sensitive but unclassified sbu - us epa · scnsitiw but unchl\;ilk

$: Sensitive but Unclassified SBU - US EPA · Scnsitiw But UnchL\;ilk$
Scnsitiw But UnchLilkltI

TWAI Memorandum of Understanding (MOU)

Between

The Department of the Treasury

Bureau of the Fiscal Service

And

Environmental Protection Agency

Office of the Chief Financial

Office of Technology Solutions

January 2016

Burcw of lhc Fiscal Scnmiddoticc 3700 Fast West Hiflluy H~middotntt middotmc MD 20782

Environmental Protection AJcncy 1200 Pcnn~y lvania Avenue Washini1on DC 20~60

Scnsithmiddotc But Unclassified

middotn1is pagl in1ct11illnilly kfl blank

Scnsitic l3ut Unclassified

IEMORA-Dl M OF Uii lgtFRST AiiOING (MOU)

Sl iPERSFDES

This Memorandum of Understanding (MOli ) supersedes all prcinu~ 1grccmcnts between the parties regarding the ir11crconncction of the par1icsmiddot systems

11TRODCCT ION

The purpose of this document is tt1 establish a memorandum ofundcrstanltling between the llS Depar1nwnt of the Treasury Bureau of the Fiscal Scricc (Fiscal Serice) and the Enironmcntal Protection Agency (FPA) regarding the demiddotclopmcnt management opcrllion and security ofa connection between systems owned by the Fiscal Scnmiddotice and systems owned by EPA This Ulrccmcnt will gocm the relationship lxtwccn the Fiscnl Scnmiddotiec and EPA inc luding dcsilnatcd manauerial and technical sroff in the abscncc ofucommon manacmcnt authorit- -

The Onicc of the Chief Financial Oflicer Oliicc ufTcchnulogy Scgtlutions ltOCFO-OTS) progrnn1 onice within the EPi is responsible for the Compass Financinls (Compissl IT system OCFlt) ()TS is responsible for 1hc security of Compss and is rcsponsibk for maintaining and implcmcnling the security controls

AUTHORITY

The authority for this agreement is based on the following policy s tandards and guidance

bull Federal lnfom1ation Security Managbullmcnt 1ct IFISMA) as part Mthc E-lticgtVcmmc111 ltt of 2002

bull Oflicc o r ilanagcmcnt and Hudgcl (OlmiddotIB) Circulir A- IO ppcndi~ ll l Sccurit~ or Federal Au1ommcd lnformatitgtn Resources

bull NlST Special Publication 800-47 Security Guide for Interconnecting lnfonnation 1ltchnology systems

bull United Stales Ocpar1111cm of the Treasury TD P 85-01 Treasury lnforma1io11 Tcd1m1logy Sccurit~ Program TD I 85-01 IJnclassilicd Non-National Security Systems

EPi lnfom1a1ion Security lolilties and Guiduncc applicable 10 EPA i111crconnec1ions indudc

bull CIO 2 151 1 EPA Priacy Polic~

bull lnformutiun Securi ty - Incident Response lrnccdurcs CIO 2150-1middot082

2

Scnsillc Uul l ndussilieJ

bull ( middot10 1503 gene~ lnfom1a1ion SCuri1~ lulic~

It is thmiddot intnt 111bo1h panics lu this agrccmcnl to rn1imain an imrcunnc1ion between lhc middot1 rcasur- Aprlicatiun h rchiteturc IT 1I) luc111d u the Fdcral Rscr lnlormo1io11 Tehnulogy 111u Igt Daw Ccmer u1 J)alfus las1 RuthcrliircJ Opcrutions Cr11er (lRO) untlor Rid1111011d tu El Systems admi 11is1n11ors from hmh purtics will comply lith oppropriatc sceuli1~ rc11uircmcnts 10 protect bu1h panismiddot cJnu unu in1hr111ation systems rhe intreonnection is prwiJccJ 111 urur for the Fiscal Scnmiddoticc 111 share dam anJ infllnmuion ilh EP This in1crcu11ncc1io11 ill reduce gucn1111c111 nprating cos1s promiddotidc greater 1Unc1ionnli1y and improw cflicicnc~ The communications imcrconncc1ion ill be cslablishcd using suidancc pro idcd in lh Fl( 7iw1fibullr 111uf Cmiddot1111mbullc111middotit) Oplllmf Jnr Ellrlal 11rork C11111wc111111J

