General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS)
Vol. 1 Technical RFP No. QTA0015THA3003 2-1 Use or disclosure of data contained on this page is subject to the restrictions on the title page of this proposal.
2.0 RISK MANAGEMENT FRAMEWORK PLAN [L.29.3.a), C.1.8.7]
2.1 Risk Management Framework (RMF) Approach [L.29.3.a), C.1.8.7]
Level 3 is committed to maintaining the security, confidentiality, integrity, and
availability of its networks and services, and of the customer data transported over them. Level
3 operates an integrated security architecture managed by several dedicated security
groups. These groups are responsible for identifying and correcting vulnerabilities that affect the
commercial and internal networks, associated products and services, and related
support systems. Level 3 believes that early detection and analysis of security
threats that could impact the network are critical to consistently assessing the security level
being provided.
The EIS Service RMF supports the following goals:
For guidance, the Level 3 EIS Service RMF Plan draws upon the following
documentation:
Federal Information Security Management Act (FISMA) of 2002; (44 U.S.C.
Section 301. Information security).
Federal Information Security Modernization Act of 2014; (to amend Chapter 35
of 44 U.S.C.).
FIPS PUB 199, “Standards for Security Categorization of Federal Information
and Information Systems.” Dated February 2004.
FIPS PUB 200, “Minimum Security Requirements for Federal Information and
Information Systems.” Dated March 2006.
NIST SP 800-18 Revision 1, “Guide for Developing Security Plans for Federal
Information Systems.” Dated February 2006.
NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” Dated
September 2012.
NIST SP 800-34 Revision 1, “Contingency Planning Guide for Information
Technology Systems.” Dated May 2010.
NIST SP 800-37 Revision 1, “Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Lifecycle Approach.”
Dated February 2010.
NIST SP 800-40 Revision 3, “Guide to Enterprise Patch Management
Technologies.” Dated July 2013.
NIST SP 800-47, “Security Guide for Interconnecting Information Technology
Systems.” Dated August 2002.
NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for
Federal Information Systems and Organizations.” Dated April 2013.
NIST Special Publication 800-53A, Revision 4, “Assessing Security and Privacy
Controls in Federal Information Systems and Organizations, Building Effective
Assessment Plans.” Dated December 2014.
NIST SP 800-60 Revision 1, “Guide for Mapping Types of Information and
Information Systems to Security Categories.” Dated August 2008.
NIST SP 800-160 “Systems Security Engineering.” Draft dated May 2014.
NIST SP 800-161 “Supply Chain Risk Management Practices for Federal
Information Systems and Organizations.” Dated April 2015.
NIST SP 800-171, “Protecting Controlled Unclassified Information in the
Nonfederal Information Systems and Organizations.” Dated June 2015.
DODI 8510.01 “Risk Management Framework (RMF) for DOD Information
Technology (IT).” Dated 12 March 2014.
Led by the Chief Information Security Officer (CISO), the Level 3 Security
Compliance organization is responsible for the design, maintenance, and enforcement
of the security framework and other security initiatives within Level 3 Communications.
As illustrated in Figure 2.1-1, this organization supports the governance of
functions described in NIST SP 800-37.
From an EIS services perspective, NIST SP 800-37
organizations. Security Architecture provides a focus for research and development in
identifying, investigating, and testing newly discovered security trends, capabilities, and
technologies. This group is also responsible for the overall security architecture used to
protect the Level 3 systems and infrastructure. The focus of
of
Level 3’s assets and infrastructure as well as the testing and integration of this
technology into the logical and physical environment.
management of internally developed systems. The Level 3 procurement organization is
also integrated into this layer to ensure that risk management constructs are
incorporated into the procurement/supply chain.
Figure 2.1-1. Level 3 Risk Management Approach per NIST SP 800-37 Tiers.
As suggested in Figure 2.1-1, within the EIS services risk management
construct, there are multiple Level 3 organizations supporting relative NIST SP 800-37
process to ensure the availability and reliability of network and security applications and
services within defined SLAs. These organizations also ensure adherence to all
processes in the documentation and implementation of systems. Additionally, Level 3
maintains a
.
, systems, applications,
and functions, and to test functional aspects of code used within the infrastructure.
Protection of service infrastructure extends to the physical security of the service
environment. Level 3’s
.
