This document implements OPM’s
requirements for the protection of
information and information systems.
Chief Information Officer
March 31, 2011
Table of Contents
1. INTRODUCTION ... 4
1.1 Purpose ... 4
1.2 Scope and Applicability... 4
1.3 Compliance, Enforcement, and Exceptions ... 5
1.4 Document Organization ... 6
1.5 Maintenance of the Official Version ... 7
1.6 Legal Authority... 7
2. ROLE and RESPONSIBILITIES ... 8
2.1 OPM Director ... 8
2.2 Chief Information Officer (CIO) ... 8
2.3 Deputy Chief Information Officer (DCIO) ... 9
2.4 Chief Privacy Officer (CPO) ... 9
2.5 Chief Information Security Officer (CISO) ... 9
2.6 Information Systems Security Manager (ISSM) ... 10
2.7 Chief of Enterprise Architecture ... 11
2.8 Risk Executive (function) ... 11
2.9 Information Technology Security Working Group (ITSWG) ... 12
2.10 Privacy Program Manager ... 12
2.11 Authorizing Official (AO) ... 12
2.12 Information Owners... 13
2.13 System Owner (SO)... 13
2.14 Information System Security Officer (ISSO)... 14
2.15 Designated Security Officers (DSOs)... 14
2.16 Network Managers... 16
2.17 Data Center Managers... 16
2.18 Software Development Managers... 17
2.19 Database Managers... 17
2.20 Security Control Assessor... 17
2.21 OPM Managers and Supervisors... 18
2.22 Physical Security Manager ... 18
2.23 Facility Manager ... 19
2.24 OIG Role... 19
2.25 Contracting Officers and Procurement Officers ... 20
2.26 Contracting Officer's Technical Representative (COTR)... 20
2.27 OPM Users (Internal and External)... 20
3. SECURITY PROGRAM ... 22
3.1 Program Management Controls (PM) ... 23
4. PRIVACY PROGRAM ... 36
4.1 Privacy Framework ... 37
4.2 PII Handling Requirements ... 39
4.3 Privacy Compliance ... 40
4.4 Education and Awareness ... 43
4.5 Privacy Complaints ... 43
5. MANAGEMENT CONTROLS... 45
5.1 Planning (PL) ... 45
5.2 Security Assessment and Authorization (CA) ... 49
5.3 Risk Assessment (RA) ... 56
5.4 System and Services Acquisition (SA)... 60
6. OPERATIONAL CONTROLS... 67
6.1 Security Awareness and Training (AT) ... 67
6.2 CONFIGURATION MANAGEMENT (CM) ... 70
6.3 Contingency Planning (CP)... 78
6.4 Incident Response (IR) ... 84
6.5 Maintenance (MA)... 88
6.6 Media protection (MP)... 91
6.7 Physical and Environmental (PE)... 94
6.8 Personnel Security (PS)... 101
6.9 System and Information Integrity (SI)... 103
7. TECHNICAL CONTROLS ... 111
7.1 Access Controls (AC)... 111
7.2 Audit and Accountability (AU) ... 123
7.3 Identification and Authentication (IA) ... 128
7.4 System and Communications Protection (SC)... 135
APPENDIX A: ACRONYMS ... 144
APPENDIX B: GLOSSARY ... 146
APPENDIX C: REFERENCES... 163
APPENDIX D: WAIVER REQUEST FORM ... 167
APPENDIX E: RISK ACCEPTANCE MEMORANDUM... 170
APPENDIX F: RULES OF BEHAVIOR... 175
APPENDIX G: SAMPLE CONTRACT CLAUSE ... 177
APPENDIX H: OPM DEFINED SECURITY CONTROL PARAMETERS ... 185
Version Number / Version Date / Revision Summary
0.1 / March 4, 2011 / Draft ISPP - Document was revised in its entirety to clarify OPM’s information security and privacy policies and roles and responsibilities, and to implement NIST SP 800-53 (Rev. 3) security controls.
0.2 / March 14, 2011 / Internal ITSP review and revisions. Entire document.
0.3 / March 31, 2011 / Adjust procedure review frequency from two-years to one-year.
A Message from the Chief Information Officer (CIO)
Meeting Security Requirements
Information security is a critical issue for all of us at the Office of Personnel Management (OPM). We are highly dependent on information resources to store, process, and transmit information while maintaining its confidentiality, integrity, and availability. OPM is required by law to ensure the security of information assets and the technology that is used to process them. Rapid advances in information systems require an increased awareness in the selection and application of appropriate security safeguards.
All users of OPM information resources should utilize this ISPP as guidance for the implementation of information security. It offers safeguards to protect the resources and the information that we rely on to carry out our important work.
Office of Personnel Management (OPM) Directive
OPM Directive Subject: Information Security and Privacy Number:
Original Issue Date: 3/31/2011 Date Last Reviewed: 3/31/2011
Scope This directive applies to all organizational units within OPM and is to be applied when information systems are used to accomplish the mission of OPM.
Policy It is the policy of OPM to establish and manage an Information Security and Privacy Program. This ISPP provides uniform policies to be followed by all users of OPM information resources.
Authorities
a. Public Law 93-579, Privacy Act of 1974, dated September 27, 1975;
b. Public Law 107-347, E-Government Act of 2002, which contains the Federal Information Security Management Act (FISMA), signed by the President on December 17, 2002.
