
General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS)

Vol. 1 Technical RFP No. QTA0015THA3003 2-1

Use or disclosure of data contained on this page is subject to the restrictions on the title page of this proposal.

2.0 RISK MANAGEMENT FRAMEWORK PLAN [L.29.3.a), C.1.8.7]

2.1 Risk Management Framework (RMF) Approach [L.29.3.a), C.1.8.7]

Level 3 is committed to maintaining the security, confidentiality, integrity, and availability of its networks and services, and of customer data transported therein. Level 3 operates an integrated security architecture managed by several dedicated security groups. They are responsible for identifying and correcting vulnerabilities that affect the commercial and internal networks, associated products and services, and related support systems. Level 3 believes that the early detection and analysis of security threats that could impact the network is critical to consistently assess the security level being provided.

The EIS Service RMF supports the following goals:

For guidance, the Level 3 EIS Service RMF Plan draws upon the following documentation:

Federal Information Security Management Act (FISMA) of 2002; (44 U.S.C. Section 301. Information security).

Federal Information Security Modernization Act of 2014; (to amend Chapter 35 of 44 U.S.C.).

FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems.” Dated February 2004.

FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems.” Dated March 2006.

NIST SP 800-18 Revision 1, “Guide for Developing Security Plans for Federal Information Systems.” Dated February 2006.

NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” Dated September 2012.


NIST SP 800-34 Revision 1, “Contingency Planning Guide for Information Technology Systems.” Dated May 2010.

NIST SP 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach.” Dated February 2010.

NIST SP 800-40 Revision 3, “Guide to Enterprise Patch Management Technologies.” Dated July 2013.

NIST SP 800-47, “Security Guide for Interconnecting Information Technology Systems.” Dated August 2002.

NIST Special Publication 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.” Dated April 2013.

NIST Special Publication 800-53A, Revision 4, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Assessment Plans.” Dated December 2014.

NIST SP 800-60 Revision 1, “Guide for Mapping Types of Information and Information Systems to Security Categories.” Dated August 2008.


NIST SP 800-160, “Systems Security Engineering.” Draft dated May 2014.

NIST SP 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” Dated April 2015.

NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Dated June 2015.

DODI 8510.01, “Risk Management Framework (RMF) for DOD Information Technology (IT).” Dated 12 March 2014.

Led by the Chief Information Security Officer (CISO), the Level 3 Security Compliance organization is responsible for the design, maintenance, and enforcement of the security framework and other security initiatives within Level 3 Communications. As illustrated in Figure 2.1-1, this organization supports the governance of functions described in NIST SP 800-37.


From an EIS services perspective, NIST SP 800-37

organizations. Security Architecture provides a focus for research and development in identifying, investigating, and testing newly discovered security trends, capabilities, and technologies. This group is also responsible for the overall security architecture used to protect the Level 3 systems and infrastructure. The focus of

of

Level 3’s assets and infrastructure as well as the testing and integration of this technology into the logical and physical environment.

management of internally developed systems. The Level 3 procurement organization is also integrated into this layer to ensure that risk management constructs are incorporated into the procurement/supply chain.

Figure 2.1-1. Level 3 Risk Management Approach per NIST SP 800-37 Tiers.

As suggested in Figure 2.1-1, within the EIS services risk management construct, there are multiple Level 3 organizations supporting relative NIST SP 800-37


process to ensure the availability and reliability of network and security applications and services within defined SLAs. These organizations also ensure adherence to all processes in the documentation and implementation of systems. Additionally, Level 3 maintains a

.

, systems, applications, and functions, and to test functional aspects of code used within the infrastructure.

Protection of service infrastructure extends to the physical security of the service environment. Level 3’s

.

In support of informed risk determination, Level 3 has

. Level 3 implements security technology and process controls to measure compliance with risk management practices. The risk determination model is based upon ensuring that security is covered at the following layers:

)

2.2 Systems Development Life Cycle [L.29.3.a), C.1.8.7]

Security requirements for internally developed systems are included during the planning, development, and implementation stages. Level 3 employs an

to ensure processes and systems are fully optimized. From a services perspective, each product/service maintains a systems registry that includes

. Level 3 utilizes a


have access to this system.

