This regulation establishes policies to ensure comprehensive protections are in place to safeguard all information technology resources. PACC-IRM, and USDA managers must ensure that protections are in place to protect against accidental or deliberate, unauthorized alteration, destruction, delay, theft, access, use or damage to systems, data, applications, equipment, and telecommunications. This regulation also defines USDA's information and telecommunications security missions, goals, scope, and responsibilities.

This regulation cancels DR 3140-1, "USDA ADP Security Policy," dated July 19, 1984.

This regulation applies to all USDA organizational elements and their employees, other Federal agencies, State agencies, contractors, and sub-contractors who are involved in development of systems, obtaining, transmitting, using, and processing USDA information, data, on behalf of USDA. This regulation also applies to USDA computers operated on behalf of the USDA by State and local government or other private organizations to accomplish a USDA function. Finally, it includes anyone involved in the design, development, acquisition, installation, operation, maintenance and use of USDA ADP, telecommunications, LANs, and WANs.

The Computer Security Act of 1987, (Public Law 100-235) and OMB Circular No. A-130, Appendix III, dated February 8, 1996, "Security of Federal Automated Information Resources" require all Federal agencies (Departments) to plan for the security of all sensitive information systems throughout their life cycle.

OMB Circular No. A-130, Appendix III establishes a minimum set of controls to be included in Federal AIS security programs; and assigns Federal agencies the responsibilities for security of automated information. It also links agency automated information system security programs and agency management control systems established in accordance with

OMB Circular No. A-123, "Management Accountability and Control." The ISSP is designed to meet the requirements of Federal Laws and guidance. It also ensure the availability of telecommunications, ADP resources, and Word processing (WP) services, and to provide adequate physical protection to all IT resources.

All responsible officials must assume that controls are placed and administered where they are most effective. Local procedures must be developed, documented, implemented, and monitored to ensure reasonable and effective management of both traditional and new technology.

All USDA entities shall organize, implement, and maintain an information systems security program that ensures adequate security of all USDA information. It applies to all USDA agencies, programs, teams, organizations, contractors, consultants, appointees, employees of USDA funded councils, associations, State, local as well as other government agencies, and committees that use, process, manage USDA information or meet the requirements of the definition of "operator of Federal computer system (The Computer Security Act of 1987)."

The USDA Agency ADP Security Officer title is changed to ISSPM. This title is directly in line with titles used by NIST to address the Federal Information Systems Security community. The new title reflects the expanded role of the ADP Security Officer, a role which no longer focusses on the ADP environment only.

Security must be addressed in the System life-cycle (Planning Phase). It must be applied where it can be the most effective and with the least cost to the agencies. Ensure most cost effective and reasonable security approaches by including the ISSPM in the early stages of planning and technical reviews.

Establishment of security controls in all general support systems are hereby required in accordance with OMB Circular No. A-130, Appendix III.

The following public laws and Federal guidance are applicable to the USDA ISSP:

a External

b USDA Internal Regulations

AIS Automated Information Systems

ADP Automated Data Processing

ART Acquisition Review Team

DISSPM Departmental Information System Security Program Manager

DOS Disk Operating System

FOISM Field Office Information Security Managers

GAO General Accounting Office

IRM Information Resources Management

ISPO Information Service Processing Organization

IS Information System

ISSPM Information Systems Security Program Manager

ISSP Information System Security Program

IT Information Technology

LAN Local Area Network

NIST National Institute of Standards and Technology

NSA National Security Agency

OIG Office of the Inspector General

OMB Office of Management and Budget

PACC-IRM Policy Analysis and Coordination Center

Information Resources Management

SIRMO Senior IRM Official

TCP/IP Transmission Control Protocol/Internet Protocol

WAN Wide Area Network

WP Word Processing

USDA United States Department of Agriculture

a Access to Information. Refers to providing the public, upon their request, access to government information to which they are entitled under appropriate law.

b Adequate Security. Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, unauthorized access to, or modification, of information. This includes ensuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability through the use of cost-effective management, personnel, operational, and technical controls.

c Application. The use of information resources (information and information technology) to satisfy a specific set of user requirements.

