business support systems (bss) risk management framework ... · the eis business support systems...
TRANSCRIPT
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
i
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Business Support Systems (BSS)
Risk Management Framework Plan
Network Services & Network Management Systems
IAW C.1.8.7
(NIST FIPS 199 Moderate-Impact Baseline)
November 4, 2016
Prepared by
CenturyLink Government Services, Inc.
4250 North Fairfax Drive
Arlington, VA 22203
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
ii
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
TABLE OF CONTENTS
Step 1—Categorize Information System ......................................................................... 1 Task 1-1—Security Categorization (G.5.6, G.5.6.2) ............................................. 1 Task 1-2—Information System Description .......................................................... 2
Task 1-3—Information System Registration ....................................................... 11
Step 2—Select Security Controls .................................................................................. 13
Task 2-1—Common Control Identification .......................................................... 13 Task 2-2—Security Control Selection (G.5.6.2) .................................................. 25 Task 2-3—Monitoring Strategy ........................................................................... 25 Task 2-4—Security Plan Approval ...................................................................... 28
Step 3—Implement Security Controls ........................................................................... 29 Task 3-1—Security Control Implementation ....................................................... 29
Task 3-2—Security Control Documentation ....................................................... 29
Step 4—Assess Security Controls ................................................................................ 30 Task 4-1—Assessment Preparation ................................................................... 30 Task 4-2—Security Control Assessment ............................................................ 30
Task 4-3—Security Assessment Report (G.5.6.4 (17)) ...................................... 30 Task 4-4—Remediation Actions (G.5.6.4 (22) .................................................... 31
Task 4-5—Additional Security Requirements (G.5.6.6) ...................................... 31
Step 5—Authorize Information System ......................................................................... 32 Task 5-1—Plan of Action and Milestones ........................................................... 32 Task 5-2—Security Assessment and Authorization Package (G.5.6.3, G.5.6.4 (1
through 16, 21, 23)) ................................................................................. 32 Task 5-3—Risk Determination ............................................................................ 36
Task 5-4—Risk Acceptance ............................................................................... 36
Step 6—Monitor Security Controls ................................................................................ 36 Task 6-1—Information System and Environment Changes ................................ 36 Task 6-2—Ongoing Security Control Assessments ............................................ 37
Task 6-3—Ongoing Remediation Actions ........................................................... 37 Task 6-4—Key Updates ..................................................................................... 37
Task 6-5—Security Status Reporting ................................................................. 37 Task 6-6—Ongoing Risk Determination and Acceptance ................................... 38
Task 6-7—Information System Removal and Decommissioning ........................ 38
LIST OF FIGURES
Figure 1.2-1. EIS Customer Access to the BSS—Overview. ........................................... 3
LIST OF TABLES
Table 1.1-1. System Categorization. ............................................................................... 1
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
1
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
This plan is submitted in accordance with RFP Section C.1.8.7 and NIST SP 800-37.
STEP 1—CATEGORIZE INFORMATION SYSTEM
TASK 1-1—SECURITY CATEGORIZATION (G.5.6, G.5.6.2)
The General Services Administration (GSA) determined the overall categorization to
be moderate-impact per Federal Information Processing Standards (FIPS) Publication
199 Standards for Security Categorization of Federal Information and Information
Systems.
To assign an accurate security categorization level for the information and
information system, Table 1.1-1 provides guidance in determining the potential impact
level for each security objective based on FIPS 199 and National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-60 Guide for Mapping Types of
Information and Information Systems to Security Categories. The overall system
categorization will be derived from the information system types described in the table.
Table 1.1-1. System Categorization.
Information Description Confidentiality Level Integrity Level Availability Level
Federal customer
account access
parameters
Customer usernames, passwords, and
account scope (services and capabilities
specific to the individual agency’s services)
Moderate Moderate Moderate
Information Type Confidentiality Integrity Availability
Contingency planning Low Low Moderate
Continuity of operations Low Low Moderate
Service recovery Low Low Moderate
Goods acquisition Low Low Low
Inventory control Low Low Low
Logistics management Low Low Low
Services acquisition Low Low Low
System development Moderate Moderate Moderate
Lifecycle/change management Moderate Moderate Moderate
System maintenance Moderate Moderate Moderate
Information technology (IT) infrastructure maintenance Moderate Moderate Moderate
Managed Trusted Internet Protocol Service (MTIPS) security Moderate Moderate Moderate
Record retention Low Low Low
Information management Low Low Low
System and network monitoring Low Low Low
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
2
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Information Type Confidentiality Integrity Availability
Information sharing Low Low Low
Overall information categorization Moderate Moderate Moderate
Information System Owners
GSA
Name: Kevin Gallo
Title: Services Development
Agency: GSA/FAS/ITS
Address: 1800 F Street NW, Washington, DC 20450
Email Address: [email protected]
Phone Number: 703-306-6616
CenturyLink
Name: Srinivas Gunturu
Title: Director, eCommerce and Enterprise Systems
Division: CenturyLink Information Technologies
Address: 6000 Parkwood Pl, Suites 101 300, Dublin, OH 43016
Email Address: [email protected]
Phone Number: 614-215-5912
TASK 1-2—INFORMATION SYSTEM DESCRIPTION
The EIS Business Support Systems (BSS) Gateway will be designed and developed
to provide access to CenturyLink telecommunications service data for authorized
federal agency personnel, referred to as federal personnel throughout this document.