References
a. Office of Management and Budget (OMB) Circular A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Systems, dated February 8, 1996;
b. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, dated September 1996;
c. NIST Special Publication 800-16, Information Technology Security Training Requirements, dated April 1998;
d. NIST Special Publication 800-18, Rev. 1, Guide For Developing Security Plans For Information Technology Systems, dated February 2006;
e. NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, dated October 2003;
f. NIST Special Publication 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems, dated August 2009;
g. NIST Special Publication 800-61, Computer Security Incident Handling Guide, dated January 2004; and
h. NIST Federal Information Processing Standards (FIPS).
a. The OPM Chief Information Officer (CIO) shall designate an employee to serve as the Chief Information Security Officer (CISO). The CISO is responsible for formulating and directing the IT Security and Privacy Program for OPM, and subsequently, the creation of the ISPP.
b. The CIO, CISO, System Owners (SO), Information System Security Officers (ISSO), and Designated Security Officers (DSO) of the various OPM Offices shall:
(1) Implement the policies and procedures set forth in the ISPP; and
(2) Submit any new or revised regulations, forms, handbooks, or other publications, which are pertinent to or impact the Information Security and Privacy Program, to the CISO or the CIO for review and approval prior to publication.
Office of Primary Interest: Chief Information Officer
E. Perry, Chief Information Officer
1. INTRODUCTION
1.1 Purpose
Efficient and effective security requires roles, policies, and processes to be clearly defined and understood by everyone. An information security policy is the primary building block for every information security effort. Policies establish both direction and management support. The security and policy programs support the Office of Personnel Management's (OPM) mission by protecting its employees, reputation, legal position, and physical and financial resources through the selection and application of appropriate requirements and policies.
The OPM Information Technology (IT) Security Program is charged with ensuring three core principles:
• Confidentiality ensures OPM information is protected from unauthorized disclosure.
• Integrity ensures OPM information is protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to:
  • Authenticity – The verification of the identity of a user, user device, or the data being stored, transmitted, or otherwise exposed to possible unauthorized modification in an information system, or the establishment of the validity of a transmitted message.
  • Non-repudiation – Assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can deny processing the data.
  • Accountability – Property that enables the tracing of system activities to their sources, who may then be held responsible for such activities. Auditing is a primary means of establishing accountability.
• Availability ensures OPM information resources (system or data) are accessible on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring resources are used only for intended purposes.
1.2 Scope and Applicability
The policies in this document, and its references and attachments, apply to all OPM information resources. OPM information includes data that is owned, sent, received, or processed by the agency and includes information in either physical or digital form. OPM information resources include OPM hardware, software, media, and facilities.
Everyone who uses, manages, operates, maintains, or develops OPM applications or data
Enforcement: The CIO is responsible for continually reviewing the status of OPM's Information Security and Privacy Programs by monitoring:
• The effectiveness of security and privacy control measures;
• Compliance with existing policies, procedures, standards, and guidelines; and
• User awareness of information security and privacy.
Violations of the policy contained in the ISPP may result in the loss or limitation of access to OPM information systems and information. Anyone who violates the policy may face administrative action ranging from counseling to removal from OPM, as well as criminal penalties or financial liability, depending on the severity of the misuse.
OPM employees and contractors are subject to penalties established by the Privacy Act of 1974. Certain penalties apply to the misuse or unauthorized disclosure of personally identifiable information. The Act (5 U.S.C. 552a (g)) provides for civil remedies for injured parties, including actual damages, attorney fees, and litigation costs.
A policy violation is an infringement or nonobservance of OPM policy. If a policy violation is suspected, OPM employees shall report it to their OPM supervisor, manager, associate director, or office director, as appropriate. Contractors shall report suspected violations to their contracting officer’s technical representative and the System Owner. The following preemptive actions must be taken to isolate the suspected violators and systems to prevent additional risk to OPM:
• The suspected violator’s group lead shall notify the OPM (Department) for additional guidance;
• Management shall be responsible for any disciplinary actions;
• The CIO shall be responsible for any technical actions; and
• The CIO shall restrict access to OPM information systems until the violator proves, to the satisfaction of the CIO, that the issue is resolved and there is no future risk.
Exceptions: Policy waivers are approved deviations from a policy requirement that are only allowed when adherence to the policy is not feasible. Only the CIO or the CISO may approve a waiver to the ISPP. Waivers will be reviewed on a case-by-case basis. Attachment D contains a formal three-page waiver request form, which must be submitted by the System Owner (SO), Information System Security Officer (ISSO), Designated Security Officer (DSO), or OPM user for consideration and approval by the CISO or CIO. Each waiver must be submitted with a compelling business case justification and risk assessment.
OPM users are responsible for using the current official version of the ISPP posted on the OPM Intranet. OPM leadership will hold users responsible for adhering to the policies and standards in the current official version.
1.4 Document Organization
Office of Personnel Management has organized this policy to address information security and privacy as follows:
Chapter 1. Contains OPM’s overarching policy statement on information security and privacy. The scope and applicability is outlined revealing who the policy applies to and what resources the policy encompasses. Compliance, enforcement and exceptions of the policy are discussed, including OPM expectations regarding these issues.
