program.

PM-10 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-10 Control Implementation

GSA Control Type Implementation:

GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk,” defines GSA’s security authorization processes. This guide is provided by the GSA OCISO Policy and Compliance Division (ISP). The guide describes key activities in managing the security state of GSA information systems through the use of processes adapted from NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” It has been updated to show the alignment between the RMF and NIST’s, “Framework for Improving Critical Infrastructure Cybersecurity,” commonly referred to as the Cybersecurity Framework (CSF), as required by Executive Order (EO) 13800, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

The processes defined in CIO-IT Security-06-30 are integrated into GSA’s risk management program via required risk assessments, vulnerability management, and POA&M processes described therein.

GSA has implemented several A&A processes for the purpose of ensuring risks to GSA IT resources are reduced to the extent possible based on budget constraints, business requirements and other resource issues. These processes and the criteria required for each are outlined below. For process-specific details, refer to the document references within the table below.

A&A Process Requirements

Each entry below names an A&A Process/Program followed by its Qualifying Criteria.

GSA Standard A&A Process

• All new and existing GSA information systems that do not fall under one of the other A&A processes

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk.”

Lightweight Security Authorization Process

• New GSA information systems pursuing an agile development methodology

• Reside on infrastructures that have a GSA ATO concurred to by the CISO or a Federal Risk and Authorization Management Program (FedRAMP) ATO

• Must be FIPS 199 Low or Moderate

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-14-68, “Lightweight Security Authorization Process.”

GSA Salesforce Process

• Applicable to applications that integrate into the main Salesforce.com application and are hosted on Salesforce.com's infrastructure

• Applications developed for internal and external GSA use published on the Salesforce Platform

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-11-62, “GSA’s Security Implementation of the Salesforce Platform.”

Security Reviews for Low Impact Software as a Service Solutions Process

• Private sector cloud computing Software as a Service (SaaS) solutions that are implemented within GSA

• Limited duration

• Data already in the public domain or data is non-sensitive and is considered FIPS 199 low impact

• GSA would be caused limited harm regardless of the consequence of an attack or compromise

• Dollar cost for such deployments does not exceed $100,000 annually

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-16-70, “Security Reviews for Low Impact Software as a Service (SaaS) Solutions.”

GSA Agency FedRAMP Process

• A Cloud Service Provider (CSP) requesting GSA Agency sponsorship into FedRAMP

• GSA accepts sponsoring the CSP

• GSA determines CSP’s security authorization package will be considered FedRAMP compliant

• Document Reference: Documents available on the FedRAMP.gov website.

Moderate Impact Software as a Service (SaaS) Security Authorization Process

• New GSA information systems pursuing an agile development methodology

• Reside on infrastructures that have a GSA ATO concurred to by the CISO or a Federal Risk and Authorization Management Program (FedRAMP) ATO

• Must be FIPS 199 Moderate

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-18-88, “Moderate Impact Software as a Service (MiSaaS) Security Authorization Process.”

GSA Subsystem Process

• Classified as a subsystem (and not a Salesforce application)

• Majority of IT security controls provided by the hosting system in which it operates

• FIPS 199 Low or Moderate

• FIPS 199 level can be below the level of the hosting system

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk,” Section 3.2.7.

GSA Information Security Continuous Monitoring (ISCM) Program

• Must have received an initial ATO based on assessing all of the NIST SP 800-53 controls in its control set and a complete ATO package.

• The information system must adhere to GSA’s continuous monitoring processes and procedures as described in CIO-IT Security-12-66, including:

- Deploying GSA’s CDM and other enterprise ISCM tools and verifying they are operating on the platforms listed in the GSA Continuous Monitoring Enterprise Management Tools Google Sheet.

- Maintaining the ISCM manual processes described in Appendix A of CIO-IT Security-12-66.

• Updating the system’s documentation as described in Appendix A of CIO-IT Security-12-66.

• Document Reference: GSA IT Security Procedural Guide: CIO-IT Security-12-66, “Information Security Continuous Monitoring Strategy.”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.11 Mission/Business Process Definition (PM-11)

The organization:

a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

PM-11 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-11 Control Implementation

GSA Control Type Implementation:

All GSA Service and Staff Offices (S/SO) have a defined mission. Each S/SO further defines business processes supporting the S/SO mission, and IT systems are developed to implement and execute those business processes. The GSA OCISO ISE division reviews information system architectures to ensure security compliance.

GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk” defines the GSA risk management process, specifically the security authorization process GSA has implemented for information systems to obtain a full authorization to operate (ATO). The guide describes the key activities in managing enterprise-level risk as described in NIST SP 800-37. As part of the processes described in CIO-IT Security-06-30, the mission/business process of systems is documented along with a categorization of the system IAW FIPS 199, FIPS 200, and NIST SP 800-60 Volumes I and II resulting in a baseline set of security controls providing the system its protection needs. As necessary, security controls, features, or mechanisms are tailored for each process and system to ensure systems obtain the protection needed for them and their data.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.12 Insider Threat Program (PM-12)

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

PM-12 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA Office of Mission Assurance (OMA) / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA Office of Mission Assurance (OMA) / System Specific Control / Hybrid Control / Not applicable


PM-12 Control Implementation

GSA Control Type Implementation:

The Insider Threat Program (ITP) is established as a GSA-wide program to protect all GSA personnel, facilities, and automated systems from insider threats. This program seeks to prevent espionage, violent acts against the Nation or GSA, or the unauthorized disclosure of classified information; deter cleared employees from becoming insider threats; detect employees who pose a risk to classified information systems and classified information; and mitigate the risks to the security of classified information through administrative, investigative, or other responses. The GSA ITP complies with E.O. 13587 “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information” and the November 21, 2012, Presidential Memorandum “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.”

GSA’s Office of Mission Assurance (OMA) outlines the responsibilities designed to enable the ITP to gather, integrate, centrally analyze, and respond appropriately to key threat-related information in GSA Order ADM 2400.1A, “Insider Threat Program.” The Order provides detail on the responsibilities of GSA Heads of Services and Staff Offices (HSSO), GSA Regional Administrators (RA), the Senior Agency Official for Insider Threat, The Office of Human Resources Management (OHRM), the Office of the Chief Financial Officer, the Office of General Counsel (OGC), the Office of Chief Information Officer (OCIO), and the Office of the Inspector General (OIG).

All credible Insider Threat Information will be coordinated and shared with the OIG, which will then take action as the OIG deems appropriate, including coordinating with other law enforcement agencies, such as the Federal Bureau of Investigation. The ITP shall consult with records management, legal counsel, and civil liberties and privacy officials to ensure any legal, privacy, civil rights, and civil liberties issues (including, but not limited to, the use of personally identifiable information) are appropriately addressed.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.13 Information Security Workforce (PM-13)

The organization establishes an information security workforce development and improvement program.

PM-13 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-13 Control Implementation

GSA Control Type Implementation:

The GSA OCISO Policy and Compliance Division (ISP) provides an information security workforce development and improvement program. ISP provides security awareness training annually and provides role-based training for personnel with security responsibilities. ISP provides role-based training on any emerging topics or technology that would help employees in those roles perform their job functions better. For more information on the information security workforce development and improvement program, please refer to procedures in GSA IT Security Procedural Guide: CIO-IT Security-05-29, “Security Awareness and Role Based Training Program.”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.14 Testing, Training, and Monitoring (PM-14)

The organization:

a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:

1. Are developed and maintained; and

2. Continue to be executed in a timely manner;

b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-14 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-14 Control Implementation

GSA Control Type Implementation:

The four Office of the Chief Information Security Officer (OCISO) Divisions, Security Engineering (ISE); Security Operations (ISO); Policy and Compliance (ISP); and Information System Security Officer (ISSO) Support (IST), provide:

• Security testing support for assessing GSA systems

• Training for various internal GSA processes, including but not limited to assessment and authorization processes, POA&M management, continuous monitoring, vulnerability scanning, firewall requests, and incident response.

• Monitoring of GSA systems for those same processes (e.g., monitoring that A&A status and POA&Ms are maintained, monitoring vulnerabilities through scanning, and monitoring systems and activities for incidents).

The divisions develop, maintain, and collaborate on updates of GSA IT Security policies, procedural guides, templates, and documents which support testing, training, and monitoring of GSA’s security processes. The documents produced are disseminated via the GSA IT Security InSite page.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.15 Contacts with Security Groups and Associations (PM-15)

The organization establishes and institutionalizes contact with selected groups and associations within the security community:

a. To facilitate ongoing security education and training for organizational personnel;

b. To maintain currency with recommended security practices, techniques, and technologies; and

c. To share current security-related information including threats, vulnerabilities, and incidents.

PM-15 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-15 Control Implementation

GSA Control Type Implementation:

GSA OCISO security divisions establish and maintain contact with relevant Government and commercial groups and associations within the security community, including but not limited to US-CERT, US-CERT GFIRST, SANS, ISC2, and iSight Partners. The objective of maintaining these associations is to facilitate ongoing security education and training of organizational personnel with systems security responsibility.

Participating in these groups and associations enables the security staff to maintain currency with recommended security practices, techniques, and technologies. OCISO divisions may attend seminars, conferences, and vendor exhibits, and read various publications to stay current with security-related information such as threats, vulnerabilities, and incidents.

Any noteworthy information (e.g., threats, vulnerabilities, incidents) obtained is shared with appropriate agency stakeholders within GSA to facilitate security awareness.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.13.16 Threat Awareness Program (PM-16)

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

PM-16 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control / Not applicable

PM-16 Control Implementation

GSA Control Type Implementation:

The Security Engineering Division (ISE) in the OCISO manages GSA’s Threat Awareness Program, as described in GSA IT Security Procedural Guide: CIO-IT Security-01-02, “Incident Response.”

The ISE reviews indicators of compromise (e.g., domains/IP addresses of known malicious actors, hashes of malicious files, traffic excerpts of suspicious activity, etc.) from threat intelligence for actionable information and shares this information with relevant System Owners, US-CERT, and other government agencies as needed. US-CERT coordinates communication of threat intelligence information between GSA and other Federal agencies. ISE implements proactive blocking of IP addresses, URIs, hashes, and fraudulent email senders as necessary.
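The review-and-block step described above can be illustrated with a small matcher. This is an added example, not GSA or ISE code: the indicator values, the key=value log format, and the log lines are all constructed for the illustration, and the parent-domain matching (a listed domain also covers its subdomains) goes slightly beyond what the paragraph states.

```python
"""Match constructed log lines against an IOC list and derive block actions.

Added example, not GSA or ISE code. The IOC values, the key=value log format
and the log lines are constructed; the log format itself is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

FAKE_HASH = "0123456789abcdef" * 4   # constructed 64-hex "SHA-256"

# Constructed indicator set (documentation-reserved addresses and names).
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example"},
    "uri": {"http://update-check.example/dl/svc.exe"},
    "sha256": {FAKE_HASH},
    "sender": {"helpdesk@gsa-support.example"},
}

# Constructed proxy / mail gateway events; '-' marks a field with no value.
LOG_LINES = [
    "ts=2018-03-14T09:02:11Z src=10.1.4.22 dst=198.51.100.7 host=intranet.example uri=/ hash=- sender=-",
    f"ts=2018-03-14T09:05:40Z src=10.1.4.22 dst=203.0.113.45 host=update-check.example "
    f"uri=http://update-check.example/dl/svc.exe hash={FAKE_HASH} sender=-",
    "ts=2018-03-14T09:07:03Z src=10.1.7.9 dst=198.51.100.20 host=mail.example uri=- hash=- sender=HelpDesk@gsa-support.example",
    "ts=2018-03-14T09:09:55Z src=10.1.9.3 dst=203.0.113.45 host=cdn.other.example uri=/img.png hash=- sender=-",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn a key=value log line into a dict; '-' means the field is absent."""
    return {k: (None if v == "-" else v) for k, v in _KV.findall(line)}


def domain_hits(host, domains):
    """Exact or parent-domain match: a listed domain also covers its subdomains."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    indicator: str
    src: str     # internal address whose System Owner needs to be notified


def match_iocs(lines, iocs):
    """Return every indicator hit, one Match per (line, indicator type)."""
    matches = []
    for n, raw in enumerate(lines, start=1):
        f = parse_line(raw)
        src = f.get("src") or "unknown"
        if f.get("dst") in iocs["ip"]:
            matches.append(Match(n, "ip", f["dst"], src))
        d = domain_hits(f.get("host"), iocs["domain"])
        if d:
            matches.append(Match(n, "domain", d, src))
        if f.get("uri") in iocs["uri"]:
            matches.append(Match(n, "uri", f["uri"], src))
        h = (f.get("hash") or "").lower()
        if h in iocs["sha256"]:
            matches.append(Match(n, "sha256", h, src))
        s = (f.get("sender") or "").lower()
        if s in iocs["sender"]:
            matches.append(Match(n, "sender", s, src))
    return matches


def block_actions(matches):
    """Collapse matches into one block entry per indicator type."""
    actions = defaultdict(set)
    for m in matches:
        actions[m.ioc_type].add(m.indicator)
    return {k: sorted(v) for k, v in actions.items()}


def affected_sources(matches):
    """Internal sources that touched an indicator (owners to notify)."""
    return sorted({m.src for m in matches})


if __name__ == "__main__":
    ms = match_iocs(LOG_LINES, IOCS)
    for m in ms:
        print(f"line {m.line_no}: {m.ioc_type} {m.indicator} from {m.src}")
    print("block:", block_actions(ms))
    print("notify owners of:", affected_sources(ms))
```

The matcher separates the two outputs the paragraph describes: a per-type block list (what goes to the proxy, firewall, endpoint and mail controls) and the set of internal sources whose System Owners need the information.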

The following are the sources of threat information used by GSA OCISO. They include external entities such as US-CERT and iSight Partners as well as GSA enterprise network and security monitoring tools:

External Threat Sources:

iSight Portal - Allows for access to ThreatScape/iSIGHT Partners Vulnerability and Threat Reports.

DHS US-CERT - Communicates vendor specific security vulnerabilities and related availability of patches for mitigation.

Government Forum of Incident Response and Security Teams (GFIRST) - Forum for government-wide incident responders for knowledge and information sharing relative to threats facing government information systems.

Product vendors and industry advisory groups (e.g., SANS).

GSA Enterprise Network and Security Tools:

GSA Enterprise Logging Platform (ELP) - The ELP collects and correlates event log data from network devices across the network including Firewalls, IDP/IPS devices, Web Proxies, and Wireless Access Points.

FireEye Endpoint Security (HX series) - An endpoint-based solution that allows security analysts to conduct detailed investigations to identify and contain Indicators of Compromise (IOC) related to APT malware.

Bit9 - Deployed as an application whitelisting solution that identifies executables on GSA workstations/servers in a central repository for investigation into whether malware was executed on a device.

Palo Alto Wildfire - Cloud-based malware detection service which performs static and dynamic analysis of binary executables entering the GSA network. Alerts on detection of malware.

NetIQ - Identity Management Tool used for correlating VPN identifiers to users.

Nessus - A vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery, and vulnerability analysis.

McAfee ePO - ePO provides centralized event collection and reporting for McAfee antivirus software on GSA workstations and servers. It allows security analysts to investigate malware incidents and trends.

MaaS360 - The software management tool that GSA uses to deploy and inventory software on workstations and mobile devices.

FireEye MCIRT Portal - Allows for access to alerts from FireEye regarding threats.

CenturyLink Portal - Allows for access to alerts from the CenturyLink Security Operations Center.

Netsparker Cloud - Scalable multi-user online web application security scanning solution with built-in workflow tools that is used to configure, organize and report on GSA wide Netsparker scans. Netsparker Cloud utilizes deployed Netsparker agents as sensors to perform web application scans.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Control Type Expectation:

Not applicable.

3.14 Personnel Security (PS)

NIST Control    CSF Category Unique Identifier – Subcategories
PS-1            ID.GV-1, ID.GV-3, PR.IP-11
PS-2            PR.IP-11
PS-3            PR.AC-6, PR.DS-5, PR.IP-11
PS-4            PR.IP-11
PS-5            PR.IP-11
PS-6            PR.DS-5, PR.IP-11
PS-7            ID.AM-6, ID.GV-2, ID.SC-4, PR.AT-3, PR.IP-11, DE.CM-6
PS-8            PR.IP-11

3.14.1 Personnel Security Policy and Procedures (PS-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

b. Reviews and updates the current: 1. Personnel security policy [biennially]; and 2. Personnel security procedures [biennially].


PS-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

PS-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Personnel Security Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: “Background investigation requirements for access to GSA information systems (including contractor operations containing GSA information) shall comply with GSA Order CIO P 2181.1 GSA HSPD-12. Contractors requiring non-routine access to IT systems (contractor summoned for an emergency service call) are not required to have a personnel investigation and are treated as visitors and must be escorted while in a GSA facility.” and “There shall be no waivers to background investigations for IT access for GSA employees or contractors. A favorable initial fitness/suitability determination shall be granted before access to the GSA network or any GSA IT system.” Additional policies such as GSA Policy 9732.1D ADM P, “Suitability and Personnel Security” and GSA Order CIO P 2181.1, “Homeland Security Presidential Directive-12 Personal Identity Verification and Credentialing” provide additional guidance on personnel security.

GSA OCISO ISP has also defined agency-wide procedures regarding personnel security in GSA IT Security Procedural Guide: CIO-IT Security-03-23, “Termination and Transfer” and GSA IT Security Procedural Guide: CIO-IT Security-01-07, “Access Control.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page. Other GSA policies are updated on an as needed basis.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policies and guides or implement their own personnel security policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.14.2 Position Risk Designation (PS-2)

The organization:

a. Assigns a risk designation to all positions;

b. Establishes screening criteria for individuals filling those positions; and

c. Reviews and revises position risk designations [every three (3) years].

PS-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OHRM

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OHRM

System Specific Control

Hybrid Control

PS-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Position Risk Designation is a Common Control provided by OHRM. GSA Policy 9732.1D ADM P, “Suitability and Personnel Security,” assigns the Human Resources Office and the Security Office responsibility for designating the risk levels for all occupations in GSA and incorporating the risk level into the position designation for each series and grade. It also requires GSA Human Resources Offices to coordinate with the GSA Personnel Security Division to designate each position using the Position Designation System. GSA Human Resources Offices are responsible for coordinating with the Personnel Security Division in developing and implementing position categorization, designation, and personnel screening, termination, and transfers. Position risk designations are reviewed and updated, if necessary, every three (3) years.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policies and guides or implement their own personnel security policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.14.3 Personnel Screening (PS-3)

The organization:

a. Screens individuals prior to authorizing access to the information system; and

b. Rescreens individuals according to [national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions].

PS-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by OPM and DHS

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by OPM and DHS

System Specific Control

Hybrid Control

PS-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Personnel Security Policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls. The policy states: “Background investigation requirements for access to GSA information systems (including contractor operations containing GSA information) shall comply with GSA Order CIO P 2181.1 GSA HSPD-12. Contractors requiring non-routine access to IT systems (contractor summoned for an emergency service call) are not required to have a personnel investigation and are treated as visitors and must be escorted while in a GSA facility.” and “There shall be no waivers to background investigations for IT access for GSA employees or contractors. A favorable initial fitness/suitability determination shall be granted before access to the GSA network or any GSA IT system.” Additional policies such as GSA Policy 9732.1D ADM P, “Suitability and Personnel Security” and GSA Order CIO P 2181.1, “Homeland Security Presidential Directive-12 Personal Identity Verification and Credentialing” provide additional guidance on personnel security.

Personnel Screening is a Common Control provided by the Office of Personnel Management (OPM) and Department of Homeland Security (DHS). Screening (and re-screening) of individuals is provided by OPM and DHS (and their agents) prior to authorizing access to GSA information systems.

Re-Screening of individuals is provided by OPM and DHS (and their agents) according to position requirements. For national security clearances, a reinvestigation is required during the 5th year for a top secret security clearance, the 10th year for a secret security clearance, and the 15th year for a confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must have individuals working on/using GSA information systems comply with the GSA policies and guides for personnel screening. They may supplement this process by conducting their own personnel screening of the individual.

3.14.4 Personnel Termination (PS-4)

The organization, upon termination of individual employment:

a. Disables information system access within [24 hours after an approved Service Catalog Request indicating personnel termination];

b. Terminates/revokes any authenticators/credentials associated with the individual;

c. Conducts exit interviews that include a discussion of [privacy, disclosure, and confidentiality responsibilities];

d. Retrieves all security-related organizational information system-related property;

e. Retains access to organizational information and information systems formerly controlled by terminated individual; and

f. Notifies [supervisor and/or ISSMs/ISSOs] within [24 hours after approved Service Catalog Request indicating personnel termination has been serviced].

PS-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

PS-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Disabling information system access is initiated and facilitated by the supervisor/CO/COR of an individual. Retrieval of all information system-related property, which includes HSPD-12 cards, authentication tokens (USB for privileged access), laptops, etc., is a common control provided by IO and facilitated by the supervisor. Exit interviews are initiated and facilitated by the supervisor/CO/COR of an individual, ensuring that privacy, disclosure, and confidentiality responsibilities are reviewed with the person leaving. As part of the off-boarding of users, the supervisor/CO/COR is responsible for coordinating with IO to transfer organizational information and information systems, as appropriate, to appropriate individuals. For additional details, refer to GSA IT Security Procedural Guide: CIO-IT Security-03-23, “Termination and Transfer.”

GSA/Internally Operated System System-Specific Expectation:

The supervisor/CO/COR is responsible for notifying the appropriate ISSMs/ISSOs of a user’s off-boarding so they can take appropriate action at a system/application level.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must have individuals working/using GSA information systems comply with the GSA policies and guides regarding personnel termination processes and procedures. They may supplement this process by conducting their own personnel termination processes.

3.14.5 Personnel Transfer (PS-5)

The organization:

a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

b. Initiates [denial or modification of access privileges to specific information systems based on their new duties] within [3 days of an approved ServiceNow Ticket indicating personnel transfer];

c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

d. Notifies [supervisor and/or ISSMs/ISSOs] within [24 hours after approved ServiceNow Ticket indicating personnel transfer has been serviced].

PS-5 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control


PS-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Review of ongoing operational need for current logical and physical access by individuals is initiated and facilitated by the individual’s supervisor/CO/COR. The supervisor/CO/COR is responsible for initiating transfer procedures (with the individual) such as creating a Service Catalog Request, as necessary, to ensure the user’s access is adjusted as appropriate for their new assignment. For additional details, refer to GSA IT Security Procedural Guide: CIO-IT Security-03-23, “Termination and Transfer.”

GSA/Internally Operated System System-Specific Expectation:

The supervisor/CO/COR is responsible for notifying the appropriate ISSMs/ISSOs of a user’s transfer so they can take appropriate action at a system/application level.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must have individuals working/using GSA information systems comply with the GSA policies and guides regarding personnel transfer processes and procedures. They may supplement this process by conducting their own personnel transfer processes.

3.14.6 Access Agreements (PS-6)

The organization:

a. Develops and documents access agreements for organizational information systems;

b. Reviews and updates the access agreements [annually]; and

c. Ensures that individuals requiring access to organizational information and information systems:

1. Sign appropriate access agreements prior to being granted access; and

2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [at least annually].

PS-6 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control


PS-6 Control Implementation

GSA/Internally Operated System Common Control Implementation:

All GSA Federal and contractor personnel requiring access to organizational information and information systems are required to sign appropriate access agreements (i.e., IT General Rules of Behavior) per GSA Order CIO 2104.1, “GSA Information Technology (IT) General Rules of Behavior” prior to being granted access in agreement with GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy.”

GSA/Internally Operated System System-Specific Expectation: System/organization unique rules of behavior for systems must be provided when the System Owner and Authorizing Official determine unique Rules of Behavior are required.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors of contracted commercial IT resources/systems, not connected to GSA IT resources, must develop commercial IT system specific Rules of Behavior in accordance with GSA CIO Order 2104.1.

3.14.7 Third-Party Personnel Security (PS-7)

The organization:

a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;

b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;

c. Documents personnel security requirements;

d. Requires third-party providers to notify [Information System Security Manager, Information System Security Officer, System Owner, Custodian, Contracting Officer] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [3 business days]; and

e. Monitors provider compliance.

PS-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control


Hybrid Control

PS-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

All third party personnel (i.e., vendors/contractors) providing services or equipment to GSA must adhere to GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” regarding security roles and responsibilities and personnel security requirements. They must comply with GSA Order CIO P 2181.1, “Homeland Security Presidential Directive-12 Personal Identity Verification and Credentialing,” and GSA Order ADM P 9732.1, “Suitability and Personnel Security.” Notifications of transfers and terminations of personnel with organizational credentials and/or badges who have system privileges must be provided within 3 business days. GSA monitors compliance via contractual requirements.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are bound by CIO 2100.1, the terms of their contracts, and their corporate policies regarding third party personnel.

3.14.8 Personnel Sanctions (PS-8)

The organization:

a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

b. Notifies [appropriate personnel after coordinating with the servicing human resources office] within [3 business days] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

PS-8 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control


PS-8 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA Federal personnel are subject to sanctions as described in GSA Order CPO 9751.1, “Maintaining Discipline,” for delinquency or misconduct, including security violations.

Supervisors must coordinate with the servicing human resources office before sanctions are taken and before notifications of sanctions are further disseminated.

GSA/Internally Operated System System-Specific Expectation: Systems are expected to follow the same policy and process described for the Common Control Implementation.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are bound by CIO 2100.1, the terms of their contracts, and their corporate policies regarding personnel sanctions and notifications of sanctions.

3.15 Risk Assessment (RA)

NIST Control    CSF Category Unique Identifier – Subcategories
RA-1            ID.GV-1, ID.GV-3
RA-5            ID.RA-1, PR.IP-12, DE.CM-8, DE.DP-4, DE.DP-5, RS.CO-3, RS.MI-3

3.15.1 Risk Assessment Policy and Procedures (RA-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

b. Reviews and updates the current: 1. Risk assessment policy [biennially]; and 2. Risk assessment procedures [biennially].

RA-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable


GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

RA-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Risk Assessment policy and procedures is a common control provided by the GSA OCISO Policy and Compliance Division (ISP). Risk Assessment policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 3, Policy on Management Controls. The policy states: "Authorizing Officials must ensure risk assessments are performed and documented as part of assessment and authorization activities before a system is:

Placed into production;

When significant changes are made to the system;

At least every three (3) years, or

Via continuous monitoring based on continuous monitoring plans reviewed and accepted by the GSA CISO."

GSA OCISO ISP has also defined agency-wide risk assessment control procedures in GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk.” GSA’s security policy and procedural guides are disseminated via the IT Security InSite page.

CIO 2100.1 and CIO-IT Security-06-30 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must use GSA policies and guides regarding risk assessment policies and procedures. They may supplement them with their own risk assessment policies and procedures with the approval of the Authorizing Official (AO).

3.15.2 Vulnerability Scanning (RA-5)

The organization:

a. Scans for vulnerabilities in the information system and hosted applications [weekly for operating systems (OS)-including databases, monthly for web applications] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

1. Enumerating platforms, software flaws, and improper configurations;

2. Formatting checklists and test procedures; and

3. Measuring vulnerability impact;

c. Analyzes vulnerability scan reports and results from security control assessments;

d. Remediates legitimate vulnerabilities [Very High (Critical)/High vulnerabilities within 30 days; Moderate vulnerabilities within 90 days] in accordance with an organizational assessment of risk; and

e. Shares information obtained from the vulnerability scanning process and security control assessments with [Information System Security Officers] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

RA-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO Security Operations Division (ISO) maintains an enterprise vulnerability management program consisting of vulnerability and compliance/configuration scanning of GSA systems. The GSA OCISO Policy and Compliance Division (ISP), in collaboration with ISO, has developed GSA IT Security Procedural Guide: CIO-IT Security-17-80, “Vulnerability Management Process,” which describes the activities associated with the identification, reporting, tracking, and remediation of vulnerabilities within applicable GSA systems using various scanning tools. Scanning is conducted periodically in accordance with the parameters in the 06-30 Scanning Parameter Spreadsheet, and at least monthly. Vulnerability reports are made available/provided to ISSOs/designated Points of Contact by ISO and are reviewed and analyzed by the recipients on a regular basis as described in the guide, at least monthly. GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy” and GSA IT Security Procedural Guide: CIO-IT Security-06-30, “Managing Enterprise Risk” require remediation of Very High (Critical)/High vulnerabilities within 30 days and of Moderate vulnerabilities within 90 days.
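The remediation windows and scan cadence stated for RA-5 are the kind of thing an ISSO checks against a scan export. The following is an added example, not GSA code or part of CIO-IT Security-17-80: the findings, system names, vulnerability identifiers and scan dates are constructed, and treating Low findings as tracked without a hard deadline is an assumption, since the page states no window for them.

```python
"""Track RA-5 remediation windows and scan cadence over constructed scan data.

Added example, not GSA code. Windows come from the RA-5 parameters on this
page (Critical/High within 30 days, Moderate within 90 days; OS/database scans
weekly, web application scans monthly). Low findings having no hard deadline
is an assumption: the page states no window for them."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMEDIATION_DAYS = {"Critical": 30, "High": 30, "Moderate": 90}  # RA-5(d)
SCAN_CADENCE_DAYS = {"os": 7, "web": 30}                           # RA-5(a)


@dataclass(frozen=True)
class Finding:
    system: str          # system identifier (constructed)
    host: str
    vuln_id: str         # scanner plugin / vulnerability identifier (constructed)
    severity: str
    first_seen: date
    remediated: Optional[date] = None


# Constructed findings and scan dates; none of these are real GSA systems.
AS_OF = date(2018, 3, 14)
FINDINGS = [
    Finding("SYS-A", "web01", "VULN-1001", "High", date(2018, 1, 20)),
    Finding("SYS-A", "db01", "VULN-1002", "Moderate", date(2018, 1, 5)),
    Finding("SYS-B", "app02", "VULN-1001", "High", date(2018, 3, 1)),
    Finding("SYS-B", "app02", "VULN-1003", "Critical", date(2018, 1, 1), date(2018, 1, 25)),
    Finding("SYS-C", "fs03", "VULN-1004", "Low", date(2017, 12, 1)),
]
LAST_SCAN = {
    ("SYS-A", "os"): date(2018, 3, 10),
    ("SYS-A", "web"): date(2018, 2, 1),
    ("SYS-B", "os"): date(2018, 3, 13),
    ("SYS-B", "web"): date(2018, 3, 1),
}


def due_date(f):
    """Policy deadline for a finding, or None when no window applies."""
    days = REMEDIATION_DAYS.get(f.severity)
    return None if days is None else f.first_seen + timedelta(days=days)


def overdue(findings, as_of):
    """Open findings past their window, as (finding, days_overdue) pairs."""
    out = []
    for f in findings:
        d = due_date(f)
        if f.remediated is None and d is not None and as_of > d:
            out.append((f, (as_of - d).days))
    return out


def systemic(findings):
    """Open vuln_ids present on two or more systems: candidates for RA-5(e) sharing."""
    by_vuln = defaultdict(set)
    for f in findings:
        if f.remediated is None:
            by_vuln[f.vuln_id].add(f.system)
    return {v: sorted(s) for v, s in by_vuln.items() if len(s) >= 2}


def stale_scans(last_scan, as_of):
    """(system, scan kind) pairs whose most recent scan exceeds the cadence."""
    return sorted(
        key for key, when in last_scan.items()
        if (as_of - when).days > SCAN_CADENCE_DAYS[key[1]]
    )


if __name__ == "__main__":
    for f, late in overdue(FINDINGS, AS_OF):
        print(f"{f.system}/{f.host} {f.vuln_id} {f.severity}: {late} days past due")
    print("systemic:", systemic(FINDINGS))
    print("stale scans:", stale_scans(LAST_SCAN, AS_OF))
```

The deadline is computed from the date the finding was first reported, not from the latest scan, so a finding that keeps reappearing does not get its clock reset; the systemic check answers RA-5(e) directly by listing identifiers open on more than one system.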

GSA/Internally Operated System System-Specific Expectation:

System Owners/ISSOs are responsible for ensuring scans can successfully be run in accordance with CIO-IT Security-17-80.

System Owners/ISSOs shall maintain an accurate inventory of all IP addresses and hostnames utilized by the system, as well as provide access and credentials for the GSA vulnerability scans to properly run.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA guide and process or implement their own vulnerability scanning processes which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
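The remediation windows and the inventory/scan-access expectation described above, as an added example that is not GSA's or the ISO Division's tooling: a check over a constructed scan export that flags open findings past the 30-day (Very High/High) and 90-day (Moderate) windows, and reports hosts that are inventoried but never scanned or scanned but missing from the inventory. Hostnames, IP addresses, plugin ids and dates are constructed.

```python
from datetime import date, timedelta

# Remediation windows in days by severity, as the section quotes them from
# CIO 2100.1 and CIO-IT Security-06-30. Lower severities have no window
# stated here, so they are tracked but never reported as overdue.
REMEDIATION_DAYS = {"Critical": 30, "High": 30, "Moderate": 90}

# Constructed inventory the System Owner/ISSO would maintain (hostname -> IP).
INVENTORY = {
    "app01.example.test": "10.0.1.10",
    "db01.example.test": "10.0.1.20",
    "web01.example.test": "10.0.1.30",
}

# Constructed scan export: the hosts the scanner actually reached, plus one
# open finding per row. Plugin ids are placeholders, not real scanner ids.
SCANNED_HOSTS = {"app01.example.test", "db01.example.test", "old-test.example.test"}
FINDINGS = [
    {"host": "app01.example.test", "plugin": "PLUGIN-A", "severity": "Critical", "first_seen": "2018-01-02"},
    {"host": "app01.example.test", "plugin": "PLUGIN-B", "severity": "Moderate", "first_seen": "2018-02-20"},
    {"host": "db01.example.test", "plugin": "PLUGIN-C", "severity": "High", "first_seen": "2018-02-05"},
    {"host": "db01.example.test", "plugin": "PLUGIN-D", "severity": "Low", "first_seen": "2017-06-01"},
]


def deadline(finding):
    """Date by which the finding must be remediated, or None when the
    policy quoted above sets no window for its severity."""
    days = REMEDIATION_DAYS.get(finding["severity"])
    if days is None:
        return None
    return date.fromisoformat(finding["first_seen"]) + timedelta(days=days)


def overdue_findings(findings, as_of_iso):
    """Open findings past their remediation window on `as_of_iso`, most
    overdue first. Each result carries the deadline and the days late."""
    as_of = date.fromisoformat(as_of_iso)
    late = []
    for f in findings:
        due = deadline(f)
        if due is not None and as_of > due:
            late.append({**f, "due": due.isoformat(), "days_late": (as_of - due).days})
    return sorted(late, key=lambda r: r["days_late"], reverse=True)


def inventory_gaps(inventory, scanned_hosts):
    """Two coverage problems the RA-5 expectation is meant to prevent:
    inventoried hosts the scan never reached (an access, credential or
    network problem to resolve with the Scan Team) and scanned hosts that
    are missing from the inventory (the inventory is inaccurate).
    Returns (not_scanned, not_inventoried), each sorted."""
    not_scanned = sorted(set(inventory) - scanned_hosts)
    not_inventoried = sorted(scanned_hosts - set(inventory))
    return not_scanned, not_inventoried


if __name__ == "__main__":
    AS_OF = "2018-03-14"  # constructed review date
    for r in overdue_findings(FINDINGS, AS_OF):
        print(f"OVERDUE {r['host']} {r['plugin']} {r['severity']} "
              f"due {r['due']} ({r['days_late']} days late)")
    missing, extra = inventory_gaps(INVENTORY, SCANNED_HOSTS)
    print("inventoried but not scanned:", missing)
    print("scanned but not inventoried:", extra)
```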

3.15.2.1 Vulnerability Scanning | Update Tool Capability (RA-5 (1))

The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.

RA-5 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

RA-5 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA enterprise vulnerability management program scanning tools all include the capability to readily update the list of information system vulnerabilities scanned.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA guide and process or implement their own vulnerability scanning update processes which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.15.2.2 Vulnerability Scanning | Update By Frequency / Prior to New Scan / When Identified (RA-5 (2))

The organization updates the list of information system vulnerabilities scanned [continuously - before each scan] or when new vulnerabilities are identified and reported.

RA-5 (2) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

RA-5 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

As defined in GSA IT Security Procedural Guide: CIO-IT Security-17-80, “Vulnerability Management Process,” scanning tools are configured to auto-update (where possible during non-work hours) and, as necessary, the ISO Division scanning team will update the scanning tool vulnerability plug-ins prior to scanning systems.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA guide and process or implement their own vulnerability scanning update processes which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.15.2.3 Vulnerability Scanning | Privileged Access (RA-5 (5))

The information system implements privileged access authorization to [all information system components (as applicable, e.g., OS, DB, Web App, etc.)] for selected [all vulnerability scanning activities].

RA-5 (5) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

RA-5 (5) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA enterprise vulnerability management program scanning tools use privileged access via System Owner/ISSO accounts and authentication mechanisms on a case-by-case basis when more intrusive or sensitive scans need to be performed.

GSA/Internally Operated System System-Specific Expectation:

System Owners/ISSOs are responsible for coordinating the establishment of accounts with the GSA ISO Scan Team.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA guide and process or implement their own privileged access processes which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.16 System and Services Acquisition (SA)

NIST Control | CSF Category Unique Identifier – Subcategories
SA-1 | ID.GV-1, ID.GV-3
SA-4 | PR.IP-2, DE.CM-6

3.16.1 System and Services Acquisition Policy and Procedures (SA-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

b. Reviews and updates the current:

1. System and services acquisition policy [biennially]; and

2. System and services acquisition procedures [biennially].

SA-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SA-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

System and Services Acquisition policy and procedures is a common control provided by the GSA OCISO Policy and Compliance (ISP) and Security Engineering (ISE) Divisions in collaboration with GSA Acquisition staff. System and Services Acquisition policy is included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 1, The GSA Information Technology Security Program. Paragraph 11, Contractor Operations, provides policy statements indicating that contracts and task orders must include the security requirements from CIO 2100.1 and must allow the requirements/security controls to be verified/validated. Chapter 2 specifies security roles and responsibilities, including acquisition/contracting roles. GSA OCISO ISP has defined agency-wide IT acquisition procedures in GSA IT Security Procedural Guide: CIO-IT Security-09-48, “Security and Privacy Requirements for IT Acquisition Efforts.” GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and CIO-IT Security-09-48 are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own system and services acquisition policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.16.2 Acquisition Process (SA-4)

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

a. Security functional requirements;

b. Security strength requirements;

c. Security assurance requirements;

d. Security-related documentation requirements;

e. Requirements for protecting security-related documentation;

f. Description of the information system development environment and environment in which the system is intended to operate; and

g. Acceptance criteria.

SA-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

SA-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA’s Acquisitions/Contracting function is responsible for managing contracts and overseeing their implementation.

GSA IT Security Procedural Guide: CIO-IT Security-09-48, “Security and Privacy Requirements for IT Acquisition Efforts,” provides contract language that must be included in acquisition contracts involving the acquisition of information systems, components, or services to ensure compliance with the appropriate provisions of FISMA, OMB Circular A-130, FIPS, and NIST SP 800-series documents.

GSA/Internally Operated System System-Specific Expectation:

Program Managers/System Owners/ISSOs are responsible for coordinating with Acquisition personnel to ensure the information from CIO-IT Security-09-48 is included in acquisition contracts.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guide or implement their own acquisition processes which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17 System and Communications Protection (SC)

NIST Control | CSF Category Unique Identifier – Subcategories
SC-1 | ID.GV-1, ID.GV-3
SC-5 | PR.DS-4, DE.CM-1
SC-7 | PR.AC-5, PR.DS-5, PR.PT-4, DE.CM-1
SC-20 | PR.PT-4
SC-21 | PR.PT-4
SC-22 | PR.PT-4

3.17.1 System & Communications Protection Policy and Procedures (SC-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

b. Reviews and updates the current:

1. System and communications protection policy [biennially]; and

2. System and communications protection procedures [biennially].

SC-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

SC-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

System and Communications Protection policy and procedures is a common control provided by the GSA OCISO Security Engineering Division (ISE) in collaboration with the Policy and Compliance Division (ISP). System and Communications Protection policies are included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls, and Chapter 5, Policy on Technical Controls. The policies are in multiple subsections relating to such areas as firewall access, Trusted Internet Connections, encryption, and monitoring. GSA OCISO ISP, in collaboration with ISE and the Security Operations Division (ISO), has developed a number of technical and procedural guides addressing secure configuration of components, access control, key management, firewall changes, etc., which cover procedures involving system and communications protection. GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and GSA IT Security Procedural Guides are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/Contractors may defer to the GSA policy and guide or implement their own system and communications protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.2 Denial of Service Protection (SC-5)

The information system protects against or limits the effects of the following types of denial of service attacks: [network flooding attacks] by employing [perimeter and internal protection devices/techniques].

SC-5 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA

System Specific Control

Hybrid Control

SC-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO Security Operations Division (ISO) employs perimeter protection devices (e.g., firewalls) that can protect against or limit the effects of network flooding attacks.

GSA/Internally Operated System System-Specific Expectation: The System Owner is responsible for configuring the system in a manner that it can withstand network flooding attacks, including from internal sources, at the OS and application level. Such settings are generally recommended in GSA’s technical hardening guides developed by GSA Security Engineering Division (ISE).

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own denial of service policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.3 Boundary Protection (SC-7)

The information system:

a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

b. Implements subnetworks for publicly accessible system components that are [logically] separated from internal organizational networks; and

c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA information systems are protected by a range of enterprise security solutions that provide defense-in-depth protection to GSA OCISO systems. The Security Operations Division (ISO) in the OCISO is responsible for GSA perimeter boundary protection systems. All internal systems are protected by the GSA perimeter firewall, which provides analysis/correlation and a management structure and minimizes threats presented by external attacks. Services provided include a Trusted Internet Connection (TIC) for government-wide visibility into traffic, application layer firewalls to inspect application traffic for malicious activity, and other devices to analyze traffic for indicators of attacks, including Advanced Persistent Threat (APT) activity.

Site-to-Site VPNs to external networks or information systems that are not protected by the TIC shall terminate outside the TIC as applicable, or be protected by boundary protection devices as otherwise deemed necessary by GSA OCISO in accordance with GSA’s organizational security architecture.

All internal systems must be positioned behind the GSA perimeter firewall and request configuration changes consistent with least privilege and as specified in GSA IT Security Procedural Guide: CIO-IT Security-06-31, “Firewall Change Request.”

The Security Engineering Division (ISE) in the OCISO is responsible for managing the FireEye MCIRT Network Threat Detection service, which provides real-time tactical and strategic visibility and response capability against APT. The service involves vendor monitoring of network traffic originating on or received by GSA for indicators of compromise and providing a report of findings to the GSA. Sensors are installed at all GSA egress points. The devices are owned by FireEye and remotely managed by the FireEye MCIRT Network Operations Security Center (NOSC). All installed sensors remotely connect over an encrypted virtual private network (VPN) to the FireEye MCIRT NOSC. The appliances monitor traffic for network-based indicators of compromise providing:

● Full packet capture and analysis of suspicious sessions;

● Real-time alerts for known-bad traffic;

● Analyst reports covering confirmed attacker activity;

● Source and destination IP addresses, ports, domains;

● Compromised usernames/passwords used; and

● E-mail addresses of targeted spear phishing attacks.

GSA/Internally Operated System System-Specific Expectation:

System Owners/ISSOs are responsible for coordinating with GSA ISE and ISO Divisions to ensure proper placement and configuration of systems allows GSA’s boundary protection features to be effective.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own boundary protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.3.1 Boundary Protection | Access Points (SC-7 (3))

The organization limits the number of external network connections to the information system.

SC-7 (3) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-7 (3) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA perimeter network utilizes the Trusted Internet Connection (TIC) initiative, and has thus reduced the number of external network connections. Where deemed necessary, OCISO may authorize non-TIC connections for site-to-site connectivity to other trusted sites, or for user VPN access in accordance with TIC reference guidelines.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own boundary protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.3.2 Boundary Protection | External Telecommunications Services (SC-7 (4))

The organization:

a. Implements a managed interface for each external telecommunication service;

b. Establishes a traffic flow policy for each managed interface;

c. Protects the confidentiality and integrity of the information being transmitted across each interface;

d. Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

e. Reviews exceptions to the traffic flow policy [annually] and removes exceptions that are no longer supported by an explicit mission/business need.

SC-7 (4) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-7 (4) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA OCISO Security Operations Division (ISO) manages perimeter firewall policies and reviews access annually. Changes to the perimeter firewall rules are implemented in accordance with GSA IT Security Procedural Guide: CIO-IT Security-06-31, “Firewall Change Request.” The GSA OCISO Security Engineering Division (ISE) reviews information system architectures to ensure compliance with security controls, including external telecommunications connections at external boundaries.

GSA/Internally Operated System System-Specific Expectation:

System Owners are expected to manage and review their perimeter access rules (firewall policy) annually in accordance with GSA’s security architectural and network connectivity guidance.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own boundary protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.3.3 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5))

The information system, at managed interfaces, denies network traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

SC-7 (5) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-7 (5) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA OCISO Security Operations Division (ISO) manages the perimeter firewall policies, which default to deny all unless a specific firewall rule permits traffic, and reviews access rules annually. Changes to the perimeter firewall rules are implemented in accordance with GSA IT Security Procedural Guide: CIO-IT Security-06-31, “Firewall Change Request.”

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for maintaining a default restrictive perimeter firewall ruleset that denies all traffic unless permitted by a specific firewall rule.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own boundary protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
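The deny-by-default ruleset of SC-7 (5) and the documented, time-bound traffic-flow exceptions of SC-7 (4) d. and e. above, as an added example that is not GSA's firewall or Firewall Change Request tooling: a small policy evaluator that permits a flow only when a live, justified rule matches it, denies everything else, and lists the exceptions an annual review should remove because their stated need has lapsed or was never documented. The ruleset, addresses (RFC 5737 documentation ranges) and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One permit-by-exception rule. Anything not matched by a live rule
    is denied (SC-7 (5): deny all, permit by exception)."""
    name: str
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None = any port
    need: str               # documented mission/business need (SC-7 (4) d.)
    expires: Optional[str]  # ISO date the need ends; None = standing rule


# Constructed ruleset, evaluated top to bottom.
RULES: List[Rule] = [
    Rule("public-web", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443,
         "Public web front end", None),
    Rule("partner-sftp", "198.51.100.0/24", "203.0.113.20/32", "tcp", 22,
         "Partner file exchange for a fixed-term data load", "2018-01-31"),
    # An exception with no documented need: never honoured, flagged at review.
    Rule("admin-rdp", "0.0.0.0/0", "203.0.113.0/24", "tcp", 3389, "", None),
]


def is_live(rule: Rule, as_of: date) -> bool:
    """A rule counts only if its need is documented and has not expired."""
    if not rule.need:
        return False
    return rule.expires is None or as_of <= date.fromisoformat(rule.expires)


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """Five-tuple match of one flow against one rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
           as_of_iso: str) -> Tuple[str, Optional[str]]:
    """Return ("permit", rule_name) for the first live matching rule,
    otherwise ("deny", None): the default is deny."""
    as_of = date.fromisoformat(as_of_iso)
    for rule in rules:
        if is_live(rule, as_of) and matches(rule, src, dst, proto, dport):
            return "permit", rule.name
    return "deny", None


def review_exceptions(rules: List[Rule], as_of_iso: str) -> List[str]:
    """Annual review (SC-7 (4) e.): names of rules to remove because their
    need has expired or was never documented."""
    as_of = date.fromisoformat(as_of_iso)
    return [r.name for r in rules if not is_live(r, as_of)]


if __name__ == "__main__":
    AS_OF = "2018-03-14"  # constructed review date
    flows = [
        ("192.0.2.5", "203.0.113.10", "tcp", 443),    # permitted by standing rule
        ("192.0.2.5", "203.0.113.10", "tcp", 80),     # no rule: default deny
        ("198.51.100.7", "203.0.113.20", "tcp", 22),  # exception expired: deny
        ("192.0.2.5", "203.0.113.30", "tcp", 3389),   # undocumented rule: deny
    ]
    for f in flows:
        print(f, "->", decide(RULES, *f, AS_OF))
    print("remove at review:", review_exceptions(RULES, AS_OF))
```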

3.17.3.4 Boundary Protection | Prevent Split Tunneling for Remote Devices (SC-7 (7))

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

SC-7 (7) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-7 (7) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA client VPN policies prevent systems from being dual-homed and connected to external networks simultaneously with being connected to the GSA network.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own boundary protection policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.4 Secure Name / Address Resolution Service (Authoritative Source) (SC-20)

The information system:

a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-20 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-20 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA manages Domain Name System Security Extensions (DNSSEC) compliant servers for all GSA managed DNS records. Any exceptions are to be made on a case by case basis by GSA CISO and GSA OCISO. The System Owner is responsible for utilizing DNSSEC compliant servers.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own Secure Name/Address Resolution Service (Authoritative Source) policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.17.5 Secure Name / Address Resolution Service (Recursive or Caching Resolver) (SC-21)

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-21 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SC-21 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Internal GSA Domain Name System (DNS) resolvers are configured to attempt validation of any DNS Security Extensions (DNSSEC) enabled responses they receive and to return the appropriate response code. System Owners are responsible for using validating recursive caching DNS servers in accordance with this control's requirement.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own Secure Name/Address Resolution Service (Recursive or Caching Resolver) policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
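The check a System Owner would run to confirm that a resolver meets SC-21 (and that the SC-20 authoritative records it serves actually validate) is shown below as an added Python example; it is not part of the GSA document and is not GSA tooling. It builds a query with the EDNS0 DO bit, reads the AD bit and RCODE from the reply, and shows how a second query with CD=1 separates a DNSSEC validation failure from an ordinary resolver failure. The constructed responses (`make_response`) stand in for real resolver output so the example runs offline; `probe` sends the same query to a real resolver and is the only part that needs a network. The zone name and the 192.0.2.1 answer are assumptions for illustration.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name):
    """Encode a dotted name as DNS labels ("gsa.gov" -> b"\\x03gsa\\x03gov\\x00")."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, do=True, cd=False):
    """Build a query for `name`. DO=1 asks for DNSSEC records; CD=1 asks the resolver
    to skip validation (used to tell a validation failure from a generic failure)."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if do:
        # EDNS0 OPT pseudo-RR: root name, type 41, UDP size 4096, DO bit in the TTL field.
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F, "ancount": an}


def classify(msg):
    """What a validating resolver's answer tells us."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"      # validation failure or resolver trouble; see servfail_due_to_validation
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "VALIDATED"     # resolver validated the chain of trust
    if h["rcode"] == RCODE_NOERROR:
        return "UNVALIDATED"   # zone unsigned, or resolver is not validating
    return "RCODE%d" % h["rcode"]


def servfail_due_to_validation(resp_normal, resp_cd):
    """True when the normal query fails but the same query with CD=1 succeeds:
    the resolver is validating and the zone's signatures did not validate."""
    return classify(resp_normal) == "SERVFAIL" and parse_header(resp_cd)["rcode"] == RCODE_NOERROR


def make_response(query, rcode=RCODE_NOERROR, ad=False, answer_ip=None):
    """Constructed sample response for offline use (not real resolver output)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0xF)
    end = 12
    while query[end] != 0:          # walk the labels of the question name
        end += query[end] + 1
    end += 1 + 4                    # terminating zero, QTYPE, QCLASS
    question = query[12:end]
    answer, ancount = b"", 0
    if rcode == RCODE_NOERROR and answer_ip:
        # One A record; 0xC00C is a compression pointer back to the question name.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def probe(resolver, name, cd=False, timeout=3.0):
    """Send a real query over UDP and classify the reply (needs network access)."""
    q = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


if __name__ == "__main__":
    q = build_query("example.gov")
    for label, r in [("signed and validated", make_response(q, ad=True, answer_ip="192.0.2.1")),
                     ("unvalidated", make_response(q, answer_ip="192.0.2.1")),
                     ("broken signatures", make_response(q, rcode=RCODE_SERVFAIL))]:
        print(label, "->", classify(r))
```

The AD bit only means something when the path between the client and the resolver is trusted (the resolver is on the host or reached over a protected channel); on an untrusted path anything in the middle can set it. A SERVFAIL alone is not proof of a validation failure, which is why the CD=1 re-query is part of the check.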

3.17.6 Architecture and Provisioning for Name-Address Resolution Service (SC-22)

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-22 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SC-22 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA Domain Name System (DNS) architecture follows common best practices: it is fault tolerant and separates internal and external DNS roles. System Owners are responsible for adhering to policy for any system that does not use GSA DNS servers.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own Architecture and Provisioning for Name-Address Resolution Service policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18 System and Information Integrity (SI)

NIST Control | CSF Category Unique Identifier – Subcategories
SI-1 | ID.GV-1, ID.GV-3
SI-3 | DE.CM-4, DE.DP-3
SI-4 | ID.RA-1, PR.DS-5, PR.IP-8, DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-1, DE.CM-5, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.CO-3, RS.AN-1
SI-5 | ID.RA-1, ID.RA-2, ID.RA-3, RS.CO-5, RS.AN-5
SI-7 | PR.DS-6, PR.DS-8
SI-8 | DE.CM-4

3.18.1 System & Information Integrity Policy & Procedures (SI-1)

The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners, Acquisitions/Contracting Officers, Custodians]:

1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

b. Reviews and updates the current:

1. System and information integrity policy [biennially]; and

2. System and information integrity procedures [biennially].

SI-1 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

System and Information Integrity policy and procedures is a common control provided by the GSA OCISO Security Engineering Division (ISE) and Security Operations Division (ISO) in collaboration with the Policy and Compliance Division (ISP). System and Information Integrity policies are included in GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” Chapter 4, Policy on Operational Controls, and Chapter 5, Policy on Technical Controls. The policies appear in multiple subsections covering areas such as data integrity, production and input/output controls, security advisory alert handling, logical access controls, audit records, vulnerability testing, malicious code protection, and Trusted Internet Connection (TIC). GSA OCISO ISP, in collaboration with ISE and ISO, has developed a number of technical and procedural guides addressing secure configuration of components, access control, key management, firewall changes, etc., which cover procedures involving system and information integrity. GSA’s security policy and procedural guides are disseminated via the GSA IT Security InSite page.

CIO 2100.1 and GSA IT Security Procedural Guides are reviewed and updated at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guides or implement their own system and information integrity policies and procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.2 Malicious Code Protection (SI-3)

The organization:

a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

c. Configures malicious code protection mechanisms to:

1. Perform periodic scans of the information system [GSA S/SO or Contractor recommended frequency to be approved by the GSA AO] and real-time scans of files from external sources at [endpoint, network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and

2. [Block or quarantine malicious code, send alert to administrator; send alert to log] in response to malicious code detection; and

d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA employs a variety of anti-malware controls, including Tripwire and Bit9. Included in GSA’s tools are signature and nonsignature-based antivirus/antimalware, application whitelisting, perimeter firewalls and spam filtering on mail servers, and all are configured in accordance with GSA policy. GSA malicious code protection tools are all centrally managed and monitored. GSA also configures its antimalware/malicious code protection tools to automatically update and be pushed to systems in accordance with configuration management and testing processes and procedures.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for ensuring that their systems utilize the GSA antimalware/malicious code protection solutions or a solution with similar capabilities.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own malicious code protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.2.1 Malicious Code Protection | Central Management (SI-3 (1))

The organization centrally manages malicious code protection mechanisms.

SI-3 (1) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-3 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA antimalware systems, such as Tripwire and Bit9, are all centrally managed and monitored.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for ensuring that their systems utilize the GSA antimalware/malicious code protection solutions or a solution with similar capabilities.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own malicious code protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.2.2 Malicious Code Protection | Automatic Updates (SI-3 (2))

The information system automatically updates malicious code protection mechanisms.

SI-3 (2) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-3 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA configures its antimalware/malicious code protection tools, such as Tripwire and Bit9, to automatically update and be pushed to systems in accordance with configuration management and testing processes and procedures.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for ensuring that their systems utilize the GSA antimalware/malicious code protection solutions or a solution with similar capabilities.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own malicious code protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.3 Information System Monitoring (SI-4)

The organization:

a. Monitors the information system to detect:

1. Attacks and indicators of potential attacks in accordance with [ensuring the proper functioning of internal processes and controls in furtherance of regulatory and compliance requirements; examining system records to confirm that the system is functioning in an optimal, resilient, and secure state; identifying irregularities or anomalies that are indicators of a system malfunction or compromise]; and

2. Unauthorized local, network, and remote connections;

b. Identifies unauthorized use of the information system through [a variety of sources including but not limited to continuous monitoring vulnerability scans, malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers];

c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;

d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

g. Provides [GSA S/SO or Contractor recommended information system monitoring information to be approved by the GSA AO] to [ISSM, ISSO, and System Program Managers who distribute the information to other personnel with system administration, monitoring, and/or security responsibilities] [within the timeframe(s) specified in the applicable system security plan].

SI-4 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

For proper configuration of the information system to support the requirements of this control please refer to GSA IT Security Procedural Guide: CIO-IT Security-01-08, “Audit and Accountability.”

GSA OCISO Security Operations Division (ISO) has implemented a variety of controls across the GSA enterprise, including IDS/IPS and other data sources that all feed into the Enterprise Logging Platform (ELP), which is used to identify unauthorized access to and use of systems in near real time. The level of monitoring is heightened if there is indication of elevated risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. GSA OCISO consults with the GSA Office of General Counsel (OGC) for legal opinion as necessary with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. The ELP is configured to alert appropriate personnel upon signs of compromise. Systems that are not connected to the ELP, or that are not protected by the GSA perimeter firewall, are responsible for meeting this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own information systems monitoring procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.3.1 Information System Monitoring | Automated Tools for Real-Time Analysis (SI-4 (2))

The organization employs automated tools to support near real-time analysis of events.

SI-4 (2) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-4 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO Security Operations Division (ISO) has implemented a variety of controls across the GSA enterprise, including IDS/IPS and other data sources that all feed into the Enterprise Logging Platform (ELP), which is used to identify unauthorized access to and use of systems in near real time. The ELP is configured to alert appropriate personnel upon signs of compromise. Systems that are not connected to the ELP, or that are not protected by the GSA perimeter firewall, are responsible for meeting this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own information systems monitoring procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.3.2 Information System Monitoring | Inbound and Outbound Communications Traffic (SI-4 (4))

The information system monitors inbound and outbound communications traffic [continuously] for unusual or unauthorized activities or conditions.

SI-4 (4) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-4 (4) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO Security Operations Division (ISO) has implemented a variety of controls across the GSA enterprise, including IDS/IPS and other data sources that all feed into the Enterprise Logging Platform (ELP), which is used to identify unauthorized access to and use of systems in near real time. The level of monitoring is heightened if there is indication of elevated risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. Systems that are not connected to the ELP, or that are not protected by the GSA perimeter firewall, are responsible for meeting this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own information systems monitoring procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.3.3 Information System Monitoring | System-Generated Alerts (SI-4 (5))

The information system alerts [all staff with system administration, monitoring, and/or security responsibilities including but not limited to ISSM, ISSO, System Program Managers, Sys/Net/App Admins, etc.] when the following indications of compromise or potential compromise occur: [compromise indicators may include but shall not be limited to the following:

- Protected system files or directories have been modified without notification from the appropriate change/configuration management channels.

- System performance indicates resource consumption that is inconsistent with expected operating conditions.

- Auditing functionality has been disabled or modified to reduce audit visibility.

- Audit or log records have been deleted or modified without explanation.

- The system is raising alerts or faults in a manner that indicates the presence of an abnormal condition.

- Resource or service requests are initiated from clients that are outside of the expected client membership set.

- The system reports failed logins or password changes for administrative or key service accounts.

- Processes and services are running that are outside of the baseline system profile.

- Utilities, tools, or scripts have been saved or installed on production systems without clear indication of their use or purpose].

SI-4 (5) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-4 (5) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO Security Operations Division (ISO) has implemented a variety of controls across the GSA enterprise, including IDS/IPS and other data sources that all feed into the Enterprise Logging Platform (ELP), which is used to identify unauthorized access to and use of systems in near real time. The level of monitoring is heightened if there is indication of elevated risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. The ELP is configured to alert appropriate personnel upon signs of compromise. Systems that are not connected to the ELP, or that are not protected by the GSA perimeter firewall, are responsible for meeting this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own information systems monitoring procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
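The SI-4 (5) indicator list is what the ELP's alert rules have to recognize. As an added Python example (not GSA's ELP configuration or any GSA tooling), the block below runs a handful of those rules over constructed log lines: failed logins and password changes for administrative accounts, the audit daemon being stopped, requests from clients outside the expected membership set, and processes outside the baseline profile. The account names, network ranges, process baseline and log lines are all assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Site-specific baselines; the values here are constructed for this example.
ADMIN_ACCOUNTS = {"root", "admin", "svc_backup"}
EXPECTED_CLIENTS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
BASELINE_PROCESSES = {"sshd", "nginx", "postgres", "auditd", "rsyslogd", "cron"}

# Constructed sample events: syslog lines from sshd/auditd/passwd on one host and
# access-log lines for an admin web interface, as an aggregator would receive them.
SAMPLE_LOGS = [
    "Mar 14 10:02:11 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 52210 ssh2",
    "Mar 14 10:02:13 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 52211 ssh2",
    "Mar 14 10:02:15 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 52212 ssh2",
    "Mar 14 10:03:40 web01 sshd[2230]: Accepted publickey for deploy from 10.20.1.14 port 40012 ssh2",
    "Mar 14 10:05:02 web01 auditd[811]: The audit daemon is exiting.",
    "Mar 14 10:06:30 web01 passwd[2301]: password changed for svc_backup",
    '10.20.1.14 - - [14/Mar/2018:10:07:01 -0500] "GET /admin/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Mar/2018:10:07:09 -0500] "POST /admin/login HTTP/1.1" 401 128',
]

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
PASSWD_CHANGE = re.compile(r"passwd\[\d+\]: password changed for (\S+)")
AUDIT_OFF = re.compile(r"auditd\[\d+\]: (?:The audit daemon is exiting|audit disabled)|auditctl: enabled=0")
CLIENT_REQ = re.compile(r'^(\S+) - \S+ \[[^\]]*\] "(?:GET|POST) (\S+)')


def scan_log_lines(lines):
    """Map each log line to the SI-4 (5) indicator it matches, keeping the evidence."""
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            if m.group(1) in ADMIN_ACCOUNTS:           # failed login for an administrative account
                alerts.append(("failed-admin-login", f"{m.group(1)} from {m.group(2)}"))
            continue
        m = PASSWD_CHANGE.search(line)
        if m:
            if m.group(1) in ADMIN_ACCOUNTS:           # password change on a key service account
                alerts.append(("admin-password-change", m.group(1)))
            continue
        if AUDIT_OFF.search(line):                     # auditing disabled or reduced
            alerts.append(("audit-disabled", line.split(": ", 1)[-1]))
            continue
        m = CLIENT_REQ.search(line)
        if m:
            try:
                src = ip_address(m.group(1))
            except ValueError:
                continue
            if not any(src in net for net in EXPECTED_CLIENTS):  # client outside the membership set
                alerts.append(("unexpected-client", f"{src} requested {m.group(2)}"))
    return alerts


def check_process_baseline(running):
    """Processes or services running outside the baseline system profile."""
    return sorted(set(running) - BASELINE_PROCESSES)


def repeated_failed_logins(alerts, threshold=2):
    """Sources with `threshold` or more failed admin logins, for escalation."""
    hits = Counter(ev.split(" from ")[1] for kind, ev in alerts if kind == "failed-admin-login")
    return {src: n for src, n in hits.items() if n >= threshold}


def summarize(alerts):
    """Count alerts per indicator, the shape a dashboard or ticket summary wants."""
    return dict(Counter(kind for kind, _ in alerts))


if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOGS)
    for kind, evidence in found:
        print(f"{kind:22s} {evidence}")
    print("escalate:", repeated_failed_logins(found))
    print("off-baseline:", check_process_baseline(["sshd", "nginx", "xmrig", "cron", "nc"]))
```

Each alert keeps the evidence string so whoever receives it (ISSM, ISSO, administrators) can act without re-reading the raw log. `repeated_failed_logins` is the kind of aggregation that turns single events into the heightened-monitoring signal SI-4 (e) calls for; in production the thresholds and the baselines would come from the system security plan rather than from constants.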

3.18.4 Security Alerts, Advisories, and Directives (SI-5)

The organization:

a. Receives information system security alerts, advisories, and directives from [US-CERT, NIST, OMB, Product Vendors, and Industry Advisors] on an ongoing basis;

b. Generates internal security alerts, advisories, and directives as deemed necessary;

c. Disseminates security alerts, advisories, and directives to [all staff with system administration, monitoring, and/or security responsibilities including but not limited to ISSM, ISSO, System Program Managers, Sys/Net/App Admins, etc.]; and

d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-5 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA OCISO Security Engineering Division (ISE) receives information system security alerts, advisories, and directives pertaining to enterprise information system security from various sources on an ongoing basis. Sources include but are not limited to US-CERT, NIST, OMB, product vendors, and industry advisors. Security alerts, advisories, and directives are reviewed for relevance to GSA’s IT operating environment and distributed to IT and security staff, as applicable.

ISE distributes security alerts, advisories, and directives pertaining to enterprise information system security to internal and external enterprise entities with IT system security responsibility over GSA systems. These entities include all staff with system administration, monitoring, and/or security responsibilities, including but not limited to ISSM, ISSO, System Program Managers, Sys/Net/App Admins, etc. Information is disseminated through email distribution lists. ISE maintains the root-level email groups; populating individual group memberships is delegated to the directors of the various IS organizations.

ISE, in coordination with ISO, is responsible for overseeing the enterprise implementation of security directives in accordance with established time frames, or for notifying the issuing organization of the degree of noncompliance.

GSA/Internally Operated System System-Specific Expectation:

Information systems may supplement the security alerts, advisories, or directives received from ISE by subscribing to other sources; generating internal system alerts as necessary; disseminating alerts to IT and IT security personnel; and implementing the directives in accordance with established time frames set by GSA consistent with SI-5 requirements.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own security alerts, advisories, and directives procedures which comply with GSA’s requirements with the approval of the GSA Authorizing Official (AO).

3.18.5 Software, Firmware, and Information Integrity (SI-7)

The organization employs integrity verification tools to detect unauthorized changes to [GSA software, firmware, and information].

SI-7 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO offers application whitelisting software and/or file integrity monitoring to GSA managed assets. This software is integrated into the Enterprise Logging Platform (ELP) for notification purposes, and is utilized as part of the GSA incident response capability.

GSA/Internally Operated System System-Specific Expectation:

Systems not using the tools offered by GSA OCISO and not integrated into the ELP are responsible for adhering to this requirement independently.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA policy and guidance or implement their own software, firmware, and information integrity procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.5.1 Software, Firmware, and Information Integrity | Integrity (SI-7 (1))

The information system performs an integrity check of [GSA software, firmware, and information] [at startup; at the occurrence of configuration changes or security-relevant events; at least monthly].

SI-7 (1) Control Enhancement Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SI-7 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO offers application whitelisting software and/or file integrity monitoring to GSA managed assets. This software is integrated into the Enterprise Logging Platform (ELP) for notification purposes, and is utilized as part of the GSA incident response capability.

GSA/Internally Operated System System-Specific Expectation:

Systems not using the tools offered by GSA OCISO and not integrated into the ELP are responsible for adhering to this requirement independently.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA procedures or implement their own software, firmware, and information integrity procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.5.2 Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7 (7))

The organization incorporates the detection of unauthorized [changes to established configuration settings or unauthorized elevation of information system privileges] into the organizational incident response capability.

SI-7 (7) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SI-7 (7) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA OCISO offers application whitelisting software and/or file integrity monitoring to GSA managed assets. This software is integrated into the Enterprise Logging Platform (ELP) for notification purposes, and is utilized as part of the GSA incident response capability.

GSA/Internally Operated System System-Specific Expectation:

Systems not using the tools offered by GSA OCISO and not integrated into the ELP are responsible for adhering to this requirement independently.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors may defer to the GSA procedures or implement their own software, firmware, and information integrity procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
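The SI-7 (1) and SI-7 (7) implementation text above describes file integrity monitoring whose findings are sent to the Enterprise Logging Platform and used by the incident response capability. The block below is an added example, not GSA OCISO's or any vendor's tooling, of the mechanism behind that control: hash a file tree into a baseline, re-check it later (at startup, after a configuration change, or on a schedule), and emit one JSON event per deviation in the shape a logging platform would ingest. It also records permission bits, so a setuid bit appearing on a binary (the privilege-elevation case named in SI-7 (7)) is reported alongside content changes. The file tree, the `constructed-host` name and the tampering sequence are all constructed inside a temporary directory.

```python
"""File integrity baseline and re-check (added example; not GSA OCISO tooling).

Builds a SHA-256 baseline of a file tree, re-hashes it later and reports
content changes, added/removed files and permission-bit changes (a setuid
bit appearing on a binary is a privilege-elevation indicator relevant to
SI-7 (7)). Findings are flattened to JSON lines for a logging platform.
Everything runs against constructed files in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its digest and mode bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            mode = path.stat().st_mode & 0o7777  # permission bits incl. setuid/setgid/sticky
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": format(mode, "04o"),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline and classify every deviation."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def to_alert_events(report: dict, host: str = "constructed-host") -> list:
    """One JSON line per finding, the shape a logging platform would ingest and alert on."""
    return [
        json.dumps({"host": host, "event": "integrity_violation", "type": kind, "path": rel},
                   sort_keys=True)
        for kind, paths in report.items()
        for rel in paths
    ]


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        conf = root / "etc" / "app.conf"
        service = root / "bin" / "service"
        conf.write_text("listen=443\n")
        service.write_bytes(b"constructed binary contents")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: a config edit plus a setuid bit,
        # a removed binary and a new, unknown file.
        conf.write_text("listen=443\ndebug=true\n")
        os.chmod(conf, 0o4755)
        service.unlink()
        (root / "bin" / "unknown").write_bytes(b"constructed unknown file")

        return verify(root, baseline)


if __name__ == "__main__":
    for line in to_alert_events(demo()):
        print(line)
```

Running the block prints four events (one modified file, one mode change, one removed file, one added file). In a deployment the baseline would be stored off-host and the events forwarded to the logging platform; the example keeps both in memory so it runs offline.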

3.18.6 Spam Protection (SI-8)

The organization:

a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and

b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SI-8 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA utilizes Google Apps for Government for enterprise email and collaboration. Google Apps is supported by strong spam protection capabilities that automatically (through Gmail) help identify spam and suspicious emails by detecting viruses, finding patterns across messages, and learning from what Gmail users commonly mark as spam or phishing. Additionally, GSA implements other technologies (e.g., Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Postini IP Lock) to prevent spoofing of messages that originate outside the gsa.gov domain but are addressed to gsa.gov recipients; DKIM also provides message integrity.

Systems not using the tools offered by GSA OCISO and not integrated into the Enterprise Logging Platform (ELP) are responsible for adhering to this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must implement their own spam protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).
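The SI-8 implementation above relies on SPF to stop messages that claim a gsa.gov origin but arrive from elsewhere. The block below is an added example, not GSA's or Google's implementation, of the receiving-side check SPF defines (RFC 7208): look up the claimed sender domain's `v=spf1` record, walk its mechanisms left to right, and return the qualifier of the first mechanism the connecting IP matches. The DNS records, the domain names (`agency.example`, `_spf.mailer.example`, `loop.example`) and the sender addresses are all constructed; `include:` is resolved against that constructed map, and the RFC's ten-lookup limit is enforced so a self-referencing record ends in `permerror` rather than an endless loop.

```python
"""Offline SPF evaluation (added example; not GSA's or Google's implementation).

Implements the core of RFC 7208 check_host(): given the connecting IP and
the domain in the envelope sender, walk the domain's v=spf1 mechanisms and
return pass/fail/softfail/neutral/none/permerror. Live DNS is replaced by a
constructed dictionary so the example runs offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

# Constructed TXT records standing in for live DNS (RFC 2606 .example names).
CONSTRUCTED_DNS = {
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def check_spf(sender_ip: str, domain: str, dns: dict, _lookups=None) -> str:
    """Return the SPF result for sender_ip claiming to send on behalf of domain."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = _lookups if _lookups is not None else [0]  # shared across include: recursion
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include: no match, keep walking
        else:
            # a, mx, ptr and exists need live DNS and are out of scope for this
            # offline model; unknown mechanisms are a permerror per RFC 7208 anyway.
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" terminator


def disposition(result: str) -> str:
    """One possible receiving-side policy for acting on each SPF result."""
    return {
        "fail": "reject",
        "softfail": "quarantine",
        "permerror": "quarantine",
    }.get(result, "accept-for-further-filtering")


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        result = check_spf(ip, "agency.example", CONSTRUCTED_DNS)
        print(f"{ip:>15} -> {result:9} ({disposition(result)})")
```

The `-all` terminator on `agency.example` is what turns an unlisted sender into a hard `fail`; a domain publishing `~all` only reaches `softfail`, which is why `disposition()` quarantines rather than rejects in that case. SPF alone says nothing about message content, which is the gap the DKIM signature named in the control text fills.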

3.18.6.1 Spam Protection | Central Management (SI-8 (1))

The organization centrally manages spam protection mechanisms.

SI-8 (1) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SI-8 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA utilizes Google Apps for Government for enterprise email and collaboration. Google Apps is supported by strong spam protection capabilities that automatically (through Gmail) help identify spam and suspicious emails by detecting viruses, finding patterns across messages, and learning from what Gmail users commonly mark as spam or phishing. Additionally, GSA implements other technologies (e.g., Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Postini IP Lock) to prevent spoofing of messages that originate outside the gsa.gov domain but are addressed to gsa.gov recipients; DKIM also provides message integrity. All of these technologies are managed at the GSA enterprise level. Systems not using the tools offered by GSA OCISO and not integrated into the Enterprise Logging Platform (ELP) are responsible for adhering to this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must implement their own spam protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

3.18.6.2 Spam Protection | Automatic Updates (SI-8 (2))

The information system automatically updates spam protection mechanisms.

SI-8 (2) Control Enhancement Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

SI-8 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA utilizes Google Apps for Government for enterprise email and collaboration. Google Apps is supported by strong spam protection capabilities that automatically (through Gmail) help identify spam and suspicious emails by detecting viruses, finding patterns across messages, and learning from what Gmail users commonly mark as spam or phishing. Additionally, GSA implements other technologies (e.g., Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Postini IP Lock) to prevent spoofing of messages that originate outside the gsa.gov domain but are addressed to gsa.gov recipients; DKIM also provides message integrity. All of these technologies are managed at the GSA enterprise level. Systems not using the tools offered by GSA OCISO and not integrated into the Enterprise Logging Platform (ELP) are responsible for adhering to this requirement independently.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors must implement their own spam protection procedures which comply with GSA’s requirements with the approval of the Authorizing Official (AO).

4 Privacy Controls

NIST has not mapped privacy controls to the CSF; therefore, no mapping tables are provided for privacy controls.

4.1 Authority and Purpose (AP)

4.1.1 Authority to Collect (AP-1)

The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

AP-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AP-1 Control Implementation

GSA/Internally Operated System System-Specific Implementation:

The System Owner is responsible for determining and documenting the legal authority permitting the handling of GSA PII. Pursuant to 5 U.S.C. § 552a(e)(3), the Privacy Office, in conjunction with the System Owner, provides what is commonly referred to as a Privacy Act Statement to all persons asked to provide personal information about themselves that will go into a system of records (i.e., the information will be retrieved using the individual’s name or another personal identifier, for example a Social Security Number (SSN)). All Privacy Act Statements must be reviewed by the GSA Privacy Office. When drafting a Privacy Act Statement for review by the GSA Privacy Office, the System Owner must include the legal authority for collecting the information (statute, executive order, regulation, etc.).

GSA/Internally Operated System System-Specific Expectation:

When drafting a Privacy Act Statement for review by the GSA Privacy Office, the System Owner must include the legal authority for collecting the information.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.1.2 Purpose Specification (AP-2)

The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.

AP-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AP-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Pursuant to 5 U.S.C. § 552a(e)(3), GSA provides what is commonly referred to as a Privacy Act Statement to all persons asked to provide personal information about themselves that will go into a system of records (i.e., the information will be stored and retrieved using the individual’s name or another personal identifier such as an SSN). All Privacy Act Statements must be drafted by the System Owner and reviewed by the Privacy Office.

GSA/Internally Operated System System-Specific Expectation:

When drafting a Privacy Act Statement for review by the GSA Privacy Office, the System Owner must include the purpose(s) for collecting the information.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2 Accountability, Audit, and Risk Management (AR)

4.2.1 Governance and Privacy Program (AR-1)

The organization:

a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;

b. Monitors federal privacy laws and policy for changes that affect the privacy program;

c. Allocates [at least four (4) full-time employees and budgets] sufficient resources to implement and operate the organization-wide privacy program;

d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;

e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and

f. Updates privacy plan, policies, and procedures [biennially].

AR-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO and/or Privacy Program

System Specific Control

Hybrid Control

AR-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA has a designated SAOP and allocates sufficient resources to implement and operate the organization-wide privacy program. The SAOP oversees the GSA Privacy Office, which develops privacy policies and manages the GSA privacy program. The Privacy Office also monitors federal privacy laws and policy and develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures.

The Privacy Office develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and updates the privacy plan, policies, and procedures at least biennially.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.2 Privacy Impact and Risk Assessment (AR-2)

The organization:

a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of PII; and

b. Conducts PIAs for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.

AR-2 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The Privacy Office manages the privacy risk management process by advising and assisting System Owners as they conduct PIAs and prepare SORNs for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. Systems are categorized as low, moderate, or high risk in accordance with Federal Information Processing Standard 199 (FIPS 199) and NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.”

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for conducting a Privacy Threshold Analysis (PTA) and, if applicable, a Privacy Impact Assessment (PIA) addressing risks to PII, and must coordinate with the Privacy Office concerning these documents.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3)

The organization:

a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and

b. Includes privacy requirements in contracts and other acquisition-related documents.

AR-3 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. Information regarding GSA privacy roles, responsibilities, and access requirements for contractors and service providers can be found in HCO 2180.1, “GSA Rules of Behavior for Handling PII,” GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” 41 CFR Part 105-64, “Privacy Act Rules,” and the GSA FAR contracting privacy requirements (policy and web page). These sources define the privacy requirements that COs and/or CORs are responsible for including in contracts and other acquisition-related documents.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with acquisition staff to ensure privacy requirements are included in acquisition contracts.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.4 Privacy Monitoring and Auditing (AR-4)

The organization monitors and audits privacy controls and internal privacy policy [annually] to ensure effective implementation.

AR-4 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office advises and assists System Owners as they develop Privacy Act Statements, conduct PIAs, and prepare SORNs for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. Systems are periodically audited and assessed for security weaknesses and privacy risks, and the resulting Security Assessment Reports and Plan of Action and Milestones (POA&M) reports are used to monitor privacy controls and internal privacy policy to ensure effective implementation.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.5 Privacy Awareness and Training (AR-5)

The organization:

a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;

b. Administers basic privacy training [annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [annually]; and

c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [annually].

AR-5 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-5 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA has developed, implemented, and regularly updates the “IT Security Awareness and Privacy Training” and “Privacy Training 201” courses. These courses are part of a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities. All GSA account holders electronically sign the GSA Rules of Behavior before taking privacy training exams. GSA privacy training includes targeted role-based privacy training for personnel having responsibility for PII and ensures that personnel certify acceptance of responsibilities for privacy requirements.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.6 Privacy Reporting (AR-6)

The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

AR-6 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-6 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops, disseminates, and updates the annual SAOP FISMA report and works with other program offices on quarterly FISMA reports to respond to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.7 Privacy Enhanced System Design and Development (AR-7)

The organization designs information systems to support privacy by automating privacy controls.

AR-7 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-7 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies that promote the appropriate use of automated privacy controls.

GSA/Internally Operated System System-Specific Expectation:

GSA System Owners support privacy by automating privacy controls.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.2.8 Accounting of Disclosures (AR-8)

The organization:

a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:

1. Date, nature, and purpose of each disclosure of a record; and

2. Name and address of the person or agency to which the disclosure was made;

b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and

c. Makes the accounting of disclosures available to the person named in the record upon request.

AR-8 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

AR-8 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. Additionally, it provides guidance and feedback to System Owners on how to account for disclosures of information held in each system.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for maintaining an accurate accounting of disclosures of information held in each system of records under their control, including the date, nature, and purpose of each disclosure of a record and the name and address of the person or agency to which the disclosure was made; for retaining the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and for making the accounting of disclosures available to the person named in the record upon request.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.3 Data Quality and Integrity (DI)

4.3.1 Data Quality (DI-1)

The organization:

a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information;

b. Collects PII directly from the individual to the greatest extent practicable;

c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [annually]; and

d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

DI-1 Control Summary Information

Implementation Status:

Implemented

Partially implemented

Planned

Not Implemented

Not applicable

GSA/Internally Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

Vendor/Contractor Operated System Control Type:

Common Control Provided by GSA OCISO

System Specific Control

Hybrid Control

DI-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA privacy program and accompanying GSA requirements for PTAs/PIAs and SORNs ensure that the highest quality of data protection for PII is used and is in accordance with applicable laws and NIST recommendations. GSA confirms, to the greatest extent practicable upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information; collects PII directly from the individual to the greatest extent practicable; checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems; and issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for the accuracy, relevance, timeliness, and completeness of the information in their system and for requesting assistance with regard to data integrity questions involving privacy data.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.3.1.1 Data Quality | Validate PII (DI-1 (1))

The organization requests that the individual or individual’s authorized representative validate PII during the collection process.

DI-1 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DI-1 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA privacy program and the accompanying GSA requirements for PIAs ensure that the highest quality of data protection for PII is used and is in accordance with applicable laws and NIST recommendations. GSA confirms, to the greatest extent practicable upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information; collects PII directly from the individual to the greatest extent practicable; checks for and corrects, as necessary, any inaccurate or outdated PII used by its programs or systems; and issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for the accuracy, relevance, timeliness, and completeness of the information in their system and for requesting assistance with regard to data integrity questions involving privacy data.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.3.1.2 Data Quality | Re-Validate PII (DI-1 (2))

The organization requests that the individual or individual’s authorized representative revalidate that PII collected is still accurate [whenever they access the information].

DI-1 (2) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DI-1 (2) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA privacy program and the accompanying GSA requirements for PIAs ensure that the highest quality of data protection for PII is used and is in accordance with applicable laws and NIST recommendations. GSA confirms, to the greatest extent practicable upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information; collects PII directly from the individual to the greatest extent practicable; checks for and corrects, as necessary, any inaccurate or outdated PII used by its programs or systems; and issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for the accuracy, relevance, timeliness, and completeness of the information in their system and for requesting assistance with regard to data integrity questions involving privacy data.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.3.2 Data Integrity and Data Integrity Board (DI-2)

The organization:

a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and

b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act. (Organizations enter into Computer Matching Agreements in connection with computer matching programs to which they are a party. With certain exceptions, a computer matching program is any computerized comparison of two or more automated systems of records or a system of records with nonfederal records for the purpose of establishing or verifying the eligibility of, or continuing compliance with, statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to cash or in-kind assistance or payments under federal benefit programs or computerized comparisons of two or more automated federal personnel or payroll systems of records or a system of federal personnel or payroll records with nonfederal records. See Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a (a)(8)(A).)

DI-2 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

DI-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA documents processes to ensure the integrity of PII through existing security controls in 5420.1 OAD, “Central Office GSA Committee Handbook.” The GSA Data Integrity Board, headed by the Senior Agency Official for Privacy, oversees organizational Computer Matching Agreements and ensures that those agreements comply with the computer matching provisions of the Privacy Act.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.3.2.1 Data Integrity and Data Integrity Board | Publish Agreements on Website (DI-2 (1))

The organization publishes Computer Matching Agreements on its public website.

DI-2 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DI-2 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA documents processes to ensure the integrity of PII through existing security controls in 5420.1 OAD, “Central Office GSA Committee Handbook.” The GSA Data Integrity Board, headed by the Senior Agency Official for Privacy, oversees organizational Computer Matching Agreements and ensures that those agreements are published on a public GSA website.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4 Data Minimization and Retention (DM)

4.4.1 Minimization of Personally Identifiable Information (DM-1)

The organization:

a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

DM-1 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

DM-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA IT Security Policy and the GSA requirements for PIAs, SORNs, Privacy Act Statements, and Annual Reviews of system notices ensure that GSA identifies the minimum PII elements that are relevant and necessary to accomplish the legally authorized purpose of collection; limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice for which the individual has provided consent; and conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings to ensure that only PII identified in the notice is collected and retained.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for limiting the collection and retention of PII to the minimum elements necessary and for requesting assistance with regard to data minimization questions involving privacy data.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4.1.1 Minimization of Personally Identifiable Information | Locate/Remove/Redact/ Anonymize PII (DM-1 (1))

The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

DM-1 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DM-1 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA documents processes to ensure the appropriate aggregation, redaction and/or de-identification of PII prior to disclosure.

GSA/Internally Operated System System-Specific Expectation: The System Owner is responsible for limiting the risk to PII to the minimum elements necessary by aggregating, redacting or otherwise de-identifying PII prior to disclosure.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4.2 Data Retention and Disposal (DM-2)

The organization:

a. Retains each collection of personally identifiable information (PII) for [at least one year] to fulfill the purpose(s) identified in the notice or as required by law;

b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and

c. Uses [techniques and methods as stipulated in 1820.1 OAS P GSA Records Management Program and in accordance with 1820.1 and GSA IT Security Policy CIO 2100.1] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).

DM-2 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

DM-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA records maintenance and disposition is performed by System Owners in accordance with applicable laws and NIST recommendations. More information regarding GSA records maintenance and disposition can be found in 1820.1 CIO P “GSA Records Maintenance and Disposition System.”

GSA/Internally Operated System System-Specific Expectation:

GSA records maintenance and disposition is performed by System Owners in accordance with applicable laws and NIST recommendations.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4.2.1 Data Retention and Disposal | System Configuration (DM-2 (1))

The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.

DM-2 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DM-2 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA records maintenance and disposition is performed by System Owners in accordance with applicable laws and NIST recommendations. More information regarding GSA records maintenance and disposition can be found in 1820.1 CIO P “GSA Records Maintenance and Disposition System.”

GSA/Internally Operated System System-Specific Expectation:

GSA records maintenance and disposition is performed by System Owners in accordance with applicable laws and NIST recommendations.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4.3 Minimization of PII Used in Testing, Training, and Research (DM-3)

The organization:

a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and

b. Implements controls to protect PII used for testing, training, and research.

DM-3 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

DM-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA IT Security Policy requires the use of PII for testing, training, and research only when required and absolutely necessary, and the Privacy Office advises and assists System Owners as they implement controls to protect PII used for testing, training, and research.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for implementing controls to protect PII used for testing, training, and research.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.4.3.1 Minimization of PII used in Testing, Training, and Research | Risk Minimization Techniques (DM-3 (1))

The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training.

DM-3 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

DM-3 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA IT Security Policy requires the use of PII for testing, training, and research only when required and absolutely necessary, and the Privacy Office advises and assists System Owners as they implement controls such as masking, redacting or otherwise de-identifying PII to protect it if it must be used for testing, training, and research.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for implementing controls to protect PII used for testing, training, and research.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.


4.5 Individual Participation and Redress (IP)

4.5.1 Consent (IP-1)

The organization:

a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;

b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;

c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and

d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

IP-1 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

IP-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Rules of Behavior for Handling PII, GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” and GSA requirements for PIAs, SORNs, and Privacy Act Statements govern individual consent and issues surrounding authorization of the collection, use, dissemination, and retention of PII.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for adding Privacy Act Statements to their systems at the point of collection.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.5.1.1 Consent | Mechanisms Supporting Itemized or Tiered Consent (IP-1 (1))

The organization implements mechanisms to support itemized or tiered consent for specific uses of data.

IP-1 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program / System Specific Control / Hybrid Control

IP-1 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Rules of Behavior for Handling PII, CIO 2100.1, and GSA requirements for PIAs, SORNs, and Privacy Act Statements govern individual consent and issues surrounding authorization of the collection, use, dissemination, and retention of PII.

GSA/Internally Operated System System-Specific Expectation:

System Owners are responsible for adding Privacy Act Statements to their systems at the point of collection and including tiered consent models as appropriate.


Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.5.2 Individual Access (IP-2)

The organization:

a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;

b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;

c. Publishes access procedures in System of Records Notices (SORNs); and

d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

IP-2 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

IP-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

Individuals have the ability to access their PII maintained in GSA system(s) of records. GSA publishes CFR Part 105-64, “GSA Privacy Act Rules,” which governs how individuals may request access to records maintained in a Privacy Act system of records. GSA also provides access procedures in system of records notices and adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to ensure individuals have the ability to access their PII in accordance with GSA policies/procedures.


Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.5.3 Redress (IP-3)

The organization:

a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and

b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

IP-3 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

IP-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA provides a process for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate, and establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners, and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

More information about PII redress can be found in CFR Part 105-64, “GSA Privacy Act Rules.”

GSA/Internally Operated System System-Specific Expectation: None.


Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.5.4 Complaint Management (IP-4)

The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

IP-4 Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

IP-4 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA maintains a dedicated email box for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

More information about PII complaint management can be found in CFR Part 105-64, “GSA Privacy Act Rules.”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.5.4.1 Complaint Management | Response Times (IP-4 (1))

The organization responds to complaints, concerns, or questions from individuals within [30 days].

IP-4 (1) Control Summary Information

Implementation Status: Implemented / Partially implemented / Planned / Not Implemented / Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO / System Specific Control / Hybrid Control

IP-4 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

GSA maintains a dedicated email box for receiving and responding to complaints, concerns, or questions from individuals about the organization's privacy practices, and responds within the 30-day period stated in the control.

More information about PII complaint management can be found in 41 CFR Part 105-64, “GSA Privacy Act Rules.”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.6 Security (SE)

4.6.1 Inventory of Personally Identifiable Information (SE-1)

The organization:

a. Establishes, maintains, and updates [annually] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII; and

b. Provides each update of the PII inventory to the CIO or information security official [annually] to support the establishment of information security requirements for all new or modified information systems containing PII.

SE-1 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SE-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA establishes, maintains, and updates a list of Privacy Act notices posted on the GSA.gov website. GSA also submits quarterly and annual FISMA reports that list all GSA programs and information systems that collect, use, maintain, or share PII. GSA provides each update of the PII inventory to the CIO or information security official to support the establishment of information security requirements for all new or modified information systems containing PII.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to add or remove their system from the PII inventory as appropriate with regard to its collection of PII.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.6.2 Privacy Incident Response (SE-2)

The organization:

a. Develops and implements a Privacy Incident Response Plan; and

b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

SE-2 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

SE-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. GSA develops and implements a Privacy Incident Response Plan and provides an organized and effective response to privacy incidents in accordance with applicable laws and OMB guidance.

More information regarding Privacy Incident Response can be found in 9297.1 HCO, “GSA Information Breach Notification Policy.”

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.7 Transparency (TR)

4.7.1 Privacy Notice (TR-1)

The organization:

a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII; (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;

b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and

c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

TR-1 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

TR-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA requirements for SORNs and Privacy Act Statements ensure that GSA complies with applicable laws and NIST recommendations regarding privacy notice and the rights individuals have regarding their PII.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to ensure privacy notices and the rights of individuals are accurate and kept current.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.7.1.1 Privacy Notice | Real-Time or Layered Notice (TR-1 (1))

The organization provides real-time and/or layered notice when it collects PII.

TR-1 (1) Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO and/or Privacy Program | System Specific Control | Hybrid Control

TR-1 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA requirements for SORNs and Privacy Act Statements ensure that GSA complies with applicable laws and NIST recommendations regarding privacy notice, and that notices are provided in real time at the point of collection.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to ensure privacy notices and the rights of individuals are timely and accurate.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.7.2 System of Records Notices and Privacy Act Statements (TR-2)

The organization:

a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII;

b. Keeps SORNs current; and

c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

TR-2 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

TR-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Privacy Act Rules and the GSA Privacy Training inform staff of applicable laws and NIST recommendations regarding privacy notice. The Privacy Office publishes system of records notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII. The Privacy Office and System Owners keep SORNs current, perform an annual review of SORNs, and include Privacy Act Statements on GSA forms that collect PII.

More information regarding System of Records Notices and Privacy Act Statements can be found in 41 CFR Part 105-64.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to ensure SORNs and Privacy Act Statements on forms that collect PII are kept current.

Vendor/Contractor Operated System Control Expectation:

Vendors/Contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.7.2.1 System of Records Notices and Privacy Act Statements | Public Website Publication (TR-2 (1))

The organization publishes SORNs on its public website.

TR-2 (1) Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by | System Specific Control | Hybrid Control

TR-2 (1) Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Privacy Act Rules and the GSA Privacy Training inform staff of applicable laws and NIST recommendations regarding privacy notice. The Privacy Office publishes SORNs in the Federal Register, subject to required oversight processes, for systems containing PII. The Privacy Office and System Owners keep SORNs current and publicly available on gsa.gov/privacy.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the Privacy Program to ensure SORNs are current and publicly available on gsa.gov/privacy.

Vendor/Contractor Operated System Control Expectation:

Vendors/Contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.7.3 Dissemination of Privacy Program Information (TR-3)

The organization:

a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and

b. Ensures that its privacy practices are publicly available through organizational websites or otherwise.

TR-3 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

TR-3 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Privacy Act Rules ensure that the public has access to information about GSA privacy activities and is able to communicate with GSA’s Chief Privacy Officer. GSA privacy practices are publicly available on gsa.gov.

More information regarding dissemination of privacy program information can be found in 41 CFR Part 105-64.

GSA/Internally Operated System System-Specific Expectation: None.

Vendor/Contractor Operated System Control Expectation:

Vendors/Contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.8 Use Limitation (UL)

4.8.1 Internal Use (UL-1)

The organization uses PII internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

UL-1 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

UL-1 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA privacy training and the GSA requirements for PIAs and SORNs ensure that GSA uses PII internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for ensuring that PII is used or shared internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.

4.8.2 Information Sharing with Third Parties (UL-2)

The organization:

a. Shares PII externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;

b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;

c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and

d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

UL-2 Control Summary Information

Implementation Status: Implemented | Partially implemented | Planned | Not Implemented | Not applicable

GSA/Internally Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

Vendor/Contractor Operated System Control Type: Common Control Provided by GSA OCISO | System Specific Control | Hybrid Control

UL-2 Control Implementation

GSA/Internally Operated System Common Control Implementation:

The GSA Privacy Office develops privacy policies and manages the GSA privacy program. The GSA Rules of Behavior for Handling PII and GSA Order CIO 2100.1, “GSA Information Technology (IT) Security Policy,” ensure that GSA complies with applicable laws and NIST recommendations on sharing information with third parties. The GSA requirements for PIAs, SORNs, and Privacy Act Statements require GSA to evaluate any proposed new instance of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. GSA shares PII externally only for the authorized purposes identified in the Privacy Act and/or described in its notices, or for a purpose that is compatible with those purposes. The GSA FAR contracting privacy requirements (policy and web page) require that agreements with third parties specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used. GSA monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII by requiring two courses, “IT Security Awareness Training” and “Privacy 201 Training.”

GSA/Internally Operated System System-Specific Expectation:

The System Owner is responsible for coordinating with the GSA Privacy Program to ensure PII is shared in accordance with the requirements and agreements with third parties.

Vendor/Contractor Operated System Control Expectation:

Vendors/contractors are required to comply with the control statement and abide by GSA policy and procedures.


Appendix A: Acronyms

Acronym Definition

A&A Assessment and Authorization

AD Active Directory

AO Authorizing Official

APT Advanced Persistent Threat

BIA Business Impact Analysis

CBT Computer-Based Training

CHRIS Comprehensive Human Resources Integrated System

CIO Chief Information Officer

CISO Chief Information Security Officer

COOP Continuity of Operations Plan

CPIC Capital Planning and Investment Control

CPO Chief Privacy Officer

DISA Defense Information Systems Agency

DKIM DomainKeys Identified Mail

DNSSEC Domain Name System Security Extensions

ELP Enterprise Logging Platform

FAR Federal Acquisition Regulation

FISMA Federal Information Security Modernization Act

GMT Greenwich Mean Time

GPRS General Packet Radio Service

HSSO Heads of Services and Staff Offices

IG Inspector General

ISCM Information Security Continuous Monitoring

ISE Information Security Engineering Division

ISO Information Security Operations Division

ISP Information Security Policy and Compliance Division

ISSM Information System Security Manager

ISSO Information System Security Officer

IST ISSO Support Division

MIRT Management Incident Response Team

NARA National Archives and Records Administration

NIST National Institute of Standards and Technology

NOSC Network Operations Security Center

OCIO Office of the Chief Information Officer

OCISO Office of the Chief Information Security Officer

OHRM Office of Human Resource Management

OIG Office of Inspector General

OLU Online University

OMA Office of Mission Assurance

OMB Office of Management and Budget

PII Personally Identifiable Information

PIV Personal Identity Verification

RA Regional Administrator

RMS Risk Management Strategy

SAOP Senior Agency Official for Privacy

SLC Solutions Life Cycle

SPF Sender Policy Framework

SSL Secure Sockets Layer

TLS Transport Layer Security

VPN Virtual Private Network


Appendix B: GSA Common Control Workbook

The GSA OCISO ISP Division and the ISSMs of the GSA major information systems that provide a significant number of common controls have developed a common control workbook. It gives System Owners the information they need when they inherit a common control, or the common portion of a hybrid control, from one of GSA's major common control providers. The common control workbook is available on Google Drive at GSA Common Control Workbook.


Appendix C: Program Level POA&M

GSA has established a Program Level POA&M to track plans of action and milestones for findings that exist at the GSA IT Security Program level and affect the program and the GSA enterprise. The program-level POA&M is maintained on the POA&M Google Team Drive. To request access, contact the POA&M team at [email protected].