The telecommunications service data comprise the details of the services provided to
customers under the EIS contract, including those listed under telecommunications
services below. Agency customers will use such data to check on the scope and status
of services they receive.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
5
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
maintenance. The OCO will be the only person authorized to request master account
changes. The OCO will not have the ability to establish or change this information. EIS
BSS gateway administrators will set up the accounts and make any needed changes.
The agency will assign the OCO at the time a task order (TO) is awarded. Each
OCO will provide the appropriate information, including the name and the AHC over
which the OCO has authority. Any attempt to access an AHC without permission will be
blocked. Only an OCO can request new user accounts and define their access levels for
the agency. The EIS BSS gateway will manage the following services:
Virtual Private Network Service (VPNS)
Ethernet Transport Service (ETS)
Optical Wavelength Service (OWS)
Private Line Service (PLS)
Internet Protocol Service (IPS)
Internet Protocol Voice Service (IPVS)
Colocated Hosting Service (CHS)
Cloud Service
– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
– Content Delivery Network Service (CDNS)
Managed Service
– Managed Network Service (MNS)
– Unified Communications Service (UCS)
– Managed Trusted Internet Protocol Service (MTIPS)
– Managed Security Service (MSS)
– Department of Homeland Security (DHS) Intrusion Prevention Security
Service (IPSS) (DHS only)
– Access Arrangements
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
11
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Information Flow
An EIS BSS gateway database will store customer authentication credentials and
authority information defining the access permissions of each individual. It will not store
information about orders, services, performance, or reporting. The gateway pulls such
information from CenturyLink back office commercial systems through the EIS BSS
gateway’s back-end touch point (BETP) functionality. These back-office systems cannot
initiate data transfers with the EIS BSS gateway.
Web Protocols
Only HTTPS will be permitted for web access to ensure encryption of data in transit.
Mobile Code
No mobile code technologies will be deployed in the EIS BSS gateway.
Configuration Specifications
EIS BSS gateway systems and database configurations will be based on the most
recent IBM specifications and verified to comply with the applicable NIST SP 800-53
controls by security vulnerability scans of the operating systems, databases, and web
applications.
TASK 1-3—INFORMATION SYSTEM REGISTRATION
The information system registration process begins with the definition of the EBAB in
the Security Assessment Boundary and Scope Document, which identifies the
information system and subsystems in the system inventory and establishes a
relationship between the information system and the parent or governing organization
that owns, manages, and/or controls the system. The information system owner has
primary responsibility for registering the EIS BSS gateway information system
supporting network services and network management systems.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
12
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Primary Responsibility:
CenturyLink Information System Owner
Name: Srinivas Gunturu
Title: Director, eCommerce and Enterprise Systems
Division: CenturyLink Information Technologies
Address: 6000 Parkwood Pl, Suites 101 300, Dublin, OH 43016
Email Address: [email protected]
Phone Number: 614-215-5912
Supporting Roles:
CenturyLink Information Systems Security Officer (ISSO)
Name: Robert Ellis
Title: Information System Security Officer (ISSO)
Company: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 931 14th Street, Suite 1000B, Denver, CO 80202
Email Address: [email protected]
Phone Number: 720-578-2110
CenturyLink Information System Security Manager (ISSM)
Name: Kent Geerlings
Title: Director, Industrial Security
Company: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 2900 Towerview Road, Suite 150, Herndon, VA 20171
Email Address: [email protected]
Phone Number: 703-796-6700
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
13
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
GSA Information System Security Manager (ISSM)
Name: David Trzcinski
Title: Information Systems Security Manager
Agency: GSA
Address: 1800 F Street, NW
Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6354
GSA Information Systems Security Officer (ISSO)
Name: William Olson
Title: Systems and Security Program Manager
Agency: GSA
Address: 1800 F Street, NW
Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6393
CenturyLink will register the EIS BSS gateway information system as FIPS 199
moderate-impact as determined by GSA.
STEP 2—SELECT SECURITY CONTROLS
TASK 2-1—COMMON CONTROL IDENTIFICATION
The following common controls will be inherited within the EBAB:
Physical security controls
Environmental controls
Centralized authentication mechanisms
– SecurID
– Active directory
– Personal digital certificates
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
14
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Continuous monitoring systems
– Log aggregators and alarming systems
– Centralized configuration control monitoring systems
– Centralized file integrity monitoring systems
– Centralized access monitoring systems
– Network intrusion detection systems (IDS)
Common controls—including specific security products, hardware, software, and
processes applied within the EBAB—will be designed and selected by a team of
CenturyLink personnel, including the information system owner, ISSO, and personnel
from network engineering, network operations, IT architecture, IT development, and
information assurance.