Chapter 2. Provides a general overview of security and privacy responsibilities for everyone (referred to as “OPM users”) who uses, manages, operates, maintains, or develops OPM applications or data, based on specific job functions. Refer to Chapter 2 for details regarding specific roles and responsibilities. Some OPM users may have additional security and privacy responsibilities based on their job function.
Chapter 3. Provides OPM Information Security Program policy. The program provides enterprise-wide checks and balances to ensure information security efforts are maximized, and the three core principles of Confidentiality, Integrity, and Availability are sufficiently addressed for OPM.
Chapter 4. Provides OPM Privacy Program policy. The program provides direction for handling and protection of information subject to the Privacy Act.
Chapter 5. Provides OPM Management Controls policy. Management controls are security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Chapter 6. Provides OPM Operational Controls policy. Operational controls are the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
Chapter 7. Provides OPM Technical Controls policy. Technical controls are security controls (i.e., safeguards or countermeasures) that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Appendices. Contain applicable acronyms; glossary of key terms; references to applicable laws, guidance, etc.; standard forms and templates; OPM defined National Institute of Standards and Technology (NIST) control parameters; etc.
1.5 Maintenance of the Official Version
When document revisions are formally approved, the IT Security and Privacy Group (ITSP) will issue a new version or an amendment to the ISPP and post it to the OPM Intranet. If a change is not substantive but minor, policy can be changed by the CISO with approval from the CIO, without going through the standard approval process.
1.6 Legal Authority
OPM developed the ISPP to comply with applicable laws and directives related to information security and privacy. This policy document acquires its legal authority from the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the E-Government Act of 2002, the Paperwork Reduction Act, the Clinger-Cohen Act of 1996, and all relevant National Institute of Standards and Technology (NIST) standards, regulations in the Code of Federal Regulations (CFR), and Office of Management and Budget (OMB) memorandums, circulars, and directives.
2. ROLE AND RESPONSIBILITIES
All Office of Personnel Management (OPM) users have information security and privacy responsibilities. The key roles and responsibilities for carrying out this policy are outlined below.
2.1 OPM Director
The Clinger-Cohen Act assigns to the agency head the responsibility for ensuring “the information security policies, procedures, and practices of the executive agency are adequate.” The OPM Director shall:
• Provide information security protections commensurate with the risk and magnitude of the harm that would result from the misuse of the agency’s information resources, whether intentional or unintentional;
• Ensure that an information security and privacy program shall be developed, documented, and implemented;
• Ensure that senior OPM officials within the organization shall be given the necessary authority to secure the operations and assets under their control and meet their
responsibilities under security and privacy statutes and regulations;
• Designate a Chief Information Officer (CIO) and delegate authority to that individual to ensure compliance with applicable information security and privacy requirements;
• Ensure that the CIO, in coordination with other OPM officials, shall report as required by law and regulation on the effectiveness of OPM’s information security and privacy program, including progress on remedial actions;
• Designate a Chief Privacy Officer (CPO) to ensure compliance with applicable privacy requirements; and
• Ensure that OPM shall train personnel to support compliance with information security and privacy policies, processes, standards, and guidelines.
2.2 Chief Information Officer (CIO)
The OPM CIO shall lead the development, management, operations, and support of the
information technology (IT) infrastructure, with the assistance of the managers and staff in the Office of Chief Information Officer (OCIO). The CIO shall be responsible for establishing and maintaining the information security and privacy program at OPM and serves as the Chief Privacy Officer (also known as the OPM Senior Agency Official for Privacy). The CIO shall:
• Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
• Report as required by law and regulation to the OPM Director on the effectiveness of OPM’s information security and privacy program, including progress on remedial actions;
• Ensure compliance with information security- and privacy-related federal laws and regulations, as well as other Government-wide policies, mandates, and directives;
• Oversee the security of OPM’s information resources, which shall include the security authorization of general support systems such as the network and mainframe platforms;
• Ensure the continuity of support to mission-critical systems and operations;
• Ensure the timely review and resolution of information security and privacy issues;
• Ensure implementation of the management, operational, and technical information security controls assigned to the CIO;
• Designate a Chief Information Security Officer (CISO) and a Privacy Program Manager;
• Review and sign Privacy Impact Assessments (PIA), which shall be in accordance with the OPM PIA Guide;
• Promote and support information security and privacy training for general users and those with significant information security or privacy responsibilities; and
• Monitor the activities of the OPM-wide Information Technology Security Working Group (ITSWG).
2.3 Deputy Chief Information Officer (DCIO)
The Deputy Chief Information Officer (DCIO) shall provide assistance and support in fulfilling the duties of the CIO. The DCIO shall:
• Assist the CIO in ensuring the timely review and resolution of information security and privacy issues;
• Assist the CIO in ensuring implementation of the management, operational, and technical information security controls assigned to the CIO; and
• Ensure the continuity of support to mission-critical systems and operations.
2.4 Chief Privacy Officer (CPO)
The OPM Chief Privacy Officer (CPO) shall be responsible for privacy compliance across the agency, including privacy compliance measures that apply to information security assets and activities. The CPO shall:
• Develop, promote, and support OPM’s privacy program;
• Review and implement new and modified privacy policies;
• Represent OPM on interagency workgroups and initiatives involving privacy issues; and
• Review and evaluate OPM’s PIA. The OPM Privacy Impact Assessment Guide provides additional information on conducting and completing a PIA.