2.3 Information System Boundaries [L.29.3.a), C.1.8.7]

Level 3 has developed methods and procedures to protect Government information within a system security boundary that is separate from the information systems that control EIS services. There are in support of EIS:

.

The methods, procedures, and controls implemented within the BSS security boundary protect Government information within the BSS operating environment. All EIS-related Government information is contained within the BSS security boundary.

Government information passed to systems outside of the

is provided in Figure 2.3-1.

Figure 2.3-1. Conceptual Agency Data Protection Schema.


2.4 Security Control Allocation [L.29.3.a), C.1.8.7]

The services-based RMF primarily focuses on the protection within the D/A information transport element of the EIS services. Services-based information system controls are generally not applicable to protection of Government information as this information is obfuscated through methods and procedures contained within the BSS security boundary. Common Controls will be utilized within the systems where possible and applicable.

2.5 The Risk Management Framework Process [L.29.3.a), C.1.8.7]

Level 3 utilized NIST SP 800-37 and internal best practices in the development of this EIS Services RMF Plan document. As a living document, it will be updated throughout the EIS services SDLC. From NIST SP 800-37, the six RMF process steps [1] are represented in Figure 2.5-1.

Figure 2.5-1. Risk Management Framework Process Steps (NIST SP 800-37).

[1] NIST SP 800-37, Figure 2-2 Risk Management Framework


2.5.1 Step 1: Categorize Information System [L.29.3.a), C.1.8.7]

2.5.1.1 RMF Step 1 – Task 1-1, Security Categorization [L.29.3.a), C.1.8.7]

GSA has categorized all EIS services to be EIS services will utilize the existing wherever possible.

2.5.1.2 RMF Step 1 – Task 1-2, Information System Description [L.29.3.a), C.1.8.7]

Level 3 is proposing the following services for EIS. Service descriptions are provided in detail in this Level 3 EIS Technical Volume. Network service boundaries are the SDPs of the respective network service. (Technical Volume reference sections are provided in parentheses adjacent to each service bullet item below):

[2] RFP #QTA0015THA3003, Amendment 4, Revisions, Questions, Answers and Clarifications to the EIS RFP, Question # 840, Section C, Section #1.8.7.3


needed they will work with Level 3 to follow the RMF process to secure Authorization and Accreditation for their underlying services.

2.5.3 RMF Step 3: Implement Security Controls [L.29.3.a), C.1.8.7]

The supporting the Level 3 enterprise services support the implementation of the services-based risk management framework. Level 3 has implemented industry- and company-specific security controls in the current operational environment.

In implementing security controls, Level 3 adheres to the following set of internal guidelines for each control:

Description: The control’s implementation and how it satisfies the security requirement are described.

Responsibility: The person(s) responsible for implementing and enforcing the control solution is named.

Review Policy: The periodicity (daily, weekly, monthly, etc.) for reviewing the control and its implementation is specified. This information includes the naming of who conducts the review and what initiates it. The review initiation can be according to a schedule and/or an event.

Documentation: Specify how reviews are documented and how we prove that the control is implemented and reviewed. If a published policy is the basis for the control’s implementation, then that policy will be included with the documentation.

Alignment to NIST SP 800-53 controls will be demonstrated via the Authorization process.

2.5.4 RMF Step 4: Assess Security Controls [L.29.3.a), C.1.8.7]

Should a service level RMF assessment be required within a given Task Order,

The assessment will ensure the security controls were implemented as designed and operating as expected prior to initiating EIS Security Authorization and


Accreditation process. The following functional areas will be supported in our assessment process:

Audit and Assessment:


Mitigation and Remediation:


Re-assessment:


Package Submission:


2.5.5 RMF Step 5: Authorize Information System [L.29.3.a), C.1.8.7]

Should a service level authorization be required, Level 3 will follow the EIS Security Authorization and Accreditation process to obtain a formal ATO. Level 3 will follow the EIS Security Authorization and Accreditation (Security A&A) process, as outlined in NIST SP 800-37 Revision 1 and GSA IT Security Procedural Guide 06-30, to obtain a formal ATO from the Government.

2.5.6 RMF Step 6: Monitor Security Controls [L.29.3.a), C.1.8.7]

Level 3 follows a

. We will report on the

.