Regarding overall common controls inherited by the EIS customer access gateway
and services provided under the EIS contract, CenturyLink follows industry-leading
information security standards and best practices to ensure the integrity and
confidentiality of customer and company information in support of our services. These
practices include extensive controls in the areas of personnel, systems, and facility
security, which will be guided by comprehensive security policies and standards.
CenturyLink maintains a hierarchy of information security-related policies and
standards, using the NIST SP 800 series as guidance. Authority for these policies is
founded in the CenturyLink code of conduct (available to the public online under our
corporate governance page) and corporate ethics and compliance program, as
authorized by the CenturyLink Board of Directors.
CenturyLink has a comprehensive physical security program that includes centrally
managed exterior and interior card access controls and video surveillance systems that
supplement standard facility features that include power backup systems, fire control
systems, and physical access controls.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
15
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
CenturyLink's information security teams develop and maintain processes designed
to identify new risks and monitor and respond to known security risks. These processes
include both process and technical controls:
IDS and intrusion prevention systems (IPS)
Data loss prevention systems (DLP)
Ongoing security assessment of systems, software, and network environments
Partnering with audit teams to ensure that CenturyLink systems and processes
are in compliance with information security policies and standards
As a part of our enterprise security program, CenturyLink’s cyber defense team
maintains a centralized cyber incident response process with specific criteria for
identifying and responding to events in the operational environment, including customer
notification as appropriate. The cyber incident response process is closely integrated
with CenturyLink's overall disaster preparedness and emergency response programs. In
addition to real-time event management, specific post-event analysis and continuous
improvement activities will be completed for each incident.
CenturyLink has a fully documented, comprehensive disaster preparedness program
ensuring that all business units have Business Continuity (BC) and/or Disaster
Recovery (DR) and emergency response plans for all critical functions and processes.
These plans will be reviewed, updated, and tested annually, at a minimum, to ensure
their effectiveness. This program is mandated by CenturyLink’s corporate compliance
policy and managed by a full-time staff of certified business continuity professionals.
Inherited Controls
Controls inherited within the EBAB will include centralized authentication
mechanisms:
SecurID
Active directory
Personal digital certificates
Continuous monitoring systems
– Log aggregators and alarming systems
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
16
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
– Centralized configuration control monitoring systems
– Centralized file integrity monitoring systems
– Centralized access monitoring systems
The specific security products, hardware, software, and processes implemented to
apply the appropriate security controls will be designed and selected by a team of
CenturyLink personnel, including the information system owner, ISSO, and personnel
from network engineering, network operations, IT architecture, IT development, and
information assurance.
Securing the overall CenturyLink infrastructure, whether within corporate
environments, customer-facing networks, or the infrastructure that links them, requires
collaboration on risk assessment, policies, threat remediation, and implementation of
best practices. CenturyLink information security-related functions will be performed in
collaboration with CenturyLink’s operations organizations, as follows:
Corporate Security/Information Security (InfoSec): Provides end-to-end
governance, policy making, compliance assurance, risk assessment, vulnerability
management, incident response, identity management, and security monitoring.
Operations/Corporate Infrastructure & Systems Sphere: Operational teams
focus on areas often known as “IT,” including internal CenturyLink computing and
network components.
Operations/Customer-Facing Sphere: Operational teams provide element
access control and security-related response and other functions in both the
public switched telephone network (PSTN) and the transport services area (IP-
based, dedicated facilities, ISP services, etc.).
