3. SECURITY PROGRAM
3.1 Program Management Controls (PM)
National Institute of Standards and Technology (NIST) 800-53 Program Management (PM) family of security controls focuses on information security requirements that are independent of any particular information system and are essential for managing information security programs.
Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.
Policy: OPM shall establish and maintain a robust, cost-effective security program that incorporates the security controls specified herein, and shall develop OPM-wide security controls to enhance both the Federal and OPM-specific security controls to ensure the confidentiality, integrity, and availability of OPM information systems, networks, and data, in accordance with federal policies, standards, procedures, and guidance.
The OPM Information Security and Privacy Policy (ISPP) shall serve as the foundation for the OPM security program. Policy shall be adjusted (at least every two years) and shall be related to the risk of the agency and/or business units not being able to perform their functions. OPM shall develop an organization-wide information security program plan to supplement individual security plans developed for each information system.
3.1.1 Information Security Program Plan (PM-1)
The information security program plan can be represented in a single document or compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together, provide a complete coverage for all security controls employed within the organization.
Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
The policies under this family are implemented with the OPM-wide Program Management Procedure. Program management procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.
3.1.2 Senior Information Security Officer (PM-2)
The Chief Information Security Officer (CISO) is the information security official for a federal agency, as defined in applicable federal laws, Executive Orders, directives, policies or regulations. Organizations often refer to this organizational official as the Senior Information Security Officer or Senior Agency Information Security Officer (SAISO).
OPM shall appoint a CISO with the mission and resources to coordinate, develop, implement, and maintain an OPM-wide information security program.
The Chief of IT Security and Privacy (ITSP) shall assume the role and responsibilities of OPM's CISO.
3.1.3 Information Security Resources (PM-3)
Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process.
OPM shall:
• Ensure all capital planning and investment requests include the resources needed to implement the information security program, and document all exceptions to this requirement;
• Consider a business case/Exhibit 300/Exhibit 53 to record the resources required (to include information technology and security); and
• Ensure information security resources are available for expenditure as planned.
In coordination with the Office of the Chief Information Officer, System Owners (SO) shall integrate and explicitly identify funding for information security technologies and programs into IT investment and budgeting plans. OPM General Support Systems (GSS) and Major Applications (MA) shall be mapped to an Exhibit 300 and/or Exhibit 53, and shall have appropriate security budgeting and justification.
National Institute of Standards and Technology (NIST) Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, provides a systematic approach to selecting, managing, and evaluating IT security investments.
3.1.4 Plan of Action and Milestones Process (PM-4)
The Plan of Action and Milestones (POA&Ms) is a key document in the information security program and is subject to federal reporting requirements established by the Office of Management and Budget (OMB). The POA&Ms updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
OMB Federal Information Security Management Act (FISMA) reporting guidance contains instructions regarding organizational POA&Ms.
OPM shall implement a process for ensuring that POA&Ms for the security program and the associated organizational information systems are maintained and that OPM is documenting the remedial information security actions to mitigate risk to OPM operations and assets, individuals, other organizations, and the Nation.
Remedial information security actions (i.e., corrective actions) shall include:
• All recommendations from external audits, reviews, or evaluations (e.g., GAO, OIG, or Departmental compliance and assistance review reports);
• Actions to mitigate significant vulnerabilities found in periodic testing that the SO or Authorizing Official (AO) deems necessary to report; and
• Actions to correct deficiencies found in self-assessments.
3.1.5 Information System Inventory (PM-5)
This control addresses the inventory requirements in Federal Information Security Management Act (FISMA). OMB provides guidance on developing information systems inventories and associated reporting requirements.
OPM shall develop and maintain an inventory of its FISMA information systems.
FISMA (through 44 USC 3505) requires that agencies maintain an inventory of “major information systems”, to include major national security systems. Major Applications (MA) are all defined to be major information systems. Additionally, some General Support Systems (GSS) are major information systems. These typically include platforms and other infrastructural elements. FISMA also requires that the inventory include an identification of the interfaces between each such system and all other systems and networks, including those not operated by or under the control of the agency. The inventory shall be updated at least annually.