2.5 Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) is designated by the CIO. The CISO serves as the CIO’s primary information security adviser, and guides the information security activities of OPM’s Authorizing Officials (AO), SOs, and Designated Security Officers (DSO). The CISO shall:
• Head the Information Technology Security and Privacy office with the mission and resources to assist in ensuring agency compliance with information security requirements;
• Periodically assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
• Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements;
• Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
• Ensure that agency personnel, including contractors, receive appropriate information security awareness training;
• Train and oversee personnel with significant responsibilities for information security with respect to such responsibilities;
• Periodically test and evaluate the effectiveness of information security policies, procedures, and practices;
• Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Develop and implement procedures for detecting, reporting, and responding to security incidents;
• Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency;
• Support the agency CIO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;
• Conduct/coordinate information security audits at OPM and contractor facilities; and
• Chair OPM’s IT Security Working Group (ITSWG) and serve as secretariat.
2.6 Information Systems Security Manager (ISSM)
The Information Systems Security Manager (ISSM) is responsible for providing assistance and support to the CISO in managing the OPM information security program, with a strong focus on supporting the implementation of appropriate security controls spelled out in the provisions of applicable information security statutes and regulations. The ISSM shall:
• Assist the CISO in the implementation and enforcement of OPM’s information security and privacy policies and procedures;
• Coordinate the development of Security Assessment and Authorization documentation. Additional information may be found in OPM’s Security Assessment and Authorization Procedure;
• Coordinate a standard Security Assessment and Authorization process that shall be used throughout the agency, provide internal Security Assessment and Authorization guidance or policy, and review security authorization packages prior to CIO review;
• Coordinate the preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support OPM’s operations and assets;
• Coordinate the development, update, and release of appropriate information security awareness training; and
• Coordinate necessary information requested for internal and external reviews and inspections to ensure compliance with established policies and procedures.
2.7 Chief of Enterprise Architecture
The Chief of Enterprise Architecture is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. Enterprise Architecture is the description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
2.8 Risk Executive (function)
The Risk Executive (function) is performed by a team which is comprised of the CISO, Deputy CIO, Chief of Enterprise Architecture, and Chief of Quality Assurance. The Risk Executive (function) has inherent U.S. Government authority and is assigned to government personnel only. The Risk Executive (function) shall:
• Provide a comprehensive, holistic approach for addressing risk throughout OPM; an approach that provides a greater understanding of the integrated operations of OPM;
• Provide an OPM forum to consider all sources of risk (including aggregated risk) to OPM operations and assets, individuals, other organizations, and the Nation; and
• Ensure that the shared responsibility for supporting OPM mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.
2.9 Information Technology Security Working Group (ITSWG)
The Information Technology Security Working Group (ITSWG) oversees OPM compliance with information security mandates and OPM information security-related policies. It provides input to program office and OPM-wide planning efforts and approaches in response to emerging information security and privacy issues. Responsibilities of the ITSWG are described in the ITSWG Charter.
2.10 Privacy Program Manager
The Privacy Program Manager is responsible for overseeing the OPM privacy program, with a strong focus on protecting Personally Identifiable Information (PII) and implementing the provisions of privacy statutes and regulations. The Privacy Program Manager shall:
• Develop program plans for addressing privacy-related laws and regulations at OPM and manage implementation of the plans;
• Develop and maintain an OPM-wide information security and privacy program, including the policies, procedures, and control techniques required;
• Evolve the privacy program and address new and changing privacy policies and standards;
• Identify trends and recommend to the CISO actions to address organizational, privacy-related weaknesses identified through privacy audits and privacy-related assessments such as PIAs;
• Advise the CIO, CISO and OPM program offices on the implications and requirements of privacy-related statutes and regulations;
• Review PIAs and recommend action to the CIO (see OPM’s PIA Guide for more information);
• Develop OPM-wide related communications and training, and coordinate their delivery;
• Serve as secretariat to OPM’s privacy-related action teams; and
• Track actual or suspected losses of or unauthorized access to PII, and follow up on remediation efforts, and prepare reports as requested.
2.11 Authorizing Official (AO)
The Authorizing Official (AO) is an executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. The role of an AO has inherent U.S. Government authority and is assigned to government personnel only. Only an executive can accept risk. Risk justification must be supported with a compelling business case. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple AOs. The AO shall:
• Have budgetary oversight for an information system or be responsible for the mission and/or business operations supported by the system;
• Review Security Assessment and Authorization documentation and discuss concerns with the CISO as necessary;
• Deny authorization to operate an information system or if the system is operational, halt operations, if unacceptable risks exist;
• Coordinate their activities with the CISO, System Owner (SO), Information System Security Officers (ISSO), Security Control Assessors, and other interested parties during the security authorization process;
• Establish agreements among AOs, if there are multiple AOs, and document them in the SSP; and
• Be responsible for ensuring all activities and functions delegated to Authorizing Official Designated Representatives are carried out.
2.12 Information Owners
Information Owners are responsible for the security of the information they own that resides within an OPM system. Information owners are responsible for coordinating with the SO to establish controls regarding the generation, collection, processing, dissemination, and disposal of information residing on an OPM system. Information Owners shall:
• Establish rules for appropriate use and protection of OPM information;
• Safeguard all PII that OPM owns, sends, receives, or processes;
• Provide input to SOs regarding security requirements for the information systems where the information resides; and
• Determine who should have access, what privileges, and the level of access to the information.