ltgtmiddot111hmiddotr JO13 mu 711ll ~1lt11111 Sbullrnri1y lltJ11 Ines Jocumcms describe Oii lable cu111111unica1io11s pro1ocols dua mrnslir capabili1ics SpCilic communications hard11rc and nc~ p1ion rltlt111irc111Jlls 10 -1ablish u scun conn-cliun m TI

tn1 TI lticncral Suppun Sys1cm (GSS)

lurpnc I he fWI prmmiddotiucs u muhi-ticrcd urld 1dc cb (Web) intrfru und 0111mo11 scriccs i1hl11 u mbus1 infrns1ruc1urc lur muhifllc Trcosurmiddot applica1ions Guiding principles lor lite TAI i111ludc the prodsion 111 gc11erull1 ucccssihk applications in II suitably robust c11 irunmcnl giving precedence w sccurit mer other consitkr11 ions th use o Ideg sumc111cd li crcJ sccuril and 1hc 11l1ccmc111 or nll l)cm11111s anti Ju1a a~ litr iwa fmm 1hc I11en1c1 m is rJun1hk rI internal user ucraquo is h~ inuul lrimiddotutc Nctorls (VlNs) usini smun cardmiddot based authori uiun and aulhenticatiun

Luiu riunN

fdrul Rcsclc Bank (lRl3J Dallas Tc~us

Fkml Rcselmiddotc Bank 1FR1l) East Rutherford Opcmtinns Center 1EROC) East Rutherford -le htM~~

hJcrul Rcscnmiddotc Bnnk IFRB I Ricluuunu Richmond V1

fun crion

rite T1I is a secure infras1ructurc wilh ln1cmc1 and dedicated relecommunicnrinn~ cunncc1imiddoti1y middot1 ht JJVA 2 rn1rprist Editmn 1J2EI~gtcnv1ro11mcn1 can suppon hJ pcncxt markup lnnguug 111 l11 I md cxtmsihk markup lungu~11-c (Xibull11 ) Jhe TWAl is designed to provide o high dcgr-c ol iilnhilit~ Ilic I I trd1t1Clt1rc cun scilc from 1hc inilial bJs uf 1housands of ultrs 11 ~uppon millions ofusers nrlJ idc middot1 he J I trditcCIUrc is in-cred usinl mulriplc Ones III ensu~ dtlinse-in-dcprh 1s-g111cnrltltl) s~curi1y lf1d scilobility All 70ncs except

bull middot

Scnsiiin~ Rut Unclassified

Zone 0 ionc 3-NT and Zone 5 (Mnnagcmcm Zone) arc load-balanced utilizing F5 load balancers

The TWAI cmmiddotironmcnt includes wch server drhmiddotcn by logic residing on an Application Scrcr which is in tum supported by a Database Managcmcn1 System (Dl3MS) and other scrers

The TV Al preferred Web server is illanet utilizing the Trns1cd Solaris npcra1ing system 111c preferred applica1ion servers arc BEA Wcblogic and IBM WcbSpherc The DBMS environments arc currently supported by Oracle 11 204 and IBM UDB Genera l users ncccssing applications ia 1-rnmiddotp enter the TWA middotia Zone 0 The llCb scrcrs suppon Secure Sockcl Layer (S~I ) 128-bil key cncryplion The web scrcr connccl~ 10 one or more standard applications servers in Zone 2 The applications SCrCrs use database and other resources in Zone 3 as needed Application-specific (PayGomiddot for example) processing and storage components arc generally in Zone 3 as objects requiring the protection of the deepest zone 8usincs~ P~nncrshy(Bls) (eg application administrators) access TWAI through Zone 4 middotia VlNs or dedicated lines

Description of data includ ing scnsitimiddoti~middot or classification lcmiddotcl

TWAI S~middotstcm Sccuri~middot Categorization Summary Information T e Confidentialitv Int middot Availability

TWAI System HIGH HIGH HIGHRating

For further infonnation on the methodology used 10 establish security caic~orics idcn1ify scnsitiity of information and assess the impact tor TW1 information and information systems

0refer to the TWA I Securi1middot ltUlltgtOrit11m1 o( Feltieml 11(or111C11irm and 11(m1w1 i111 S1middots1e111s bull bull bull

In support of thc Post Puymenl System (fPSJ IOM Sterling ConncctDirect with Secure Plus 5 or higher and Internet Explorer CJ or higher wet browser will be used to send and rccciw cancellations and claims submissions riles CH and check returns and reclamations E-JR~ and NOCs and payment infom1a1ioninquiries on a dail basis between SSA and TWAl Unix miinframcs

