Certification and Accreditation: The Postal Service Process for Protecting Its Electronic Information Resources

Publication 805-A, May 2015



Certification and Accreditation (C&A) Requirements for Information Resources

Each cell below states whether the deliverable is required for that class of information resource and, in parentheses, who is responsible for it. Rows that show only three cells list only three entries in the publication.

Phase | C&A Deliverable | New & Major Information Resource Modifications | Recertifications | Service Based Contracts NS & NC | All Other Information Resources
2 | Information Resource Characterization | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
2 | BIA | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
3 | Security Specs | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
3 | Security Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
3 | Site Security Review | Yes (ISSO & USPIS) | If applicable (ISSO & USPIS) | Yes (ISSO & USPIS)
4 | SOPs | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.)
4 | Operation Training Materials | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.)
4-5 | Contingency Plans | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.)
4 | NCRB Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
5 | ST&E Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.)
6 | Security Code Review | Based on Requirements (Project Mgr.) | Based on Policy Requirements (Project Mgr.) | If applicable (Project Mgr.) | Based on Policy Requirements (Project Mgr.)
6 | ST&E Testing & Report | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.)
6 | Vulnerability Scan | Yes (CISO) | Yes (CISO) | Yes (CISO) | Yes for Sensitive (CISO)
6 | Penetration Test | If applicable (CISO) | If applicable (CISO) | If applicable (CISO)
6 | Independent Reviews | If applicable (Project Mgr.) | If applicable (Project Mgr.) | If applicable (Project Mgr.)
6 | Risk Assessment | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
6 | Risk Mitigation Plan | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (ISSO)
6 | Evaluation Report | Yes (ISSO) | Yes (ISSO) | Yes (ISSO)
6 | Certification Letter | Yes (ISSO Mgr.) | Yes (Certifier) | Yes (Certifier)
6 | Accreditation Letter | Yes (Mgr. CISO) | Yes (Accreditor) | Yes (Accreditor)
6 | Risk Acceptance Letter | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area)
8 | Contingency Test Results | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor)
8 | Revised C&A Documents | As needed or every 3 years (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years (ISSO & Project Mgr.)
9 | Retirement Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)
9 | Retirement Certification | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.)


C&A Phases and Major Deliverables

The C&A process consists of several interrelated phases that are conducted concurrently with the development and deployment of new information resources (technical solutions) and the retirement of existing information resources. Each phase in the C&A process corresponds to a phase in the Technical Solutions Life Cycle using either the Waterfall Development or the Agile Scrum Development Methodologies.

The objectives of the C&A process are to do the following:

• Determine the sensitivity and criticality of the information processed.

• Define security requirements.

• Identify and implement security controls and processes.

• Test security solutions.

• Evaluate the effectiveness of the security controls and processes chosen to protect the information resource, and assess threats and vulnerabilities.

• Obtain management approval for deployment or continued use.


Certification and Accreditation Activities in Conjunction with the Waterfall Development Methodology Phases

Phase 1, Initiate and Plan

In this phase:

• The proposed technical solution is registered or updated in EIR.

• The project is planned.

• An ISSO is assigned.

• The C&A process is initiated.

Phase 2, Requirements

In this phase, the application characteristics are documented, including internal and external dependencies, and a Business Impact Assessment (BIA) is conducted to collect privacy-related information, to ensure compliance with privacy laws and regulations, to define the sensitivity and criticality of the technical solution, and to determine the information security requirements needed to protect the technical solution.

Phase 3, Design

In this phase:

• The design for the technical solution is developed and documented in an architecture diagram.

• Security specifications are defined for contracts and acquisitions to protect the technical solution commensurate with its business value.

• Information security controls and processes are identified to satisfy the security requirements defined in the BIA and are documented in a security plan.

• A site security review is requested (if required).

Phase 4, Build

In the build phase:

• Information security controls and processes are built (or acquired) and integrated into the information resource.

• Connectivity requirements are defined.

• A request is submitted to the Network Connectivity Review Board.

• Contingency planning is initiated (if required) to address unexpected interruptions to the business activities supported by this information resource.

Phase 5, Security Integration Testing

In the security integration testing phase, a security test plan is developed and contingency plans are completed.

Phase 6, Customer Acceptance Testing

In the customer acceptance testing phase:

• A security code review is conducted (if required).

• Security testing is conducted to ensure the security controls and processes implemented in the build phase are effective.

• The results of the test are documented in a report.

• Vulnerability scans are run.

• Penetration testing is conducted (if applicable).


• Independent reviews of security code reviews, risk assessments, vulnerability scans, penetration testing, or security test validation are conducted (if required).