2.13 System Owner (SO)
The System Owner is the official responsible for the overall security, procurement, development, integration, modification, or operation and maintenance of an information system. The SO shall:
• Categorize the information system according to the potential impact to OPM of a breach of confidentiality, integrity, or availability;
• Ensure the implementation of the security controls appropriate to the risk rating established through the categorization process for the system;
• Identify and evaluate security risks and vulnerabilities and establish risk mitigation plans;
• Approve System Security Plans (SSPs), review Memorandums of Agreement or Understanding (MOA/U) and Plans of Action and Milestones (POA&Ms), and determine whether significant changes in the information systems or environments of operation require reauthorization;
• Ensure the management, operational and technical information security controls are implemented and operating as intended for all of their information systems;
• Ensure system users and support personnel receive the requisite security and privacy training;
• Ensure that DSOs are identified and provide security-related support;
• Ensure that program office senior management is aware of the resources required to assess and authorize information systems allowing appropriate work plans and budgets to be developed;
• Ensure appropriate staff (system administrators, technical developers, and other staff) are assigned to coordinate with the DSO in developing Security Assessment and Authorization documentation (see OPM’s Security Assessment and Authorization Procedure for more information);
• Provide necessary system-related documentation to the CISO;
• Take appropriate steps to reduce or eliminate system vulnerabilities identified in the Security Assessment and Authorization process;
• Ensure PIAs are conducted on all systems before implementation or enhancement, in accordance with OPM’s Privacy Impact Assessment Guide;
• Review acquisition documentation to ensure adequate and cost-effective security measures and safeguards are included; and
• Ensure all contracts for IT services, both software and hardware, include clauses incorporating OPM’s System Security Plan (SSP) and related references.
2.14 Information System Security Officer (ISSO)
The Information System Security Officer has the detailed knowledge and expertise required to manage the security aspects of an information system and is assigned responsibility for the day-to-day security operations of a system. The ISSO shall:
• Ensure that the appropriate operational security posture is maintained for an information system and as such, works in close collaboration with the SO;
• Serve as a principal advisor on all matters, technical and otherwise, involving the security of an information system;
• Ensure physical and environmental protection, personnel security, incident handling, and security training and awareness;
• Assist in the development of security policies and procedures and ensure compliance with those policies and procedures; and
• Monitor a system and its environment of operation, in close coordination with the SO. This includes developing and updating the SSP, managing and controlling changes to the system, and assessing the security impact of those changes.
2.15 Designated Security Officers (DSOs)
The Designated Security Officer (DSO) is appointed by an OPM Program Office or Department to represent the interests of the program office or department in carrying out the security
• Work closely with the CISO, ISSO, and appropriate staff in the program offices to protect information resources from misuse, whether intentional or unintentional. This effort will involve reviewing, evaluating, and recommending appropriate information security and privacy measures along with safeguards;
• Conduct periodic security reviews of system facilities to ensure safeguards are commensurate with the system information being stored, processed, or transmitted;
• Update system security documentation and work with the SO and ISSO to assess the security impact of any information system changes;
• Coordinate with the Software Development Managers and ensure security requirements and issues are addressed consistent with this policy;
• Assist the CISO, Information Systems Security Manager, and ISSO in the identification, implementation, and assessment of common security controls;
• Ensure the implementation of any modifications necessary and correct security control deficiencies found during security assessment testing;
• Advise users of the security features and procedures to be used for information systems;
• Establish access control criteria and administrative procedures consistent with OPM
• Review and approve new user accounts for system and network access after obtaining supervisor or management approval;
• Ensure the development and timely completion of reports to security and privacy including those related to POA&Ms, system inventory, security controls testing and monitoring, contingency plan testing etc.;
• Ensure all actual and suspected security incidents and breaches of PII are reported to the OPM Situation Room (SitRoom);
• Assist in the investigation of actual or suspected security incidents and breaches of PII as appropriate;
• Participate in internal/external reviews, inspections, and audits to ensure compliance with federal laws and OPM policy;
• Review acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
• Develop and maintain (with the assistance of the CISO) an annually verified list of systems requiring security authorization;
• Coordinate the Security Assessment and Authorization process for program office systems (See OPM’s Security Assessment and Authorization Procedure for more information.); and
2.16 Network Managers
The Network Manager of any network that handles OPM applications or data, wherever the network resides, provides in-depth technical information security support for OPM’s infrastructure. The Network Manager shall:
hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
• Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
• Manage or oversee incident reporting activities relevant to OPM information as appropriate, which may include service as the point of contact for the United States Computer Emergency Readiness Team (US-CERT). This responsibility is shared with the CISO; and
• Assist in the investigation of actual and suspected security incidents and breaches of PII as appropriate.