CenturyLink’s security management provides our customers with a strong, dedicated
partner that understands the security challenges they face. This is demonstrated
through CenturyLink’s well-established security policies, standards, and processes.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
20
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
User and protocol access controls
– Restricted access controls to the management and control planes of the
network elements including encryption, MD5 authentication, and two-factor
authentication methods
– Rate limiting and blocking of protocols directed specifically to the network
elements
– Restricted access to the management and control planes of network elements
permitted only from a small set of trusted sources
– Core privatization architecture that limits outside visibility to key network
elements using MPLS tunneling
– Deployment of session border controllers for dynamic pinhole firewall controls
for signaling and bearer VoIP traffic on session initiation protocol (SIP),
H.323, and MGCP
– Defense in depth architecture with multiple layers, including firewalls, proxies,
and rate limiters to protect the SS7 infrastructure from cyber attacks
– Dynamic routing prefix filtering at all carrier and customer interconnects to
prevent accidental or malicious route corruption
IP spoofing prevention measures
– Implementation of anti-spoofing technologies on the majority of our edge and
border routers to prevent spoofed network attacks from entering the
CenturyLink network
– Routing protocol message integrity checks using MD5 authentication
Comprehensive monitoring and alarming of infrastructure components
– Real-time monitoring of network elements with alarm notifications to the
CenturyLink network management center (24/7)
DoS/DDoS monitoring and mitigation measures
– DoS and distributed DoS (DDoS) flow monitoring across border routers to
provide proactive attack identification and mitigation
– CenturyLink- and customer-initiated IP address black hole filtering
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
21
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
– DNS URL black hole filtering and redirect for mitigation of phishing attacks
and malware distribution
– Monitoring, notification, and turndown of malware-infected customers on the
public CenturyLink IP network
– Network based Layers 3-7 data scrubbing capabilities for DoS/DDoS
mitigation
Protection of SS7
– The CenturyLink SS7 network is provisioned using closed, dedicated circuit
pathways across physically and geographically diverse transport facilities
– Message throttling is accomplished using standard ANSI and Telcordia SS7
congestion control mechanisms
– All SS7 connections to external SS7 networks use SS7 gateways
– All incoming messages are screened for proper origination, destination, and
service indicator (type)
In-depth certification testing
– Comprehensive hardening, testing, and ongoing auditing of network
elements, including routers, switches, and servers
Robustness and failover of IP traffic and backbone services
– Sub-50ms failover provided on the CenturyLink IP backbone using MPLS fast
reroute and on the CenturyLink domestic private line network using
Synchronous Optical Network (SONET) four-fiber bi-directional switched rings
– Two independent recursive DNS anycast systems that provide a highly,
geographically redundant DNS service
– Redundant router and circuit links in each point of presence
– Enhanced backbone traffic separation for different risk domains
CenturyLink Enterprise Malware Protection
CenturyLink actively manages virus protection and anti-malware controls.
CenturyLink standards cover all CenturyLink computing assets and apply to all
employees, contractors, and suppliers who are responsible for operating, installing,
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
22
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
deploying, or administering computing systems within CenturyLink. CenturyLink has
implemented a comprehensive anti-virus and anti-spam posture within our
infrastructure. Mandatory controls at multiple levels (including email, desktop, and
server) are implemented and constantly updated. These controls, coupled with a formal
incident response process, create an environment in which impact on CenturyLink
operations by malware events is extremely rare. Over 99 percent of the spam directed
to the CenturyLink domain is blocked.
CenturyLink Cyber Incident Response Team (CIRT)
CenturyLink maintains a corporate-level CIRT and corresponding processes. These
processes incorporate specific criteria and procedures for engaging operational groups
and escalation to CenturyLink’s corporate-level emergency response team. CenturyLink
senior management is engaged as defined by specific event criteria. An assessment is
made for communicating internally and externally to various customers, critical
infrastructure and national security information-sharing groups, and other external
communication points. Once the risk exposure is remediated (or mitigation is in place),
the CIRT and security management meet to ascertain the depth to which the system
may have been breached and what, if any, customer data may have been exposed;
determine any employee compliance findings; perform a gap analysis; and determine
follow-up steps to ensure continuous process improvement. Key stakeholders are
advised of the outcome, and any follow-up, including notifications and communications,
are tracked to completion.
Security Enhancements
CenturyLink takes a lead role in developing standards, working with suppliers, and
implementing new, innovative approaches to improving our products, including security
services. CenturyLink maintains relationships with key network equipment suppliers to
create a dialogue on best security practices and new feature development and
maintains membership and participation in a variety of industry and standards forums.
Examples of network security enhancements are shown below.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
25
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Enhanced Cybersecurity Services
As a provider of DHS-approved enhanced cybersecurity services to the sixteen
critical infrastructure sectors, CenturyLink makes use of these same services within our
own infrastructure. As a consequence, GSA may be assured that the CenturyLink
infrastructure has been filtered on the most pernicious classified threats identified by
DHS and its partners. This filtering is achieved through:
Network-based inbound email filtering and neutralization
Domain Name System (DNS) protection and notifications
Advanced attack detection, prevention and mitigation
Real time blocking, notifications and weekly reporting
Multiple interface options to meet a variety of corporate email implementations
Evolving security services provide state-of-the-art protections not available in
commercial offerings. Support is provided 24/7/365 by CenturyLink’s SOC.
TASK 2-2—SECURITY CONTROL SELECTION (G.5.6.2)
The specific security products, hardware, software, and processes implemented will
be designed and selected by a team of CenturyLink personnel, including the information
system owner, ISSO, and personnel from network engineering, network operations, IT
architecture, IT development, and information assurance. Controls will be based on
NIST SP 800-53 Rev 4, at the FIPS 199 security impact level determined by GSA.
TASK 2-3—MONITORING STRATEGY
Network IDS and IPS are deployed throughout our national and international
networks at inside and outside locations across CenturyLink national networks and
corporate network boundary, as well as at strategic locations within corporate networks.