• A risk assessment is conducted and a risk mitigation plan is developed.

• The ISSR and/or project manager completes the C&A deliverables and submits them to the ISSO.

• The ISSO evaluates the C&A deliverables and prepares an evaluation report highlighting the risks associated with placing the information resource in production, then either escalates security concerns or forwards the C&A evaluation report and supporting documentation to the certifier for review.

• The certifier reviews the C&A evaluation report and the supporting C&A documentation, then either escalates security concerns or prepares and signs a certification letter and forwards the certification letter and C&A supporting documentation to the accreditor.

• The accreditor reviews the certification letter, risk mitigation plan, and the supporting C&A documentation, and takes one of the following actions: [1] escalates security concerns; or [2] prepares and signs a full accreditation letter and forwards it to the vice president functional business area (or executive sponsor if this responsibility is delegated) and the vice president IT (or Business Relationship Management portfolio manager if this responsibility is delegated); or [3] prepares and signs a conditional accreditation with requirements that must be met within a stated time frame, and forwards the Conditional Accreditation Letter to the VP IT and the VP functional business area. If the requirements are not met within the indicated time frame, the accreditor issues a Failure to Comply Letter to the VP IT and the VP functional business area.

• If a documented vulnerability associated with medium or high residual risk will not be mitigated, [1] the VP IT and VP functional business area prepare and sign a Risk Acceptance Letter and forward the letter to the accreditor; or [2] if the VP IT and VP functional business area decide not to sign a Risk Acceptance Letter, the accreditor issues a Failure to Comply Letter.

Phase 7, Governance Compliance

The Governance Compliance phase ensures that all deliverables are stored in the TSLC Artifacts Library, that all artifacts meet USPS IT SOX and IT governance requirements and controls, and that they have been approved by the Product Owner/Customer. There are no C&A activities or deliverables for this phase.

Phase 8, Release and Production

All three approvals (i.e., certification, accreditation, and risk acceptance) are required before deploying the information resource. The project manager deploys the information resource into production with the security controls documented in the security plan and tested in the Security Test and Evaluation (ST&E), and with any restrictions documented in the approval letters.

Other activities in Phase 8 are:

• Testing contingency plans.

• Maintaining security controls and processes.


• Periodically testing security controls.

• Reviewing system and application logs.

• Updating C&A documentation.

• Re-initiating the C&A.

Phase 9, Retire

The Retirement phase ensures that appropriate archiving and security measures are taken and documented when decommissioning a technology solution or its components from the Postal Service Technology Infrastructure. Activities include:

• Retiring the information resource.

• Disposing of the data.

• Sanitizing the equipment and media (if required).

C&A Stakeholder Responsibilities

VP Functional Business Area

• Ensures resources are available for completing information security tasks throughout an information resource life cycle.

• Works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource. The vice presidents of functional business areas may delegate this responsibility to the applicable executive sponsor. If this responsibility is delegated, notice to that effect must be in writing.

Executive Sponsor

• Ensures completion of all security tasks throughout an information resource life cycle.

• (If the vice president functional business area delegated this responsibility) works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource.

VP IT

• Works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risks and approve deployment of the information resource. The vice president of IT may delegate this responsibility to the applicable Business Relationship Management portfolio manager. If this responsibility is delegated, notice to that effect must be in writing.


Business Relationship Portfolio Manager

• Serves as a liaison between the executive sponsor and IT providers.

• (If the vice president IT delegated this responsibility) works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and risk mitigation plan and, if acceptable, accept residual risks and approve deployment of the information resource.

Information Systems Security Representative or Project Manager

• Ensures security controls are implemented.

• Notifies the executive sponsor, Business Relationship portfolio manager, and ISSO of any risks that emerge during development or acquisition of the application.

• Prepares or coordinates C&A documents.

Information Systems Security Officer

• Provides security guidance and expertise throughout the C&A process.

• Reviews the security testing and evaluates C&A documents.

• Prepares the C&A evaluation report and submits it to the certifier.

Certifier (Program Manager, C&A Process)

• Reviews the C&A evaluation report and supporting documents.

• If acceptable, prepares a certification letter and submits it to the accreditor.

Accreditor (Chief Information Security Officer)

• Reviews the certification letter and supporting documents.

• If acceptable, prepares the accreditation letter and recommends deployment.

Where to find additional information and help

Information security policies and processes are available on PolicyNet at http://blue.usps.gov/cpim/hbkid.htm and C&A deliverables are incorporated in the eC&A application.

Information Security Hotline: 919-501-9350

E-mail comments to: [email protected].


Pub 805-A, PSN 7610-07-000-8289, May 2015