2.17 Data Center Managers
The Data Center Manager of any facility that handles OPM applications or data, wherever the data center resides, provides information security protection for OPM’s data. The Data Center Manager shall:
• Plan and manage day-to-day security-related activities and install and operate the appropriate hardware and software needed to safeguard and protect information resources from misuse, whether intentional or unintentional;
• Formulate, test, and maintain contingency and Disaster Recovery Procedures and Plans;
• Work closely with the CISO, Information Systems Security Manager, Privacy Program Manager, and DSO, as appropriate, to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
• Review other acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement;
• Ensure regular backups of data, software, applications, and information; and
• Report any actual or suspected breaches of PII to the OPM Situation Room (SitRoom), in accordance with the reporting procedures on the Privacy Web pages on the OPM Intranet.
2.18 Software Development Managers
The Software Development Manager provides software development security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM’s development environment. The Software Development Manager shall:
• Plan, direct, and coordinate all activities associated with the development of software policies and procedures, software certification processes, and resolution of technical issues;
• Collaborate with the database, network, and data center managers to manage audit records showing the addition, modification, or deletion of information from an information system;
• Assess all security controls in an information system during the initial security authorization;
• Develop, document, and maintain a current OPM baseline guidance configuration of the information system and an inventory of the system’s constituent components; and
• Enforce access restrictions associated with changes to the information system and maintain records associated with changes to system accesses.
2.19 Database Managers
The Database Manager provides in-depth technical information security support for OPM users, contractors, and non-OPM organizations or their representatives who are granted authorized access to OPM’s database infrastructure. The Database Manager shall:
• Formulate, test, and maintain disaster recovery and contingency plans and procedures;
• Work closely with appropriate personnel (i.e., CISO, Information Systems Security Manager, Privacy Program Manager, and DSO) to review, evaluate, and recommend appropriate computer security measures and safeguards to protect information resources from misuse, whether intentional or unintentional;
• Ensure the integration of security and privacy policies into database design and maintenance for those databases that process OPM information; and
• Review other acquisition documentation to ensure the inclusion of appropriate information security-related clauses, consistent with this policy and the Policy on IT Procurement.
2.20 Security Control Assessor
The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). The Security Control Assessor shall:
• Assess the management, operational, and security controls detailed in the System Security Plan of an information system in support of security authorization;
• Provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation;
• Recommend corrective actions to address identified vulnerabilities;
• Prepare the final security assessment report containing the results and findings from the assessment;
• Provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities; and
• Prepare a recommendation for security authorization of the system for the CISO and AO review and approval per OPM Security Assessment and Authorization Procedure.
2.21 OPM Managers and Supervisors
All OPM Managers and Supervisors are responsible for carrying out the applicable provisions of this policy and for supervising or directing the users who work for them to ensure their compliance with this policy. OPM Managers and Supervisors shall:
• Implement and enforce this policy;
• Ensure employees and contractors have appropriate background investigations;
• Ensure employees and contractors are appropriately trained for their information security-and privacy-related job activities;
• Determine appropriate access requirements for employees and contractors;
• Work with the office of the CIO to limit access for OPM users only to information resources needed to complete assigned job activities; and
• Review and approve new user accounts for system and network access.
2.22 Physical Security Manager
The OPM Physical Security Manager (PSM), located at the OPM Headquarters Office in Washington, DC, shall establish security standards/guidelines and monitor implementation at the Headquarters Office. The same standards apply at other OPM facilities; however, the Facility Managers are responsible for implementing associated controls within those locations. The PSM shall monitor the implementation of OPM physical standards to ensure compliance at all OPM facilities.
The PSM reviews facilities physical access authorizations before access is granted, and reviews authorizations when individuals are reassigned or transferred to other positions within the organization. The PSM shall ensure:
• Physical security-related incidents, involving loss of or damage to OPM-issued property, threats, assaults, or other criminal activity involving OPM, are remediated;
• Review, coordination of, and the writing of physical security plans, directives, checklists, procedures, policies, assessments, and surveys;
• Establishment and implementation of physical security access control measures, procedures, and guidelines;
• Screening of individuals (i.e., conducting background investigations) requiring access to OPM facilities, information, and information systems is completed before authorizing access; and
• Access is terminated, exit interviews are conducted, all OPM information system-related property (e.g., keys, identification cards, building passes) is returned, and appropriate personnel have access to official records created by the terminated employee that are stored on OPM information systems.
2.23 Facility Manager
OPM Facility Managers are primarily responsible for building maintenance (e.g., HVAC, lighting, power, fire suppression, etc.). However, Facility Managers located at non-Headquarter facilities are responsible for implementing physical security controls following standards and guidelines established by the Physical Security Manager (PSM). The Facility Manager shall ensure implementation of the following at OPM facilities:
• Physical security controls at non-Headquarter facilities;
• Redundant and parallel power cabling paths;
• Automatic voltage controls;
• Long-term alternate power supply for the information system and it is capable of maintaining minimally required operational capability in the event of extended loss of primary power source;
• Long-term alternate power supply that is not reliant on external power generation;
• Emergency lighting for all areas within the facility supporting essential missions and
• Fire detection devices/systems for the information system activate automatically and notify the organization and emergency responders in the event of a fire;
• Temperature and humidity controls to maintain conditions that are conducive for maintaining information system longevity and functionality; and
• Mechanisms that protect the information system from water damage.
2.24 OIG Role
The Office of the Inspector General (OIG) is to ensure Federal Information Security Management Act (FISMA) compliance. The OIG evaluates how National Institute of Standards and Technology (NIST) guidance is applied in the context of its mission/business responsibilities, operational environment, and unique organizational conditions. The OIG performs a yearly assessment on agency information systems assessing OPM compliance with FISMA and NIST Special Publications to assure the security posture is valid and sound, according to NIST standards and guidelines.