d Confidentiality. The assurance that only properly authorized persons can view particular information. This refers to the treatment of data; confidentiality is achieved when specific information is not available or transmitted beyond those with an authorized need-to-know. A requirement that private or confidential information not be disclosed to unauthorized individuals.

e Critical Information. Information necessary for the continued operation of any USDA agency or organization, its automated information resources and services. This information may not be sensitive. However, the loss, denial, or modification of such information may cause grave damage to the operation of the organization. For example: the determination and prioritization of the critical information is necessary for emergency preparedness and disaster recovery. Critical information may be transmitted via E-Mail, without being encrypted. It's audience can be strictly controlled.

f Discretionary Access. The automated restricting of accesses to files, programs, protocols, resources, and information based on each user's need-to-know and least privilege requirement. Discretionary Access uses either built in system security capabilities or "third party" security enhancement products.

g Dissemination of Information. Refers to distributing government information to the public, whether through printed documents, or electronic or other media. "Dissemination of information" does not include intra-agency use of information, interagency sharing of information, or responding to requests for "access to information."

h Firewalls. It is a security policy and technology that define the services and access to be permitted, and an implementation of that policy in terms of a network configuration, one or more host systems and routers, and other security measures such as advanced authentication in place of static passwords. The main purpose of a firewall system is to restrict access to or from a protected network (i.e., a site). It implements a network access policy by forcing connections to pass through the firewall, where they can be examined and evaluated.

i General Support System. An interconnected set of information resources under the same direct management control, sharing common functionality. A general support system normally includes hardware, software, information, data, applications, and people. For example: a local area network (LAN), or a system can include smart terminals that support a branch office, an Agency-wide backbone, a communications network, a departmental data processing center, including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).

j Granularity. The relative fineness or courseness by which a mechanism such as access controls can be adjusted to implement discretionary access requirements.

k Information. Any communication or reception of knowledge, such as facts, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any medium, including computerized data bases, paper, microfilm, or magnetic tape.

l Information Resources Management (IRM). The planning, budgeting, organizing, directing, training, and control associated with government information. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and technology.

m Information Security. The protection of information resources and technology from intentional or accidental unauthorized destruction, alteration, disclosure, denial, or delay.

n Information System (IS). The organized collection, processing, maintenance, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual.

o Information Technology. The hardware and software operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf of the Federal Government to accomplish a Federal function, regardless of the technology involved, whether computers, telecommunications, or others. It includes automatic data processing equipment as that term is defined in Section 111(a)(2) of the Federal Property and Administrative Services Act of 1949. Automatic data processing and telecommunications activities related to certain critical national security missions, as defined in 44 U.S.C. 3502(2) and 10 U.S.C. 2315, are excluded.

p Information Technology Facility. An organizationally defined set of personnel, hardware, software, and physical facilities, a primary function of which is the operation of information technology.

q Least privilege. Refers to the information systems security objective and requirement of granting users only those accesses they need to perform their official duties. It requires that users be granted the lowest level of computer/system access that is consistent with job authority. Increases in privileges shall be requested and granted by written communications.

r Major Application. An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, unauthorized access to, or modification of the information in the application. Note: All Federal information requires some level of protection. Certain applications, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by redundant systems in which they operate.

s Major Information System. Information system that requires special continuing management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant impact on the administration of agency programs, finances, property, or other resources.

t Mandatory Access Controls. Consist of those access controls mandated in documented policies, procedures, system protocols, and systems parameters which serve as the mandatory minimum standards for all users regardless of their discretionary access requirements. The required protection functions and assurances that must be bound together to create a protection profile. For example: All users shall be required to have a unique, authorized userid and password assigned to them by the ISSPM before they can access the system.

u Need-to-Know. The necessity for access to, knowledge of, or possession of classified or other sensitive information in order to carry out officially sanctioned duties. Responsibility for determining whether a person's duties require possession or access to this information rests upon the individual having current possession (or ownership) of the information involved, and not upon the prospective recipient.