Sensors report to centralized security information and event management (SIEM)
systems managed and monitored by network security management teams and
CenturyLink’s cyber defense team.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
26
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Automated, continuous monitoring of EIS BSS systems is centralized in corporate
SIEM systems for access monitoring, file integrity monitoring, and configuration
monitoring. Potential unauthorized use of systems is detected by monitoring:
Network traffic for malware signatures or unusual behavior
Access attempts, successful and unsuccessful
Unauthorized changes to configuration files, security-related files, and other files
that should not change except during a software release or system maintenance
activity
Certain activities trigger alerts within the SIEM systems and network elements at
network borders:
Series of unsuccessful access attempts
Unauthorized or unexpected changes in configuration files
Unexpected changes to inventory (automated inventory monitoring)
Traffic that matches known malware signatures
Traffic that matches known malware behavior
DoS attacks
Real-Time Alerts
Monitoring and alerting systems provide near-real-time alerts when the following
indications of compromise or potential compromise occur:
Protected system files or directories have been modified without notification from
the appropriate change/configuration management channels (software agents
send notice of configuration file or directory changes to a centralized SIEM).
System performance indicates resource consumption that is inconsistent with
expected operating conditions (system information is sent remotely to a SIEM
and an IT bridge performance monitoring system).
Auditing functionality has been disabled or modified to reduce audit visibility
(system software agents send notice of configuration file or directory changes to
centralized SIEMs).
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
27
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Audit or log records have been deleted or modified without explanation (software
agents on systems send notice of configuration file or directory changes to a
centralized SIEM).
The system is raising alerts or faults in a manner that indicates the presence of
an abnormal condition (syslog information is sent remotely to SIEM and to an IT
bridge performance monitoring system).
Resource or service requests are initiated from clients that are outside of the
expected client membership set (unsuccessful access attempt notifications are
logged remotely to a SIEM).
The system reports failed logins or password changes for administrative or key
service accounts (unsuccessful access attempt notifications are logged remotely
to a SIEM, and software agents on systems send notice of password file changes
to a centralized SIEM).
Processes and services are running that are outside of the baseline system
profile (syslog and related information are sent to a SIEM and an IT bridge
performance monitoring system).
Utilities, tools, or scripts have been saved or installed on production systems
without clear indication of their use or purpose (software agents on systems send
notice of configuration file or directory changes to centralized SIEMs).
The SIEMs managed and monitored by CenturyLink’s network operations and CIRT
aggregate and correlate input from firewalls, gateways, switches, routers, and intrusion
IDS, in addition to the specific EIS systems.
CenturyLink security operations centers and cyber defense organization investigate
alerts. Investigations are documented as security incidents in the incident tracking tools.
Incident investigations can originate from alerts triggered by monitoring tools, engineers’
discovery through network monitoring, or notifications or questions from customers,
business partners, or internal organizations.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
28
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Security Vulnerability Scanning
CenturyLink performs authenticated security vulnerability scans of EIS systems and
other systems across the company with frequencies reflecting criticality, typically
weekly. Additional scans are performed manually in production and test environments to
ensure that appropriate updates have been applied when new, critical vulnerability
alerts have been released.
Security Penetration Testing (G.5.6.4 (18, 20))
CenturyLink engages independent security assessment firms to conduct, on an
annual basis, internal and external penetration tests and provide an independent
penetration test report documenting the results of vulnerability analyses and
exploitability of identified vulnerabilities.
Government Assessment and Testing (G.5.6.4 (20))
We will continue to allow GSA employees (or GSA-designated third-party
contractors) to conduct security A&A activities, including control reviews, in accordance
with NIST SP 800-53 R4/800-53A R4 and GSA IT Security Procedural Guide 06-30,
“Managing Enterprise Risk.” Such activities can include operating system vulnerability
scanning, web application scanning, and database scanning of applicable systems that
support the processing, transportation, storage, or security of government information.
GSA’s security scans may run unauthenticated or be configured to use authentication
credentials of a user with elevated privileges.
TASK 2-4—SECURITY PLAN APPROVAL
CenturyLink’s ISSO and EIS National Security and Emergency Preparedness
(NS/EP) and Security Program Manager will review EIS system security plans and their
supporting documentation before submitting them to GSA’s ISSO, ultimately for review
and approval by GSA’s authorizing official or designated representative.
Security controls applied to EIS information systems subject to FISMA requirements
will be itemized by control type (specific, hybrid, or common) in their respective system
security plans. CenturyLink’s risk assessment processes will inform and guide security
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
29
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
control selection processes to achieve the level of security and compliance necessary
for the EIS BSS gateway.
STEP 3—IMPLEMENT SECURITY CONTROLS
TASK 3-1—SECURITY CONTROL IMPLEMENTATION
Implement the security controls specified in the security plan.
Security controls are implemented by appropriate teams across diverse platforms:
national networks, corporate networks, customer networks, IT systems, databases, and
applications. CenturyLink’s Industrial Security Information Assurance staff connects with
each team, communicates security requirements, and facilitates implementations.
Information assurance staff also integrates with service providers to ensure security
compliance across provider-managed systems.