In support of informed risk determination, Level 3 has
. Level 3
implements security technology and process controls to measure compliance with risk
management practices. The risk determination model is based upon ensuring that
security is covered at the following layers:
)
2.2 Systems Development Life Cycle [L.29.3.a), C.1.8.7]
Security requirements for internally developed systems are included during the
planning, development, and implementation stages. Level 3 employs an
to ensure processes and
systems are fully optimized. From a services perspective, each product/service
maintains a systems registry that includes
. Level 3 utilizes a
have access to this system.
2.3 Information System Boundaries [L.29.3.a), C.1.8.7]
Level 3 has developed methods and procedures to protect Government
information within a system security boundary that is separate from the information
systems that control EIS services. There are in support of
EIS:
.
The methods, procedures, and controls implemented within the BSS security
boundary protect Government information within the BSS operating environment. All
EIS-related Government information is contained within the BSS security boundary.
Government information passed to systems outside of the
is provided in Figure 2.3-1.
Figure 2.3-1. Conceptual Agency Data Protection Schema.
2.4 Security Control Allocation [L.29.3.a), C.1.8.7]
The services-based RMF primarily focuses on the protection within the D/A
information transport element of the EIS services. Services-based information system
controls are generally not applicable to protection of Government information as this
information is obfuscated through methods and procedures contained within the BSS
security boundary. Common Controls will be utilized within the systems where possible
and applicable.
2.5 The Risk Management Framework Process [L.29.3.a), C.1.8.7]
Level 3 utilized NIST SP 800-37 and internal best practices in the development of
this EIS Services RMF Plan document. As a living document, it will be updated
throughout the EIS services SDLC. From NIST SP 800-37, the six RMF process steps1
are represented in Figure 2.5-1.
Figure 2.5-1. Risk Management Framework Process Steps (NIST SP 800-37).
1 NIST SP 800-37, Figure 2-2 Risk Management Framework
2.5.1 Step 1: Categorize Information System [L.29.3.a), C.1.8.7]
2.5.1.1 RMF Step 1 – Task 1-1, Security Categorization [L.29.3.a), C.1.8.7]
GSA has categorized all EIS services to be EIS services will
utilize the existing wherever possible.
2.5.1.2 RMF Step 1 – Task 1-2, Information System Description [L.29.3.a), C.1.8.7]
Level 3 is proposing the following services for EIS. Service descriptions are
provided in detail in this Level 3 EIS Technical Volume. Network service boundaries are
the SDPs of the respective network service. (Technical Volume reference sections are
provided in parentheses adjacent to each service bullet item below.)
2 RFP #QTA0015THA3003, Amendment 4, Revisions, Questions, Answers and Clarifications to the EIS RFP, Question # 840, Section C, Section #1.8.7.3
needed they will work with Level 3 to follow the RMF process to secure Authorization
and Accreditation for their underlying services.
2.5.3 RMF Step 3: Implement Security Controls [L.29.3.a), C.1.8.7]
The supporting the Level 3 enterprise services support the
implementation of the services-based risk management framework. Level 3 has
implemented industry- and company-specific security controls in the current operational
environment.
In implementing security controls, Level 3 adheres to the following set of internal
guidelines for each control:
Description: The control’s implementation and how it satisfies the security
requirement are described.
Responsibility: The person(s) responsible for implementing and enforcing the
control solution is named.
Review Policy: The periodicity (daily, weekly, monthly, etc.) for reviewing the
control and its implementation is specified. This information includes the naming
of who conducts the review and what initiates it. The review initiation can be
according to a schedule and/or an event.
Documentation: How reviews are documented, and how implementation and review of
the control are evidenced, is specified. If a published policy is the basis for
the control’s implementation, then that policy is included with the
documentation.
Alignment to NIST SP 800-53 controls will be demonstrated via the Authorization
process.
2.5.4 RMF Step 4: Assess Security Controls [L.29.3.a), C.1.8.7]
Should a service level RMF assessment be required within a given Task Order,
The assessment will ensure the security controls were implemented as
designed and operating as expected prior to initiating EIS Security Authorization and
Accreditation process. The following functional areas will be supported in our
assessment process:
Audit and Assessment:
o
Mitigation and Remediation:
o
Re-assessment:
o
Package Submission:
o
2.5.5 RMF Step 5: Authorize Information System [L.29.3.a), C.1.8.7]
Should a service level authorization be required, Level 3 will follow the EIS
Security Authorization and Accreditation (Security A&A) process, as outlined in
NIST SP 800-37 Revision 1 and GSA IT Security Procedural Guide 06-30, to
obtain a formal Authorization to Operate (ATO) from the Government.
2.5.6 RMF Step 6: Monitor Security Controls [L.29.3.a), C.1.8.7]
Level 3 follows a
. We will report on the
.