2.25 Contracting Officers and Procurement Officers
Office of Personnel Management contracting officers are responsible for dealing with contractors and have sole authority to solicit proposals and negotiate, award, and modify contracts on behalf of OPM. Contracting Officers and Procurement Officers shall:
2.26 Contracting Officer's Technical Representative (COTR)
OPM Contracting Officer's Technical Representatives (COTR) are responsible for ensuring OPM-IT contractor business relationships are mutually beneficial and provide those products and services OPM needs. The COTR is a technical information conduit, business partner and a contracting and regulatory liaison between OPM and the IT contractor. The COTR shall:
• Ensure that a security clause for Federal Information Security Management Act (FISMA) compliance is added to all IT contracts;
• Notify the help desk and physical security of all departing contractors so associated accounts can be disabled to prevent system access;
• Ensure that contractors complete annual security awareness training;
• Recommend with full justification, whether to provide government IT property to a Contractor for a proposed procurement;
• Maintain appropriate files to support the awarded IT contract through the completed task;
• Assist and participate in the award orientation apprising the IT contractor of all post-award rights, duties and milestones of both parties affecting substantial performance;
• Monitor the acquisition, control, and disposition of OPM IT property by OPM personnel and by the IT contractor;
• Assess IT contractors for any loss, damage, or destruction of property; and
• Document IT contractor performance.
2.27 OPM Users (Internal and External)
An OPM user is anyone who uses, manages, operates, maintains, or develops OPM applications or data. OPM users are responsible for complying with this policy and protecting information resources from loss, theft, misuse, unauthorized access, destruction, unauthorized modification, disclosure, or duplication (intentional or unintentional). The term “information resources” includes both Government information and information technology.
OPM users shall complete IT security awareness training prior to gaining access to OPM systems and repeat this training annually. OPM users shall comply with the OPM IT Rules of Behavior at all times and locations. This includes compliance with all Office of Management and Budget (OMB), NIST, and OPM guidance as announced and/or published on the OPM Intranet. All individuals considered external to OPM using an OPM IT system shall comply with all Federal Government and OPM IT Security Policies, laws, and regulations, Inter-agency Memoranda of Understanding/Agreement (MOU/A), or other formal agreements with OPM. OPM users shall:
• Safeguard user identification, logon identification, and other credentials and passwords from unauthorized access, use, and disclosure;
• Comply with 5 CFR 1001.102, Privacy Act Rules of Conduct;
• Complete IT security awareness training prior to gaining access to OPM systems and complete this training annually;
• Complete any special security training required for the position they hold;
• Comply with OPM Computer User Responsibilities and OPM’s Policy on Personal Use of Government Office Equipment;
• Secure and log off from any computing environment when processing is complete;
• Report any observed or suspected security incidents to the OPM Situation Room (SitRoom), in accordance with OPM’s Incident Response and Reporting Guide;
• Report any actual or suspected breaches of PII to the OPM Situation Room, in accordance with the reporting procedures on the Privacy (PII) Web pages on the OPM Intranet; and
• Report any observed or suspected violations of this policy according to instructions provided in Chapter 3 of this policy. OPM employees must report violations to their OPM Supervisor or Manager. Contractors must report violations to their Contracting Officer’s Technical Representative (COTR).
3. SECURITY PROGRAM
The mission of the Office of Personnel Management (OPM) IT Security and Privacy (ITSP) Office is to implement and maintain an OPM wide information security and privacy program that safeguards information assets against unauthorized use, disclosure, modification, damage or loss. This is done by providing oversight over the implementation of management, operational and technical security controls to protect agency resources. ITSP also manages security and privacy risks by educating the OPM user community about related issues, assessing current policies, developing new policies and establishing mechanisms to respond to incidents and events that endanger information assets.
The ITSP administrative responsibilities include establishing and maintaining an information (IT) security and privacy program that is compliant with OPM's strategic goals and priorities, the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, the Clinger-Cohen Act of 1996 and other applicable federal IT security and privacy laws and directives. The organizational structure below provides a high-level representation of the ITSP security program areas.
Figure 1 ITSP Program Areas
This chapter contains the National Institute of Standards and Technology (NIST) SP 800-53 Program Management (PM) security control requirements as they relate to OPM's information security program. The remaining 17 NIST SP 800-53 security control families are covered in Chapters 5-7. Chapter 4 includes the elements of OPM's Privacy Program.
3.1 Program Management Controls (PM)
The National Institute of Standards and Technology (NIST) 800-53 Program Management (PM) family of security controls focuses on information security requirements that are independent of any particular information system and are essential for managing information security programs. Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.
Policy: OPM shall establish and maintain a robust, cost-effective security program that incorporates the security controls specified herein, and shall develop OPM-wide security controls to enhance both the Federal and OPM-specific security controls to ensure the confidentiality, integrity, and availability of the OPM information systems, network and data, and in accordance with federal policies, standards, procedures, and guidance.
3.1.1 Information Security Program Plan (PM-1)
The information security program plan can be represented in a single document or compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together, provide a complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls.
