Evaluation of Department of State Information Security Program ...
Evaluation of Department of State Information Security Program ...
Evaluation of Department of State Information Security Program ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
UNCLASSIFIED<br />
4<br />
Recommendation 3: {Section A} We recommend that the Chief <strong>Information</strong> Officer:<br />
• Improve oversight <strong>of</strong> the security assessment and authorization process for the<br />
<strong>Department</strong>'s information systems, especially the OpenNet General Support System<br />
(GSS) and ClassNet GSS as required by the National Institute <strong>of</strong> Standards and<br />
Technology (NIST) (SP) 800-37.<br />
• Improve existing procedures to ensure security authorization packages are updated every<br />
3 years or when a significant change occurs or develop a risk-based approach for<br />
implementing a continuous monitoring strategy as required by NIST SP 800-37.<br />
• Improve existing procedures to ensure Systems <strong>Security</strong> Plans and Systems Assessment<br />
Reports are updated as required to comply with the security baseline controls contained<br />
in NIST SP 800-53 (Revision 3).<br />
• Perform annual security assessments <strong>of</strong> a subset <strong>of</strong> a system's security controls as<br />
required by NIST SP 800-37.<br />
<strong>Department</strong> Response to Recommendation 3:<br />
With regard to bullet 2, we note that FISMA FY2011 reporting instructions explicitly<br />
removed any such requirement. We quote:<br />
Is a security reauthorization still required every 3 years or when an information<br />
system has undergone significant change as stated in OMB Circular A-130? No.<br />
Rather than enforcing a static, three-year reauthorization process, agencies are expected<br />
to conduct ongoing authorizations <strong>of</strong> information systems through the implementation <strong>of</strong><br />
continuous monitoring programs. [1] (emphasis in original)<br />
Based on this instruction, the <strong>Department</strong> does not agree with the recommendation in<br />
bullet l.<br />
With regard to bullet 3, the new NIST SP 800-53 guidance was not fully implemented[2]<br />
until June 2010, and thus compliance was not required for C&As starting before June<br />
2011. All <strong>Department</strong> C&As commencing after June 2011 will comply with the new<br />
version <strong>of</strong>NIST 800-53/53A. The <strong>Department</strong>'s C&A Toolkit has been fully updated to<br />
implement this change. Applying a risk-based approach, the <strong>Department</strong> does not judge<br />
it necessary to retroactively adjust prior C&As to meet this new standard. [3]<br />
With regard to bullet 4, the <strong>Department</strong> performs such annual testing on all its systems,<br />
except in rare cases that are vigorously pursued.<br />
Recommendation 4: {Section B} We recommend that the Chief <strong>Information</strong> Officer expedite<br />
the <strong>Information</strong> Resource Management, Operations, Enterprise Network Management and<br />
Diplomatic <strong>Security</strong>, <strong>Security</strong> Infrastructure, Office <strong>of</strong> Computer <strong>Security</strong> process to finalize and<br />
implement the elements within the Cyber <strong>Security</strong> Architecture draft target architecture and<br />
[1] OMB M-1l-33, FAQ 28.<br />
UNCLASSIFIED<br />
[2] A new NIST 800-53A was needed to implement the new 800-53, and was not published until June 2010.<br />
[3] Authority is OMB M-1l-33, FAQ 15.<br />
65<br />
UNCLASSIFIED
Change language