Business Partners and Service Providers
CenturyLink engages IBM Global Services to perform operating system and
database administration on many of our production systems. The following controls are
inherited from IBM:
Access controls
– Network access and jumpstation systems granularly control access and
authorization and centrally log activity to provide forensic information and
accountability.
– CenturyLink access controls are applied in addition to IBM access controls,
providing another layer of control with the ability to block or terminate access
and monitor access and configurations.
Configuration management controls: IBM uses configuration control and
monitoring agents that ensure that configurations are kept within security
baselines and software is kept current and patched.
TASK 3-2—SECURITY CONTROL DOCUMENTATION
Information assurance personnel document security control implementations in the
system security plan and supporting documentation. Operations teams provide artifacts
to demonstrate security compliance on systems they manage. Information assurance
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
30
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
personnel assemble artifacts for audit and assessment purposes. Security control
documentation will be provided to GSA as itemized in Task 5-2.
STEP 4—ASSESS SECURITY CONTROLS
TASK 4-1—ASSESSMENT PREPARATION
Assessment preparation involves the development, review, and approval of a plan to
assess security controls. CenturyLink’s Industrial Security Information Assurance team
continuously assesses the system’s security with help from our cyber defense team,
NOC/SOC personnel, and subcontractors such as security penetration testing firms.
Those same teams coordinate to prepare for outside assessments such as periodic
authorization to operate assessments performed by GSA.
TASK 4-2—SECURITY CONTROL ASSESSMENT
CenturyLink will assess the security controls in accordance with procedures defined
in the security assessment plan. Security controls on CenturyLink systems are
assessed internally by our information assurance, security operations center, and
corporate cyber defense teams, in addition to periodic assessments and penetration
tests by independent third-party assessors. Government systems receive periodic
security assessments from our government customers and independent third-party
assessment firms. Commercial customers and business partners also perform security
audits of provided services and our overall corporate security program.
TASK 4-3—SECURITY ASSESSMENT REPORT (G.5.6.4 (17))
Security assessment details will be developed and maintained in quarterly plans of
action and milestones (POA&Ms) which are completed in agreement with GSA IT
Security Procedural Guide 06-30 and delivered to government customers quarterly.
Raw reports of security vulnerability scans and penetration test reports are included.
Scans associated with the POA&M will be performed as an authenticated user with
elevated privileges and include all networking components that fall within the EBAB.
The appropriate vulnerability scans will be submitted with the initial security A&A
package. Vulnerability scanning results will be managed and mitigated in the POA&M
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
31
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
and submitted with the quarterly POA&M. An annual information system user
certification/authorization review will be annotated on the POA&M.
TASK 4-4—REMEDIATION ACTIONS (G.5.6.4 (22)
In the event of security vulnerabilities or weaknesses, service tickets are opened by
information assurance personnel and directed to the appropriate engineering or
operations groups. The ticketing system tracks the testing, implementation, and
resolution of the findings. Resolutions are verified by security vulnerability scans or
other applicable methods.
CenturyLink will mitigate all security risks found during the security A&A and
continuous monitoring activities. All critical and high-risk vulnerabilities will be mitigated
within 30 days and all moderate risk vulnerabilities will be mitigated within 90 days from
the date vulnerabilities are formally identified. Updates on the status of all critical and
high vulnerabilities that have not been closed within 30 days will be provided on a
monthly basis.
TASK 4-5—ADDITIONAL SECURITY REQUIREMENTS (G.5.6.6)
CenturyLink will ensure that proper privacy and security safeguards are adhered to
in accordance with the FAR Part 52.239-1, Section I. All deliverables identified in RFP
Section G.5.6.4 will continue to be labeled as CUI and CenturyLink Confidential. Per
company and government policy all external transmission/dissemination of CenturyLink
data to or from a GSA computer must be encrypted in accordance with FIPS PUB 140-
2, “Security requirements for Cryptographic Modules.”
In accordance with the FAR (see Section I, 52.224-1, “Privacy Act Notification” and
FAR 52.224-2, “Privacy Act.”), CenturyLink will continue to cooperate in good faith with
GSA to create non-disclosure agreements that other third parties must sign when acting
as the federal government’s agent and will ensure they are signed by the third parties
as required to maintain compliance.
CenturyLink agrees not to publish or disclose in any manner, without the CO’s
written consent, the details of any safeguards either designed or developed by
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
32
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
CenturyLink under this contract or otherwise provided by the government (except for
disclosure to a consumer agency for purposes of security A&A verification).
CenturyLink will continue to support the government or its agents to carry out a
program of inspection to safeguard against threats and hazards to the confidentiality,
integrity and availability of any non-public government data collected and stored by
CenturyLink. This includes providing the government logical and physical access to
CenturyLink’s facilities, installations, technical capabilities, operations, documentation,
records, and databases within 72 hours of the request. Automated audits will include the
following methods:
Authenticated and unauthenticated operating system/network vulnerability scans
Authenticated and unauthenticated web application vulnerability scans
Authenticated and unauthenticated database application vulnerability scans
Internal and external penetration testing
The scanning tools and their configurations will be approved by the government in
advance. The results of CenturyLink-conducted scans and/or penetration tests will be
provided, in full, to the government.