Name Compass Financials IT Syst~m (Compass)

Function Compass is the EPs financial management system that proides the tools needed to cflcctily manage budget and track expenditures Compass provides both comprehensive financial planning capabilities and a means to record El financial tmnsac1ions

Location Compass Financials is an IT system hat spans two data centers - the El National Computer

4

Sensiliw Jui L nd1ssi1icd

Cmcr utd 1hc C(jl lhllcnix Dna Ccnicr FlAs 1nimal Computer Center is lmatecl in Research Irimgk Park -lC This agrccmcnl is sold~ wi1h 1hc Compass componcnis located in th --imional Comru1cr Ccmcr

Ocscript ion of data including scnsitimiddoti1y or classilication lcnl Cumpass proidcs dclailcd inlom1n1io11 un opcr11i11g plan unoums as wdl us expenditures and remaining hala11ccs h~ account and budict 1bjcct chi

lhc l~ pc or inli1m1a1iu11 stored in anJor prnccsscJ h~ the Compass is mission-cri tical Jinanciut in limnaiion related 10 employees and middotendurs The Compass operations and data an roted as middotmiddotmodcrn1e for LHilabi lit~ conlhkntialit~ am integrity security compromise could result in sccrc impainncnl to lhc l11 s missions functions image and reputation h could also cause a loss nf as~cts or hamiddotc an micrs~ impact on nsuun~s

In forma tion Carcoorics Scnsithmiddotilmiddot Lcmiddotcl lnterit1middot Uifabilil I ConfielentiuIit1middot

uJit and lmmiddotcsligolion gtkJium Medium McJium In lo nnu ion I

Conlidcmial Business MediumMedium McdiumI I I lnfonnation I Contr1c1 Information Ia Medium Medium

Finnnciul lnlltgtr111u1iu11 lo 1kdium Medium Gmm lnlormallon lm kdium Medium

~ hdium

COMM UNICATIONS

F rc4ucm rom1al communications arc csscminl lo ensure the successful managcmcm and upcmtion of the imcrconncction The parties agree ln maimain open lines 1fcommu11icmion between Jcsignatcd staff at hoth the managerial and technical lcc ls II communicmions tkscrihcd herci1 must be conducted in writing unless ulhcrwisc notcd

middot1 be 1iscal $cricc and lilA agree 10 dcsignntc anJ pnn idc contact infom1ation lilr technical leads tor their respective system and 10 focili1atc direct contacts between 1chnical leads 1ltgt

suppon 1he nianagcmcm and operation of the imcrconncction Sec Auochment I Points of Com1c1 for Compass tuachmclll 2 Points ofCuntact for OElNCC and Allachmcnl 3 Fiscal Scnmiddoticc POCs To salcguard the conlideotiality imcgril) and avai labil ity or the connected systcms and the dnw 1h~y store process umI tnmsmil thi parties agree to prtiidc notice of sp-=cilh middotems within the 1imc frames intlicahJ hdo

Sceurit) lnd dcn1s The tcchnicil swrrs ill i111111cltliitd) notilY their designated courncrpan by 1dcphonc or e-mai l when security indkm(sl is detected in order to dc1cm1i11c whether their

5

Sensitive B111 l nclassi lied

system has been compromised ond take appropriate security prccrntions In addition the technical staffs should notilY their rcspcctiC lncidcfll Response Centers or points of contact to ensure that appropriate actions and reporting takes pinesbull

Disaste rs and Other Contingencies The technical staff will immcdintcly not ifmiddot their dcsi lnatcd counterpnn by telephone or c-mnil in the CCnl ofa disaster or other contingency that dis~pts the nonnal operation ofonc or hoth of the c1mnccted systems

Material Changes to System Configuration Planned technical changes to the system architccwrc will he reported to technical siaffwilhin a week lxbullforc such changes arc implemented The initiating pany agrees 111 conduct a risk nscssmcnt based nn the new system mhitccturc and to modilY and re-sign the SA within one ( I l m1gtnth of implementation

lcw lntcrconncclions The EPA 11ilf notlt~middot thc Bureau of the Fiscal Service lll lcas1 onc ( I l month before it uses the VPN connection i1 has cs1ablished with the TWAl to intcrconnec1 wilh another IT system including systems that arc owned and operated by 1hird parties