The policies under this family are implemented with the OPM-wide Program Management Procedure. Program management procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.
3.1.2 Senior Information Security Officer (PM-2)
The Chief Information Security Officer (CISO) is the information security official for a federal agency, as defined in applicable federal laws, Executive Orders, directives, policies or regulations. Organizations often refer to this organizational official as the Senior Information Security Officer or Senior Agency Information Security Officer (SAISO).
OPM shall appoint a CISO with the mission and resources to coordinate, develop, implement, and maintain an OPM-wide information security program.
The Chief of IT Security and Privacy (ITSP) shall assume the role and responsibilities of OPM's CISO.
3.1.3 Information Security Resources (PM-3)
Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process.
• Ensure all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
• Consider a business case/Exhibit 300/Exhibit 53 to record the resources required (to include information technology and security); and
• Ensure information security resources are available for expenditure as planned.
In coordination with the Office of the Chief Information Officer, System Owners (SO) shall integrate and explicitly identify funding for information security technologies and programs into IT investment and budgeting plans. OPM General Support Systems (GSS) and Major Applications (MA) shall be mapped to an Exhibit 300 and/or Exhibit 53, and shall have appropriate security budgeting and justification.
National Institute of Standards and Technology (NIST) Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, provides a systematic approach to selecting, managing, and evaluating IT security investments.
3.1.4 Plan of Action and Milestones Process (PM-4)
The Plan of Action and Milestones (POA&Ms) is a key document in the information security program and is subject to federal reporting requirements established by the Office of Management and Budget (OMB). The POA&Ms updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB Federal Information Security Management Act (FISMA) reporting guidance contains instructions regarding organizational POA&Ms.
OPM shall implement a process for ensuring that POA&Ms for the security program and the associated organizational information systems are maintained and that OPM is documenting the remedial information security actions to mitigate risk to OPM operations and assets, individuals, other organizations, and the Nation.
Remedial information security actions (i.e., corrective actions) shall include:
• All recommendations from external audits, reviews, or evaluations (e.g., GAO, OIG, or Departmental compliance and assistance review reports);
• Actions to mitigate significant vulnerabilities found in periodic testing that the SO or Authorizing Official (AO) deems necessary to report; and
• Actions to correct deficiencies found in self-assessments.
3.1.5 Information System Inventory (PM-5)
This control addresses the inventory requirements in Federal Information Security Management Act (FISMA). OMB provides guidance on developing information systems inventories and associated reporting requirements.
OPM shall develop and maintain an inventory of its FISMA information systems. FISMA (through 44 USC 3505) requires that agencies maintain an inventory of “major information systems”, to include major national security systems. Major Applications (MA) are all defined to be major information systems. Additionally, some General Support Systems (GSS) are major information systems. These typically include platforms and other infrastructural elements. FISMA also requires that the inventory include an identification of the interfaces between each such system and all other systems and networks, including those not operated by or under the control of the agency. The inventory shall be updated at least annually. The key distinction between “major” and “non-major/minor” systems is the degree of attention to security required: “special attention” and “attention,” respectively. To add further clarity to this distinction, it is OPM policy that systems shall be considered “major information systems” if they meet one of the following criteria:
• Systems with a FIPS 199 security categorization level of Moderate or High based on the following criteria;
• Information contained, processed, stored, or transmitted requires special protection, or the information system is critical to the agency's mission.
• Any system that is called out in a major CPIC (Capital Planning and Investment Control) investment.
• Any system that is comprised of (or contains) an OPM-designated Critical Infrastructure Protection asset.
Minor systems may be included in the inventory as part of a MA or GSS when considered part of the security authorization boundary, and not listed separately. Note that the business owner of the minor system must be consulted and agree to whether the system will be assessed separately or not. Whether in a stand-alone Security Authorization or as a component of a major system Security Authorization, the security controls in a minor application must still be described and tested. Candidates for systems that can be included as part of a larger system Authorization are systems with a FIPS-199 categorization of LOW. ITSP provides consultation as part of the OPM System Registration process, and can help determine the appropriate handling of information systems as they relate to the OPM System Inventory and Authorization.
An “information system” is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
A “major information system” is an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
A "major application" is an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
A "general support system" is considered a major information system when special management attention is required, there are high development, operating, or maintenance costs, and the system/information has a significant role in the administration of agency programs.
A "minor application" is an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
FISMA and Reporting of Contractor Systems
FISMA requires Federal agencies to be responsible for security of “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” FISMA requirements apply to Federal information as well as Federal information systems.
OMB clarifying guidance states that FISMA requirements may apply to contractors, grantees, State and local governments, industry partners, and others…and that Agencies must develop policies for information security oversight of users with privileged access to Federal data. OMB’s guidance promulgates the FISMA requirements to provide security protections
“...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency."
To implement these requirements, the following definition of contractor systems under FISMA will apply:
A system is considered a FISMA reportable contractor system when it is operated by an external (i.e., non-OPM) organization (e.g., contractor, grantee, State or local government, industry partner, fiscal agent, other Federal agency) that collects, processes, or handles OPM-owned information on behalf of OPM; and
A system or application that is being run by another Federal agency exclusively for OPM would be reported as part of OPM’s inventory. In the case where OPM, along with other organizations, is using another agency for services (e.g., payroll processing) the system would not be reported