CenturyLink will perform personnel security/suitability in accordance with FAR Part
52.204-9 and the requirements of G.5.6.6.1.
STEP 5—AUTHORIZE INFORMATION SYSTEM
TASK 5-1—PLAN OF ACTION AND MILESTONES
Quarterly POA&Ms are prepared by information assurance personnel and delivered
to government customers.
TASK 5-2—SECURITY ASSESSMENT AND AUTHORIZATION PACKAGE (G.5.6.3,
G.5.6.4 (1 THROUGH 16, 21, 23))
CenturyLink will develop and maintain the documentation necessary to obtain an
ATO. Information assurance personnel produce the security A&A package and submit it
to the appropriate authorizing official for adjudication.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
33
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
The typical security A&A package includes the following.
Security Assessment Boundary and Scope Document (BSD) (G.5.6.4 (1)) initially
completed and submitted within 15 days of the NTP and updated annually
SSP
Rules of Behavior (RoB) (G.5.6.4 (5)) with annual updates
Privacy Impact Assessment (PIA) (G.5.6.4 (10)) with annual updates
800-53 Control Tailoring Workbook (CTW) (G.5.6.4 (3)) with annual updates.
CenturyLink will document in Column E of the workbook included in RFP Section
J.8 all CenturyLink-implemented settings that are different from GSA-defined
settings, and where GSA-defined settings allow CenturyLink to deviate.
800-53 Control Summary Table (G.5.6.4 (4)) with annual updates
System Inventory (hardware, software, and related information) (G.5.6.4 (6)) with
annual updates
Incident Response Plan (IRP) (G.5.6.4 (14)) with annual updates (Reference:
NIST SP 800-53 R4 control IR-8; NIST SP 800-61; GSA CIO-T Security 01-02)
Incident Response Test Plan
Incident Response Test Report (G.5.6.4 (15)) with annual updates ((Reference:
NIST SP 800-53 R4 control IR-8; NIST SP 800-61; GSA CIO-IT Security 01-02)
Contingency Plan (CP) (G.5.6.4 (7)) with annual updates
– Disaster Recovery Plan (DRP) with annual updates
– Business Impact Assessment (BIA) with annual updates
Contingency Plan Test Plan (CPTP) (G.5.6.4 (8)) with annual updates
Contingency Plan Test Report (CPTPR) (G.5.6.4 (9)) with annual updates
Interconnection Security Agreements (ISA) (G.5.6.4 (2)) developed in
accordance with NIST SP 800-47. Provided with the security A&A package and
updated annually
Configuration Management Plan (CMP)(G.5.6.4 (11)) with annual updates
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
34
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
– System configuration settings for information technology products used within
the information system will be developed and maintained as part of the CMP
((G.5.6.4 (13))) with annual updates. These settings reflect the most
restrictive mode consistent with operational requirements. Systems are
configured in accordance with GSA technical guides, NIST standards, Center
for Internet Security (CIS) guidelines (Level 1), or industry best practices in
hardening systems, as deemed appropriate by the AO. (Reference: NIST SP
800-53 R4 control CM-6; NIST SP 800-128; GSA CIO-IT Security 01-05).
Systems Baseline Configuration Standard Document (G.5.6.4 (12)) a well
defined, documented, and up-to-date specification to which the information
system is built. Provided as a part of the CMP including annual updates
Audit Monitoring Program
Continuous Monitoring Program (security risk mitigation) with a Continuous
Monitoring Plan to document how our continuous monitoring of information
system will be accomplished (G.5.6.4 (16)) updated annually
– Access monitoring
– Configuration monitoring
– Vulnerability monitoring (scanning)
– Third-party penetration test report
– Automated reporting to customer (if customer is prepared for it)
Continuous Monitoring Plan
e-Authentication documents:
– e-Authentication Executive Summary
– e-Authentication Detail Report
– e-Authentication Risk and Requirements Assessment Tool (database file)
User Access Authorization & Management Process
Personnel Security Procedures
Suitability Report (employee background investigation report)
Security Test and Evaluation (ST&E) Plan
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
35
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
ST&E Report
Security/Risk Assessment Report (SAR) (G.5.6.4 (21))
– Identified SP 800-53 R4 gaps documented in SAR are tracked for mitigation
in a POA&M document
Annual FISMA Assessment (conducted per GSA Chief Information Officer (CIO)
IT Security Procedural Guide 04-26, FISMA Implementation) (G.5.6.4 (23))
Code Review Report (G.5.6.4 (19))
Independent Penetration Test Report (covering internal and external penetration
testing) (G.5.6.4 (18))
Document Management G.5.6.4 (24)
CenturyLink will develop and keep current all policy and procedure documents, as
outlined in the specified NIST documents and applicable GSA IT security procedural
guides. They will be verified and reviewed during the initial security assessment, and
updates will be provided to the GSA Information System Security Officer or Information
System Security Manager biennially, including the following:
a) Access Control Policy and Procedures (NIST SP 800-53 R4: AC-1)
b) Security Awareness and Training Policy and Procedures (NIST SP 800-53 R4:
AT-1)
c) Audit and Accountability Policy and Procedures (NIST SP 800-53 R4: AU-1)
d) Security Assessment and Authorization Policies and Procedures (NIST SP 800-
53 R4: CA-1)
e) Configuration and Management Policy and Procedures (NIST SP 800-53 R4:
CM-1)
f) Contingency Planning Policy and Procedures (NIST SP 800-53 R4: CP-1)
g) Identification and Authentication Policy and Procedures (NIST SP 800-53 R4: IA-
1)
h) Incident Response Policy and Procedures (NIST SP 800-53 R4: IR-1)
i) System Maintenance Policy and Procedures (NIST SP 800-53 R4: MA-1)
j) Media Protection Policy and Procedures (NIST SP 800-53 R4: MP-1)
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
36
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
k) Physical and Environmental Policy and Procedures (NIST SP 800-53 R4: PE-1)
l) Security Planning Policy and Procedures (NIST SP 800-53 R4: PL-1)
m) Personnel Security Policy and Procedures (NIST SP 800-53 R4: PS-1)
n) Risk Assessment Policy and Procedures (NISTSP 800-53 R4: RA-1)
o) Systems and Services Acquisition Policy and Procedures (NIST SP 800-53 R4:
SA-1)
p) System and Communication Protection Policy and Procedures (NIST SP 800-53
R4: SC-1)
q) System and Information Integrity Policy and Procedures (NIST SP 800-53 R4: SI-
1).
TASK 5-3—RISK DETERMINATION
Determine the risk to organizational operations (including mission, functions, image,
and reputation), organizational assets, individuals, other organizations, and the nation.
Read and respond to task guidance in accordance with NIST SP 800-37, page 35 and
note 3.
TASK 5-4—RISK ACCEPTANCE
When a specific security vulnerability or finding cannot be completely resolved
without compensating or mitigating controls, information assurance personnel author an
acceptance of risk request and submit it to the customer’s ISSO for assessment and an
exception decision by the authorization official.
STEP 6—MONITOR SECURITY CONTROLS
TASK 6-1—INFORMATION SYSTEM AND ENVIRONMENT CHANGES
CenturyLink Information Assurance staff will determine the security impact of
proposed changes to the information system and its operational environment before
authorizing changes. Changes proposed for a government system are assessed by the
applicable change control board before implementation. A proposal for a significant
change in architecture or operations prompts a formal security risk assessment, which
documents the potential impacts and benefits of the change.
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
37
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Detailed changes to configurations of systems and network elements go through
formalized, documented change management processes that control which changes
can be made and when. These processes ensure that each proposed change has been
reviewed by the appropriate personnel and minimize the chance for a negative
outcome.
TASK 6-2—ONGOING SECURITY CONTROL ASSESSMENTS
Security controls are assessed on a continual basis, with weekly security
vulnerability scans of operating systems, databases, and web applications.
Code Review (G.5.6.4 (19))
For internally developed software, CenturyLink will conduct code analysis reviews
using HP Fortify and other code analysis tools, in accordance with GSA CIO Security
Procedural Guide 12-66 to examine for common flaws. CenturyLink will document
results in a code review report to be submitted prior to placing the EIS BSS gateway
system into production. The code review process is in integral part of CenturyLink’s
Agile/Sprint code release process that software frequently goes through, as code
updates are processed from development to test systems and test systems to
production systems.
TASK 6-3—ONGOING REMEDIATION ACTIONS
Remediation actions are initiated as soon as security vulnerabilities are known.
Actions are typically initiated with service tickets assigned to the appropriate
management team.
TASK 6-4—KEY UPDATES
System security plans and supporting documents are updated as systems evolve
and are included with quarterly POA&Ms as appropriate.
TASK 6-5—SECURITY STATUS REPORTING
The security status of each information system is reported to the authorizing official
and customer ISSO on the quarterly POA&M and supporting documentation. More
continuous security status reporting and automated continuous security monitoring data
Enterprise Infrastructure Solutions
Volume 2—Management Volume—BSS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
38
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
streams are provided to government customers in accordance with their prescribed
monitoring strategy.
TASK 6-6—ONGOING RISK DETERMINATION AND ACCEPTANCE
Authorizing officials review the reported security status of information systems on an
ongoing basis, in accordance with the monitoring strategy, to determine whether the risk
to organizational operations, organizational assets, individuals, other organizations, or
the nation remains acceptable.
TASK 6-7—INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING
CenturyLink follows a system-removal and decommissioning policy and procedures
that ensure that all data are securely erased or destroyed before storage elements
leave CenturyLink premises.