The key distinction between “major” and “non-major/minor” systems is the degree of attention to security required: “special attention” and “attention,” respectively. To add further clarity to this distinction, it is OPM policy that systems shall be considered “major information systems” if they meet one of the following criteria:
• Systems with a FIPS 199 security categorization level of Moderate and High based on the following criteria;
• Information contained, processed, stored, or transmitted requires special protection, or the information system is critical to the agency's mission.
• Any system that is called out in a major CPIC (Capital Planning and Investment Control) investment.
• Any system that is comprised of (or contains) an OPM-designated Critical Infrastructure Protection asset.
Minor systems may be included in the inventory as part of a MA or GSS when considered part of the security authorization boundary, and not listed separately. Note that the business owner of the minor system must be consulted and agree to whether the system will be assessed separately or not. Whether in a stand-alone Security Authorization or as a component of a major system Security Authorization, the security controls in a minor application must still be described and tested. Candidates for systems that can be included as part of a larger system Authorization are systems with a FIPS-199 categorization of LOW. ITSP provides consultation as part of the OPM System Registration process, and can help determine the appropriate handling of information systems as they relate to the OPM System Inventory and Authorization.
An “information system” is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
A “major information system” is an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
• A "major application" is an application that requires special attention to security due to the risk and magnitude resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
• A "general support system" is considered a major information system when special management attention is required, there are high development, operating, or maintenance costs, and the system/information has a significant role in the administration of agency programs.
A "minor application" is an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
FISMA and Reporting of Contractor Systems
FISMA requires Federal agencies to be responsible for security of “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” FISMA requirements apply to Federal information as well as Federal information systems.
OMB clarifying guidance states that FISMA requirements may apply to contractors, grantees, State and local governments, industry partners, and others…and that Agencies must develop policies for information security oversight of users with privileged access to Federal data.
OMB’s guidance promulgates the FISMA requirements to provide security protections “...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency."
To implement these requirements, the following definition of contractor systems under FISMA will apply:
A system is considered a FISMA reportable contractor system when it is operated by an external (i.e., non-OPM) organization (e.g., contractor, grantee, State or local government, industry partner, fiscal agent, other Federal agency) that collects, processes, or handles OPM-owned information on behalf of OPM; and
A system or application that is being run by another Federal agency exclusively for OPM would be reported as part of OPM’s inventory. In the case where OPM, along with other organizations, is using another agency for services (e.g., payroll processing) the system would not be reported as an OPM system since it would be reported under the FISMA reporting chain by the agency providing the service.
Examples of systems operated by external organizations that are FISMA reportable include:
• Outsourced systems, network operations, telecommunications services;
• Government Owned, Contractor Operated (GOCO) systems; or
• Major applications or general support systems operated by external organizations under contracts to support OPM’s mission.
Per OMB guidance, in most cases “incidental systems” are not reportable to FISMA. OMB provides the following example of incidental systems:
• Corporate human resource or financial management systems acquired by an external organization solely to assist managing corporate resources assigned to a government contract provided the system does not use OPM information or interconnect with OPM’s network infrastructure.
3.1.6 Information Security Measures of Performance (PM-6)
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program.
OPM shall develop, monitor, and report on the results of information security measures of performance.
3.1.7 Enterprise Architecture (PM-7)
Enterprise architecture implemented by an organization must align with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization’s enterprise architecture helps to ensure that security considerations are addressed by organizations early in the system development life cycle. Security requirements and control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures.
OPM shall develop enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
The OPM Enterprise Architecture is guided by the Federal Enterprise Architecture Framework (FEAF) for the integration of business and technology. The FEAF incorporates the use of several associated OMB reference models. These models are included as a process of the IT Governance Process. The OMB Federal Enterprise Architecture Framework reference models are as follows:
• The Performance Reference Model (PRM), which is a standard to measure the performance of major IT investments.
• The Technical Reference Model (TRM), which is used to identify the standards, specifications, and technologies that support and enable the delivery of service.
• The Business Reference Model (BRM), which describes the business operations of the Federal Government.