Personnel Changes middotn1c parties agree to provide notification or the separation or long-term absence of their respective system owner or technical lead ln addition both parties will proidc notification ofany changes in poim ofcontact infonna1ion Both panics will also proidc 1101ification of chnngcs 10 user protilcs including applicable users who resign or change joh responsibilities

INT ERCONNECTION SECURITY AGREEMET

Thc technical dc1ails of the interconnection will bc documented in an Interconnection Sccurity 1grccmcm (IS) The panics agree 1 work together 1 dcc lop the ISi which must be signed by both pnrtics before the interconncc1ion is actiatcd Pniposcd changes 10 either system or the intcrrnnnccting medium will be reviewed and cmiddotaluated 10 detem1inc the potential imp1c1 on the inlerconncction The SA will be rencgotialcu blforc changes arc implemented

SECURITY

130th panics agree 10 work together ro ensure the joim security or the connected systems and the dnta they store process and transmit as specified in the SA Each rarty cer1ilics that its nspcctivc system is designed managed and opcra1cd in compliance wi1h all rclcam federal laws regulations and policies Interconnecting systems shall have undergone an Assessment amp Authnri-1ation (Aamp) process with associated memorandums that designate 1he sys1cms as fully accredited

COST CONSIDERATIONS

Both panics agree and arc responsible for lheir 011 agency costs of the interconnecting

6

Scnsi1ie But Lnclissifoltl

111cd1111ism mJ1or media hut mi sud1 cxp-nltliturcs or linmcial crnnmiimcnts shull lie maJc i1h11u1 th- Tillcn concurrence ufhuth partics l-l11di lkatinns 10 either sys1c1111hm an ncccssni 10 support the i111crcnn11cctin11 arc the rcspunsihilit~ lt11 1hc rcspccriw system owners organi1alitlll

TlilEUNE

lllis agreement wil l remain in cffcc1 for 1hrcc (gt) years afier 1hc las da1c m ci1hcr sig11a1ur in lhc signu1ure hluck heh lkr three (3) yc1rs this agreement wil l expire i1hout further action I f the partHi wish to cxtnd this ugrccnicnt th~~ ina~ J) so by r ic ing upJating and rcm1thori1ing this agrecmcm The nc l~ signed agreement will explicitly supersede 1his agrcemclll hieh should be refcrcnccJ h~ 1iilc mJ daic in the 1pproprimc sction of 1his documc111 lf 1111c ur hu1h 1 t the panics wish 111 tcnninntc this igrccmcm prenmlurcl) 1hcy moy Jo so upon 3ll ltla~ s ultlvnnceJ no1icc or in 1hc c-111 ur l sccurit~ indtlcm that nccssitmes an immediate rc~pnnsc This ngrmcnt will Ix re iccu 11 lca~1 annually or whncmiddotcr a signilican1 change occurs to ensure that s~curi1Jmiddot controls arc opirnting properly and providing appropriate cmiddotds ol prgttcction

7

ScnsitiC But LJncla~-silied

SIGNATORY AUTHORITY

I ogrcc to the 1em1s of this bulllcmorandum o Lndcrstandinu

Peter Gcnon Deputy Assistani Commissioner for Security Services Orticc of lnfomiation Sccuri1y Services Bureau of 1hc Fiscal Service

I loward K ()sbomc Senior lnfonnmion Otliciul US Environmcn1ol Pr01cc1ion Agency Onicc of the Chief Financial Olliccr (OCH)

Michael Knyon

Acting Principal Depu1y Assis1ant Administralor Ollicc of Environmenwl Jnforma1ion (OEI)

2~= 3t-L_______

g

- -

Scnsitiw But Lndussilicltl

ttachmcnt I

fPA C ompass Poims of Contact

C onq11ss System Owner ()uc111ir1 X Jnnc~ Oflicc nr the Chie r FilllllCICII ()ificcr

Onie orTcchnulog~ S1lutions 1200 P nnsylvania Aw --1 Washington DC 20-160 202-564-1112 1mui l JonsQucntin II cpagw

Compass Project fanal(cr middotlichod I Rohcns Ollie of the Chict Fimuicial 0 11icc r onicc of I cdmology Solutions 1~00 lcnnsylvan ia Jvc N middotushingtlln DC 20460