v Non-Discretionary Access Controls. Policies, procedures, practices, instructions or system options that are implemented or activated to counter periodic, nonrecurring or unique threats, such as Trojan horses, viruses, logic bombs, or improperly tested software. Non-Discretionary access controls are determined by ISSPMs and cannot be changed or deleted by unprivileged users, systems administrators or privileged users. Unprivileged users may utilize very limited discretionary administrative controls over these controls. These controls serve to enhance and strengthen Mandatory and Discretionary controls.

w Position Sensitivity. The determination by the organizations's management with the Support and consultation of the ISSPM of the potential for each position accessing the information system resource to cause great harm. System managers/administrators and privileged users shall require a higher level of sensitivity than a system operator. Systems which do not have separation of duties between system administrators/managers and IS ISSPMs require the highest position sensitivity.

x Preauthentication. A protocol or process for proving that a user knows her/his password before access to a system with a password is allowed. Preauthentication can be completed by the use of pin numbers, smart cards, biometrics or tokens.

y Privileged User. A user of a computer who is authorized to bypass normal access control mechanisms, usually to be able to perform system management functions. Policies shall clearly state limits to privileges and separation of duties.

z Reverse Intent. Is the name given to a common hacker technique offlipflopping a piece of security knowledge to identify a potential weaknesses. It is also the development and adoption of Information Systems Security policies, which by their wording, unintentionally and inadvertently reveal system vulnerabilities and capabilities that can be exploited by attackers. For example: a policy, which states: "System administrators shall not leave modems attached to the server in 'auto answer' or 'auto response' condition after normal working hours, during weekends and holidays" indicates to an attacker that the network has modems and is vulnerable to attack.

aa Separation of Duties. Refers to dividing roles and responsibilities so that a single individual cannot subvert a system or critical process. For example, ISSPMs shall perform security functions on systems, whole systems managers perform systems management functions. It is a form of checks and balances.

bb Sensitive Information. Any information, the loss, misuse, unauthorized access to, or modification of, which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy) Act, but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

cc Threat. Something in the system environment which, if paired with a corresponding vulnerability, could cause a harmful event to occur. The means through which the evidenced ability or intent of a threat agent to adversely affect an ADP system, facility, or operation may be manifested. The four basic threats are: (1) Denial of Service, (2) Unauthorized Use, (3) Unauthorized Manipulation, and (4) Unauthorized Disclosure of Information.

The goals of the USDA ISSP:

a Identify, protect and secure critical and sensitive USDA information, systems, applications, and data;

b Ensure that managers at all levels and entities provide adequate security for information resources and automated information systems (AIS) supporting their missions;

c Ensure annual information systems security awareness training and that employees and contractors at all levels of USDA are provided with sufficient guidance to discharge their responsibilities relating to AIS security;

d Ensure individual accountability for use of all automated information resources and AIS;

e Ensure audit ability and availability of all AIS;

f Ensure that all USDA ISSPMs have comprehensive and current information systems security training;

g Allocate sufficient resources to manage Information Systems Security needs in all USDA organizations, including Field Offices;

h Empower ISSPMs throughout USDA to have the authority equivalent to their responsibilities;

i Establish minimum mandatory information systems security standards that are applicable to all USDA and USDA funded organizations;

j Establish authority and guidelines for enforcement; and

k Provide authorization for disciplinary actions for Information Systems Security Non-compliance.

Information systems security responsibilities and accountability shall be explicit. The primary responsibility for security relating to all information technology resources is that of the end-user. The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of information systems shall be documented. The assignment of responsibilities may be internal to a USDA organization or may extend across organizational boundaries. (Source: An Introduction to Computer Security: The NIST Handbook).

a The Director of PACC-IRM will ensure that USDA:

b The Departmental ISSPM will:

c The Director of the Office of Operations will:

d The Director, Human Resources Management (HRM) will:

e The Director of the Office of Civil Rights Enforcement will:

f Director, Administrative Management Services will:

g Agency Administrators will:

h System Security Manager General Support System will:

i System Security Manager Major Applications will:

j Senior IRM Officials (SIRMO) will:

k Directors, Associate Directors, Division Chiefs, and other Managers throughout USDA will

l USDA Agency ISSPMs Additional ISSPM responsibilities which relate to specific areas of security may be found in DM 3140-2, "Duties and Responsibilities of the Information Systems Security Program Manager." Agency ISSPMs will:

m ADP Facility ISSPMs will:

n ADP Facility Managers will:

o Field Office Information Security Managers will:

p Users, Contractors and Sub-contractors will:

The USDA shall have a full-time ISSPM located in PACC-IRM. PACC-IRM shall staff the program office, as necessary, to ensure national and USDA computer security requirements can be met. Agencies shall have a ISSPM position which may be filled with a collateral-duty ISSPM. Agencies shall determine whether the position will be full-time or part time. Each agency shall determine the size of any security support staff, but must ensure personnel resources for security are adequate to meet national and USDA computer security requirements.

The USDA and Agencies ISSPMs shall ensure that information systems security requirements, procedures, and practices are included in computer security training materials. Each new employee will receive an orientation outlining their security responsibilities. Thereafter, the program managers shall ensure training is provided to their employees on a regular basis.

All USDA agencies must make security awareness and training mandatory for all employees that use, operate, supervise, or manage computer systems or use output from computer systems. Each USDA employee that uses computers or output from computers must be:

USDA employees, consultants, contractors, and sub- contractors working for USDA shall:

The ISSPM will ensure that anti-virus software is installed and used to check microcomputer systems, LAN servers, new software packages, and diskettes for viruses before use.

All USDA host computer systems capable of being accessed by communications connections, including local area networks and stand-a-lone systems, after completion of system booting procedures, must display a warning message at login. This message at a minimum must address the following, "The user has accessed a United States Government computer which requires prior authorization to access. Any person or computer assisted access is deemed to be unauthorized and can result in fines or imprisonment."

USDA systems will employ robust authentication measures for dial in and Internet access. Use of a firewall or router when the system uses TCP/IP to prevent intrusions is a centralized and convenient method of protecting USDA systems and networks. The use of passwords alone is not an adequate method of protecting systems that are connected to the Internet. This policy is not intended to deny access to public data. Rather, it is intended to protect data that has not been identified for public disclosure.

PACC-IRM has responsibility for determining the adequacy of security measures in place in systems used as gateways to the Internet. All such systems will be regularly reviewed by the Agency ISSPM for vulnerabilities from known threats. It is the responsibility of USDA agencies and staff offices that have or plan a gateway to the Internet to fund, implement, and maintain the prescribed protective features.

All USDA agencies and staff offices using the Internet must follow the guidance in DR 3140-2, "USDA Internet Security Policy," and DR 3300-1, "Telecommunications."

In accordance with OMB Circular No. A-130, Appendix III, each general support system and major application will have developed a security plan consistent with guidance issued by NIST as a MINIMUM. The current guidance is published in OMB Bulletin 90-08. PACC-IRM requires as a part of the OMB Bulletin 90-08 submission an annual IRM Security Program Status Report. The following topics are to be addressed in the status report part of the security plan submission:

THE SUBMISSION OF THE SECURITY PLAN SHALL BE DUE ON THE 14th OF APRIL EACH YEAR.

Report security breaches to the address listed below:

PACC-IRM

Departmental ISSPM

Room 427-W Jamie L. Whitten Federal Building

14th & Independence Ave. SW

Washington, D.C. 20250

Internet: WGant@.USDA.gov

Email: SIESNET: WGANT

Phone: 202-720-4301 FAX: 202-690-0574

All reports will be forwarded to the Office of The Inspector General.

All users of information and AIS, including contractors working for USDA, are responsible for complying with this information systems security policy as well as procedures and practices developed in support of this policy. Any contractor handling sensitive USDA data is subject to the security requirements specified in this Departmental Regulation.

Anyone suspecting misuse or attempted misuse of USDA information systems resources are responsible for reporting such activity to their management officials and to the ISSPM.

Violations of standards, procedures, or practices in support of this policy will be brought to the attention of management officials for appropriate action which will result in disciplinary action, that could include termination of employment.