Certification and Accreditation
Publication 805-A, May 2015 1
Certification and Accreditation The Postal Service Process For Protecting Its Electronic Information Resources
Publication 805-A, May 2015
Certification and Accreditation (C&A) Requirements for Information Resources

Each cell gives whether the deliverable is required and, in parentheses, the responsible party. The source table gives only three entries for some rows.

| Phase | C&A Deliverable | New & Major Information Resource Modifications | Recertifications | Service Based Contracts NS & NC | All Other Information Resources |
|---|---|---|---|---|---|
| 2 | Information Resource Characterization | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 2 | BIA | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Specs | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Site Security Review | Yes (ISSO & USPIS) | If applicable (ISSO & USPIS) | Yes (ISSO & USPIS) | |
| 4 | SOPs | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4 | Operation Training Materials | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4-5 | Contingency Plans | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4 | NCRB Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 5 | ST&E Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Security Code Review | Based on Requirements (Project Mgr.) | Based on Policy Requirements (Project Mgr.) | If applicable (Project Mgr.) | Based on Policy Requirements (Project Mgr.) |
| 6 | ST&E Testing & Report | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Vulnerability Scan | Yes (CISO) | Yes (CISO) | Yes (CISO) | Yes for Sensitive (CISO) |
| 6 | Penetration Test | If applicable (CISO) | If applicable (CISO) | If applicable (CISO) | |
| 6 | Independent Reviews | If applicable (Project Mgr.) | If applicable (Project Mgr.) | If applicable (Project Mgr.) | |
| 6 | Risk Assessment | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Risk Mitigation Plan | Yes for High/Mod Risk (Project Mgr.) | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Mod Risk (Project Mgr.) | Yes for High/Mod Risk (ISSO) |
| 6 | Evaluation Report | Yes (ISSO) | Yes (ISSO) | Yes (ISSO) | |
| 6 | Certification Letter | Yes (ISSO Mgr.) | Yes (Certifier) | Yes (Certifier) | |
| 6 | Accreditation Letter | Yes (Mgr. CISO) | Yes (Accreditor) | Yes (Accreditor) | |
| 6 | Risk Acceptance Letter | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) |
| 8 | Contingency Test Results | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | |
| 8 | Revised C&A Documents | As needed or every 3 years (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years (ISSO & Project Mgr.) |
| 9 | Retirement Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 9 | Retirement Certification | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
C&A Phases and Major Deliverables
The C&A process consists of several interrelated phases that are conducted concurrently with the development and deployment of new information resources (technical solutions) and the retirement of existing information resources. Each phase in the C&A process corresponds to a phase in the Technical Solutions Life Cycle using either the Waterfall Development or the Agile Scrum Development Methodologies.
The objectives of the C&A process are to do the following:
- Determine the sensitivity and criticality of the information processed.
- Define security requirements.
- Identify and implement security controls and processes.
- Test security solutions.
- Evaluate the effectiveness of the security controls and processes chosen to protect the information resource, and assess threats and vulnerabilities.
- Obtain management approval for deployment or continued use.
Certification and Accreditation Activities in Conjunction with the Waterfall Development Methodology Phases

Phase 1, Initiate and Plan
In this phase:
- The proposed technical solution is registered or updated in EIR.
- The project is planned.
- An ISSO is assigned.
- The C&A process is initiated.

Phase 2, Requirements
In this phase, the application characteristics are documented, including internal and external dependencies, and a Business Impact Assessment (BIA) is conducted to collect privacy-related information, to ensure compliance with privacy laws and regulations, to define the sensitivity and criticality of the technical solution, and to determine the information security requirements needed to protect the technical solution.

Phase 3, Design
In this phase:
- The design for the technical solution is developed and documented in an architecture diagram.
- Security specifications are defined for contracts and acquisitions to protect the technical solution commensurate with its business value.
- Information security controls and processes are identified to satisfy the security requirements defined in the BIA and are documented in a security plan.
- A site security review is requested (if required).

Phase 4, Build
In the build phase:
- Information security controls and processes are built (or acquired) and integrated in the information resource.
- Connectivity requirements are defined.
- A request is submitted to the Network Connectivity Review Board.
- Contingency planning is initiated (if required) to address unexpected interruptions to business activities supported by this information resource.

Phase 5, Security Integration Testing
In the security integration testing phase, a security test plan is developed and contingency plans are completed.