202-56 -1-29 -1 Emuil RobcrtsMichadl 11 cpunailqngmmiddot

Compass Sccurity Acl01inistruor Craig Clark onicc oi the C hic Financ ial 011iccr Office otTchnolog~ Solutions I 200 Penns) h middotmia Amiddotc 1middot ashington llC 2046() 202-564-88()6 Email ClirkCriic II c patl

~

OTS Information Security Officer Lisu ~I yalo Ofticc of the Chif Fin111cial Ofliccr ()Jtitc 1fJcchnology Sohuions I 200 Penns~ h ania Aw N ashingwn DC 2()-160 202-564Jjlt)(I mail ~ alaLisa a cpa1

Compass T echnical roe J)alid Dcwc

Oilicc of the Chid Finuncial Otliccr O rticc o r lchnolltlg y Solutions

lOO lcnnsylania Aw N W ashington DC 20460 202-56-1-1289 Jimiii Dccrclgtr itI cpago

OC FC) Information Securi ty Officer - lid1acl Callcwicn Ollicc of lcsourccs antI In formation

~fanagc111c111 Ottiw 0 1hc Chief Financia l Oniccr 1200 lcnnsyhmiddotania Aw N ashingllln DC 20-160 ~U2-56J-737CJ Email CallcticrtMichadi cpugm

OCFCgt Information MunaJcmcnt Officer Kimberli Dubbs Ollicc o t Rcsuurccs 11ul lniltgtm1ation ~d u1agtnhnl Olli cc of thmiddot Chic Financitl Olliccr I2110 lcnns) lmia llC N Washing1on DC 20-160 202-56J- I 598 Email l)uhhsKimbcrly icpag(ll

lt)

Scnsithmiddotc But Unclassilicd

ttachment 2

Office of Environmental Information I lational Computer Center Points of Conl1e1

Report security inciden ts to EPA Call Center at l-866-~l l-4fPA or 1-866-4 11-4372 Report operationa l concerns to EPANCC Console OperJtions Desk (9 19) 541- 1 I 12

Rcrcr 10 the following website for the OEI loi111s ofContact hup_s llwJJP11cpalt llltlp about i11kxd111 ~i - 1263 ~bl4II I ltJltJ72-lltbull-I l-lO-l l~0569

10

Scnsi111c 1111 l nclu~silkd

A11ichmen1

Fic11 Scnmiddoticc lnints o r Conract

llcrul) ssisranl Commissioner for Sccuriry Senmiddoticcs P~ ( iino t1

Ulfoc oithc C10 71111 E1s1 est I lightY I I~ UIISI ilk S 11) 10782 Phone 2U2-S74-512J Email 111crCirnma u Jiscal1ra$u~ go1

T I I ncirlcnt Response i1k Ponce I I ISSO nuu l~~I est I liglm1~ I I~ 111s1 ilk Mlgt 207S2 lhunc 2U2-R74-X-IIJ E111ui I mlclnncc lt1bullliscaltrcasury middot

TWAI lana~cmcnt Stuff middotrho1111s llultgtkcr ll ircctur 1700 l1s1 est r liglmo~ f fyuHSI if le 11) 2078 lhunc 0-874-51 JltJ IhnnasDookcr ltt liscalmasu~ go

ChiefSccuril Officer and Chief P riac Officer Dai id tnhros nun lus1 middotest lligha~ I I~ u11s1 illc ~ID 2078 lhnnc 2U2-S74-6488 Enmil l)alidmhmsc a liscultrcus urygomiddot

11

middotn1is pagl in1ct11illnilly kfl blank



Sl iPERSFDES


11TRODCCT ION



AUTHORITY









2







Luiu riunN




fun crion


bull middot














4









~ hdium

COMM UNICATIONS





5









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11



Sl iPERSFDES


11TRODCCT ION



AUTHORITY









2







Luiu riunN




fun crion


bull middot














4









~ hdium

COMM UNICATIONS





5









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11







Luiu riunN




fun crion


bull middot














4









~ hdium

COMM UNICATIONS





5









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11














4









~ hdium

COMM UNICATIONS





5









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11









~ hdium

COMM UNICATIONS





5









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11









SECURITY


COST CONSIDERATIONS


6



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11



TlilEUNE


7


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11


SIGNATORY AUTHORITY




Michael Knyon


2~= 3t-L_______

g

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11

- -


ttachmcnt I







~








lt)


ttachment 2




10


A11ichmen1







11


ttachment 2




10


A11ichmen1







11


A11ichmen1







11

sensitive but unclassified sbu - us epa · scnsitiw but unchl\;ilk

Documents