1.0 Identification Data

1.1 BSP Number: 0014

1.2 BSP Title/Name: USAID Certification and Accreditation of Its Core Financial System

1.3 Version Number: 1.0

1.4 Adoption Date: February 5, 2001

1.5 Approving Authority: CIO Council Security Practices Subcommittee (SPS)

1.6 Responsible Organization: United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team

1.7 Level of BSP: Candidate

1.8 Security Processes or other Framework(s) Supported: In the BSP Security Process Framework (SPF): Security Subprocess 9, Certification & Accreditation (C&A). In the SSE-CMM Framework: BP.06.

1.9 Reserved: Not to be completed by the drafter

1.10 Points of Contact

Government BSP Owner:
James P. Craft, CISSP
USAID Information Systems Security Officer
1300 Pennsylvania Ave., Suite 2.12-032
Washington, DC 20523-2120
Telephone: 202-712-5460
Fax: 202-216-3053
E-mail: jcraft@usaid.gov or cassistance@usaid.gov

Vendor Partner:
2.0 What This BSP Does

2.1 BSP's Purpose

This BSP describes the process the U.S. Agency for International Development (USAID) successfully employed to certify and accredit its core financial system.

2.2 Requirements for this BSP

- Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires "that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations."
- Public Law 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires agency heads to evaluate annually, and report to Congress on, the internal control and financial systems that protect the integrity of Federal programs.
- USAID Automated Directives System (ADS), Chapter 545, Automated Information Systems Security, provides agency-wide information systems security policy.

2.3 Success Stories

USAID removed the material weakness from the Agency's New Management System (NMS) core financial system 18 months earlier than originally programmed. Additionally, the experience gained from the NMS C&A effort prepared the team members well to conduct a C&A of the Agency's newly implemented, JFMIP-compliant core financial system, Phoenix.
3.0 What This BSP Is

3.1 Description of BSP

The New Management System (NMS) is the core financial system of the United States Agency for International Development (USAID). In 1997, NMS Security and Access Controls were identified by the Agency's Office of Inspector General (OIG) as constituting a "material weakness" under the Federal Managers' Financial Integrity Act (FMFIA). As a major step toward remedying this issue, the USAID Chief Financial Officer (CFO) and the USAID Information Systems Security Officer (ISSO) determined that the NMS would be taken through formal Security Certification and Accreditation (C&A). Two parallel developments were initiated: 1) plan and execute the C&A of the NMS, and 2) build a general methodology to guide future C&A efforts within USAID. This BSP illustrates a typical application of that general methodology, now called USAIDCAP, to the NMS effort.
3.1.2 General

USAID's general C&A methodology, now called USAIDCAP, consists of four phases and hinges on a System Security Authorization Agreement (SSAA) package. USAIDCAP remained under development at the time this BSP was written.

Phase I: Initial Actions

- A high-level summary of the proposed USAID IT Security Certification and Accreditation Process was developed and forwarded to senior USAID management for approval. The C&A package was a compendium of the planning, investigation, and remedial activities necessary to produce formal certification and accreditation of the NMS (in USAIDCAP this package is called the System Security Authorization Agreement (SSAA)). Areas previously addressed to a sufficient level, for instance contingency planning in the NMS Security Plan, were not subjected to additional explicit effort as part of this C&A task.
- The major planning activities in support of NMS Certification and Accreditation were captured in a C&A Plan.
- Five major technical fixes had been identified in support of NMS security requirements prior to development of the NMS Security Plan. The C&A Team tracked the status of these fixes and served as the application engineers in support of the associated software Problem Reports (PRs).
- Security roles and responsibilities, specifically for NMS Systems Security Managers, were documented and signed by USAID management.
- NMS-specific security training was incorporated into the ongoing NMS training program. The C&A Team evaluated the status of ongoing NMS security training and made improvement recommendations. In addition, user roles and responsibilities were identified.
- Selected high-priority action items from the existing NMS Security Plan were considered for implementation before the C&A effort began. These action items were selected to meet the requirements of OMB Circular A-130 and to address the material weakness of NMS Security and Access Controls.
- As added assurance for the Certification Authority, the contents of the Requirements Traceability Matrix (see C&A Plan, Appendix C) were subjected to an independent verification and validation (IV&V) review.
- The C&A Security Test Plan specified who would perform each test, how the tests would be conducted, where in the system they would be applied, and when in the testing sequence they would be run, for testing and evaluating the security requirements of the NMS in certifying the system. The scope of NMS security testing was comprehensive: the Test Plan called for testing and evaluating the management, operational, and technical control requirements, including personnel and physical aspects, identified in the NMS Security Plan. Special attention was given to those aspects of NMS security and access controls that had been reported as an Agency material weakness.
- The C&A Test Procedures presented test cases and procedures for validation testing and evaluation of the NMS, leading to findings that were formally presented to the Designated Accrediting Authority.
- The Security Test and Evaluation Report addresses the disposition of the NMS with respect to federal management, operational, and technical control requirements, as well as the personnel and physical requirements identified in the NMS Security Plan.
- Each of the requirements in the NMS Security Plan was evaluated and the amount of residual risk identified in a Risk Assessment report. For the assessment of NMS technical controls, this risk assessment relied heavily upon the results of security penetration testing performed as part of the NMS C&A process.
Phase II: Verification

The results of the Security Test and Evaluation Report and the risk assessments were analyzed and reported in the Report of Findings.
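The chain the Phase I and Phase II items describe (Security Plan requirement, test procedure, test result, finding with residual risk) is what the Requirements Traceability Matrix holds together, and what the IV&V review of that matrix checks. The following script is an added illustration, not part of the original BSP or of USAIDCAP: it builds a small RTM from constructed data, runs the two consistency checks an IV&V reviewer would start with (every test traces to a real requirement; every requirement has at least one test), and rolls test results up into a per-requirement report of findings with a residual-risk rating. All requirement IDs, test IDs, severities and the "material weakness" flag are hypothetical.

```python
"""Requirements Traceability Matrix (RTM) check and report of findings.

Added example (not from the BSP or USAIDCAP). The requirement IDs, test IDs,
results and severities are constructed to show the traceability chain:
security plan requirement -> test procedure -> test result -> finding.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    family: str                      # "management", "operational" or "technical"
    text: str
    material_weakness: bool = False  # tied to the reported Security and Access Controls weakness


@dataclass(frozen=True)
class TestCase:
    test_id: str
    req_ids: tuple                   # requirements this procedure validates
    description: str


@dataclass(frozen=True)
class TestResult:
    test_id: str
    passed: bool
    severity: str = "none"           # "low", "medium" or "high" when failed


SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample data (hypothetical identifiers, not NMS artifacts).
REQUIREMENTS = [
    Requirement("SP-AC-01", "technical", "Each user has a unique account; shared accounts prohibited", True),
    Requirement("SP-AC-02", "technical", "Accounts idle for more than 90 days are disabled", True),
    Requirement("SP-AU-01", "technical", "Security-relevant events are logged and reviewed weekly"),
    Requirement("SP-MG-01", "management", "Security roles and responsibilities are documented and signed"),
    Requirement("SP-OP-01", "operational", "Users complete security training before access is granted"),
    Requirement("SP-CP-01", "operational", "A tested contingency plan exists"),  # no test: coverage gap
]

TEST_CASES = [
    TestCase("T-01", ("SP-AC-01",), "Enumerate accounts; confirm each maps to one named individual"),
    TestCase("T-02", ("SP-AC-02",), "Query last-login dates; confirm idle accounts are disabled"),
    TestCase("T-03", ("SP-AU-01",), "Generate failed logins; confirm they appear in the audit log"),
    TestCase("T-04", ("SP-MG-01", "SP-OP-01"), "Inspect signed role documents and training records"),
    TestCase("T-05", ("SP-XX-99",), "Trace error: cites a requirement not in the Security Plan"),
]

RESULTS = [
    TestResult("T-01", True),
    TestResult("T-02", False, "high"),
    TestResult("T-03", False, "medium"),
    TestResult("T-04", True),
    TestResult("T-05", True),
]


def validate_traceability(requirements, test_cases):
    """IV&V-style RTM check: no test cites an unknown requirement,
    and no requirement is left without a test."""
    known = {r.req_id for r in requirements}
    dangling = sorted({rid for t in test_cases for rid in t.req_ids if rid not in known})
    covered = {rid for t in test_cases for rid in t.req_ids}
    uncovered = sorted(r.req_id for r in requirements if r.req_id not in covered)
    return {"dangling_tests": dangling, "uncovered_requirements": uncovered}


def build_report_of_findings(requirements, test_cases, results):
    """Roll test results up to each requirement; residual risk is the worst
    severity among its failed tests ("unknown" if never tested or not run)."""
    by_test = {r.test_id: r for r in results}
    tests_for_req = defaultdict(list)
    for t in test_cases:
        for rid in t.req_ids:
            tests_for_req[rid].append(t.test_id)
    findings = {}
    for req in requirements:
        tids = tests_for_req.get(req.req_id, [])
        not_run = [tid for tid in tids if tid not in by_test]
        failed = [tid for tid in tids if tid in by_test and not by_test[tid].passed]
        if not tids or not_run:
            status, risk = "not tested", "unknown"
        else:
            status = "fail" if failed else "pass"
            risk = max((by_test[t].severity for t in failed), key=SEVERITY_RANK.get, default="none")
        findings[req.req_id] = {"status": status, "residual_risk": risk,
                                "failed_tests": failed, "not_run": not_run}
    return findings


def material_weakness_open(requirements, findings):
    """True while any requirement tied to the material weakness is not passed."""
    return any(findings[r.req_id]["status"] != "pass" for r in requirements if r.material_weakness)


if __name__ == "__main__":
    print("RTM checks:", validate_traceability(REQUIREMENTS, TEST_CASES))
    report = build_report_of_findings(REQUIREMENTS, TEST_CASES, RESULTS)
    for rid, f in report.items():
        print(f"{rid}: {f['status']:<10} residual risk={f['residual_risk']}")
    print("material weakness still open:", material_weakness_open(REQUIREMENTS, report))
```

The two RTM checks are the ones worth automating before an IV&V reviewer reads the matrix by hand: a dangling trace means a test proves nothing about the Security Plan, and an uncovered requirement means the certification statement would be signed on a control nobody exercised. Note that "not tested" is deliberately kept distinct from "pass" so that an untested control never reads as closed risk.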
Phase III: Certify & Accredit

The total package was then assembled into an Approval Package. This package formed the basis for both the certification and accreditation statements and for issuance of the formal Authority to Operate certificate.

Phase IV: Post C&A

Following C&A, the OIG conducted an audit to verify that the material weakness of NMS Security and Access Controls warranted removal. The USAID ISSO then briefed senior USAID management on the Agency's readiness to remove the material weakness of NMS Security and Access Controls.
3.1.3 Outputs

- The significant outputs of the NMS C&A effort were the signed certification and accreditation statements. They are provided here for reference (sensitive information has been removed).
- USAID's C&A process is in its final stages of development. Called USAIDCAP, the four-phase, System Security Authorization Agreement-based process will serve as the Agency's overarching certification and accreditation guideline.
3.2 Relationship to Other BSPs

BSP00006, How to Accredit Information Systems for Operation.
4.0 How To Use This BSP

4.1 Implementation Guidance

- The C&A concept was unfamiliar to most managers at USAID when the NMS C&A effort commenced. Because of this, it was very important to keep a realistic set of expectations in the minds of all stakeholders in the process, and to control requirements creep carefully as the effort unfolded. To avoid continuously expanding goals for the project, all stakeholders were involved during the planning stage and throughout project execution. This practice assured everyone that their concerns were being addressed. Frequent briefings on progress and findings helped to keep expectations properly calibrated.
- Manage individual component activities in the context of their contribution to the overall objective, rather than perfecting each deliverable in isolation.
4.2 Implementation Resource Estimates

An NMS Security Plan was already in place before the NMS C&A effort was initiated. Given this resource, and the fact that all team members were very familiar with the system being certified, a technical team of three (3) contractor personnel finished the C&A effort in four (4) months, i.e., 12 person-months of effort. If team members must first learn the system, each would require about one (1) additional month to finish the job. The team's skill levels consisted of one (1) senior security test engineer, one (1) senior systems security analyst, and one (1) senior security project manager.
4.3 Performance Goals and Indicators (Metrics)

Besides comparing actual task execution to a standard project time-line plan, an Earned Value Analysis (EVA) was performed at the completion of each major milestone. EVA is a generalized performance management technique employed by USAID on its PRIME contract.
4.4 Tools

The standard MS Office suite was very useful, particularly the MS Project and MS Word applications.
4.5 Training Materials

The NMS C&A team members were technically competent at the task's initiation; no specialized skill training was required. The NMS C&A team members participated in the NMS Overview Training Class at the commencement of the effort. This training permitted the team members both to learn about the major application and to observe the quality of training imparted to all users.

At the end of the NMS C&A effort, three slides were added to the standard "New NMS User" briefing materials to familiarize users with the additional tasks involved in secure system operations.
Appendices

A. Executive Overview and Briefing

An example management briefing used to kick off the NMS C&A effort.
B. Reference List

- Clinger-Cohen Act of 1996.
- Department of Defense Instruction No. 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997.
- General Accounting Office, Federal Information System Controls Audit Manual (FISCAM).
- International Standard 15408, Common Criteria, Version 2.0, May 1998.
- National Computer Security Center (NCSC), NCSC-TG-027, A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992.
- National Computer Security Center (NCSC), NCSC-TG-028, Assessing Controlled Access Protection, May 1992.
- National Computer Security Center (NCSC), NCSC-TG-029, Introduction to Certification and Accreditation, January 1994.
- National Computer Security Center (NCSC), NCSC-TG-031, Certification and Accreditation Process Handbook for Certifiers, July 1996.
- National Computer Security Center (NCSC), NCSC-TG-032, Accreditor's Guideline, July 1997.
- National Institute of Standards and Technology (NIST) Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
- National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
- National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.
- Federal Information Processing Standards (FIPS) Publication 102, Guideline for Computer Security Certification and Accreditation, September 1983.
- Federal Information Processing Standards (FIPS) Publication 191, Guideline for the Analysis of Local Area Network Security, November 1994.
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP), April 2000.
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, National Information Systems Security (INFOSEC) Glossary, January 1999.
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4012, National Training Standard for Designated Approving Authority (DAA).
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4013, National Training Standard for System Administrators in Information Systems Security (INFOSEC), August 1997.
- National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4014, National Training Standard for Information Systems Security Officers (ISSO), August 1997.
- Office of Management and Budget (OMB) Memorandum M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records."
- Office of Management and Budget (OMB) Memorandum M-99-18, Privacy Policies on Federal Web Sites.
- Office of Management and Budget (OMB) Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites.
- Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources.
- Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, June 21, 1995.
- Paperwork Reduction Act of 1995.
- Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government Operations.
- Public Law 100-235, Computer Security Act of 1987.
C. Procurement Information

USAID has contracted for general IRM support with CSC under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.

D. Evaluation Information

Not to be completed by the drafter

E. Recommended Changes

Not to be completed by the drafter

F. Glossary

None applicable