Phase 6, Customer Acceptance Testing
In the customer acceptance testing phase:
- A security code review is conducted (if required).
- Security testing is conducted to ensure the security controls and processes implemented in the build phase are effective.
- The results of the test are documented in a report.
- Vulnerability scans are run.
- Penetration testing is conducted (if applicable).
- Independent reviews of security code reviews, risk assessments, vulnerability scans, penetration testing, or security test validation are conducted (if required).
- A risk assessment is conducted and a risk mitigation plan is developed.
- The ISSR and/or project manager completes the C&A deliverables and submits them to the ISSO.
- The ISSO evaluates the C&A deliverables and prepares an evaluation report highlighting the risks associated with placing the information resource in production, and either escalates security concerns or forwards the C&A evaluation report and supporting documentation to the certifier for review.
- The certifier reviews the C&A evaluation report and the supporting C&A documentation, and either escalates security concerns or prepares and signs a certification letter and forwards the certification letter and C&A supporting documentation to the accreditor.
- The accreditor reviews the certification letter, risk mitigation plan, and the supporting C&A documentation, and takes one of the following actions: [1] escalates security concerns; [2] prepares and signs a full accreditation letter and forwards it to the vice president functional business area (or executive sponsor if this responsibility is delegated) and vice president IT (or Business Relationship Management portfolio manager if this responsibility is delegated); or [3] prepares and signs a conditional accreditation with requirements that must be met within a stated time frame, and forwards the Conditional Accreditation Letter to the VP IT and the VP functional business area. If the requirements are not met in the indicated time frame, the accreditor will issue a Failure to Comply Letter to the VP IT and the VP functional business area.
- If a documented vulnerability with medium or high residual risk will not be mitigated, [1] the VP IT and VP functional business area prepare and sign a Risk Acceptance Letter and forward the letter to the accreditor, or [2] if the VP IT and VP functional business area decide not to sign a Risk Acceptance Letter, the accreditor will issue a Failure To Comply Letter.

Phase 7, Governance Compliance
The Governance Compliance phase ensures that all deliverables are stored in the TSLC Artifacts Library, that all artifacts meet USPS IT SOX and IT governance requirements and controls, and that they have been approved by the Product Owner/Customer. There are no C&A activities or deliverables for this phase.

Phase 8, Release and Production
All three approvals (i.e., certification, accreditation, and risk acceptance) are required before deploying the information resource. The project manager deploys the information resource into production with the security controls documented in the security plan and tested in the Security Test and Evaluation (ST&E), and with any restrictions documented in the approval letters.

Other activities in Phase 8 are:
- Testing contingency plans.
- Maintaining security controls and processes.
- Periodically testing security controls.
- Reviewing system and application logs.
- Updating C&A documentation.
- Re-initiating the C&A.

Phase 9, Retire
The Retirement phase ensures that appropriate archiving and security measures are taken and documented when decommissioning a technology solution or its components from the Postal Service Technology Infrastructure. Activities include:
- Retiring the information resource.
- Disposing of the data.
- Sanitizing the equipment and media (if required).
C&A Stakeholder Responsibilities
VP Functional Business Area
- Ensures resources are available for completing information security tasks throughout an information resource life cycle.
- Works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource. The vice presidents of functional business areas may delegate this responsibility to the applicable executive sponsor. If this responsibility is delegated, notice to that effect must be in writing.

Executive Sponsor
- Ensures completion of all security tasks throughout an information resource life cycle.
- (If the vice president functional business area delegated this responsibility) works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource.

VP IT
- Works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risks and approve deployment of the information resource. The vice president of IT may delegate this responsibility to the applicable Business Relationship Management portfolio manager. If this responsibility is delegated, notice to that effect must be in writing.
Business Relationship Portfolio Manager
- Serves as a liaison between the executive sponsor and IT providers.
- (If the vice president IT delegated this responsibility) works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and risk mitigation plan and, if acceptable, accept residual risks and approve deployment of the information resource.

Information Systems Security Representative or Project Manager
- Ensures security controls are implemented.
- Notifies the executive sponsor, Business Relationship portfolio manager, and ISSO of any risks that emerge during development or acquisition of the application.
- Prepares or coordinates C&A documents.

Information Systems Security Officer
- Provides security guidance and expertise throughout the C&A process.
- Reviews the security testing and evaluates C&A documents.
- Prepares the C&A evaluation report and submits it to the certifier.

Certifier (Program Manager, C&A Process)
- Reviews the C&A evaluation report and supporting documents.
- If acceptable, prepares a certification letter and submits it to the accreditor.

Accreditor (Chief Information Security Officer)
- Reviews the certification letter and supporting documents.
- If acceptable, prepares an accreditation letter and recommends deployment.
Where to find additional information and help
Information security policies and processes are available on PolicyNet at http://blue.usps.gov/cpim/hbkid.htm, and C&A deliverables are incorporated in the eC&A application.
Information Security Hotline: 919-501-9350
E-mail comments to: [email protected].