• The Service Component Reference Model (SRM), which classifies service programs/processes with respect to how they support business and/or performance objectives.
3.1.8 Critical Infrastructure Plan (PM-8)
Presidential Decision Directive (PDD) 63, "Critical Infrastructure Protection", Homeland Security Presidential Directive (HSPD)-7 "Critical Infrastructure Identification, Prioritization, and Protection", HSPD-8 "National Preparedness", and Executive Order (EO) 13231 "Critical Infrastructure Protection in the Information Age" require Federal Departments and agencies to identify, prioritize, and coordinate the protection of CI/KR (Critical Infrastructure / Key Resource) systems to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them. Federal departments and agencies are required to work with state and local governments as well as the private sector to accomplish this objective.
Critical Infrastructure means "systems and assets, whether physical or virtual, so vital to the United States the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The term "key resources" means "publicly or privately controlled resources essential to the minimal operations of the economy and government."
OPM shall address information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
3.1.9 Risk Management Strategy (PM-9)
An organization-wide risk management strategy includes an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The use of a Risk Executive Function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.
OPM shall:
• Develop a comprehensive strategy to manage risk to OPM operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
• Implement that strategy consistently across the organization.
OPM follows the NIST Risk Management Framework (RMF). In addition to supporting the authorization of information systems, the RMF tasks support the selection, development, implementation, assessment, authorization, and ongoing monitoring of common controls inherited by organizational information systems. This approach recognizes the importance of security control effectiveness within information systems and the infrastructure supporting those systems.
OPM has also established a Risk Executive Function to manage enterprise risk.
3.1.10 Security Authorization Process (PM-10)
The security authorization process for information systems requires the implementation of the Risk Management Framework and the employment of associated security standards and guidelines. Specific roles within the risk management process include a designated Authorizing Official (AO) for each organizational information system. Authorization is the official management decision given by an agency executive to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
OPM shall:
• Manage (e.g., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
• Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
• Integrate fully the security authorization processes into an organization-wide risk management program.
All OPM General Support Systems (GSS) and Major Applications (MA) shall undergo a Security Assessment and Authorization prior to processing any OPM information that has security considerations due to its confidentiality, integrity, or availability requirements.
Security authorization shall be updated at least every three (3) years or when there is a significant change to the system. Information system security controls shall be continuously monitored and assessed annually to ensure continued effectiveness. All information system security controls shall be assessed for authorization; a subset of security controls shall be assessed as part of continuous monitoring.
Examples of changes that may require re-authorization are:
• Installation of a new or upgraded operating system, middleware component, or application;
• Modifications to system ports, protocols, or services;
• Installation of a new or upgraded hardware platform or firmware component;
• Modifications to cryptographic modules or services;
• Connections added to information systems outside the accreditation boundary;
• Changes or enhancements to system functionality that affect its mission criticality, information types, user base, or classification of data supported by the information system; and/or
• Security incident(s) that result in significant changes to the information system.
3.1.11 Mission/Business Process Definition (PM-11)
Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (e.g., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization’s information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations.
OPM shall:
• Define mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
• Determine information protection needs arising from the defined mission/business processes and revise the processes as necessary, until an achievable set of protection needs is obtained.
3.1.12 Use of Information Technology Resources
Everyone who uses, manages, operates, maintains, or develops OPM applications or data wherever they reside (referred to as “OPM users”) must comply with OPM’s Information Security and Privacy Policy, unless a specific waiver is obtained from the Chief Information Officer (CIO) or the CISO in accordance with the waiver process in Chapter 1. The Information Security and Privacy Policy also applies to all contractors acting on behalf of OPM and to non-OPM organizations or their representatives who are granted authorized access to non-OPM information and information systems. Finally, this policy applies to other agencies’ systems as delineated in memorandums of understanding (MOUs) and interconnection security agreements (ISAs) with OPM.
The implementation standards in this policy and its references and attachments apply to all OPM information and information technology (IT) resources. OPM information includes data that is owned, sent, received, or processed by the agency and includes information in either physical or