Security Plans

Every application that is going to be deployed in the Agency central environment or any NCC managed resource is required to have a signed Application Security Plan.

It is the program office's responsibility to determine the sensitivity of their data and the risk associated with it, and to write an application security plan in accordance with EPA policy and guidance. Per EPA Directive 2195A1, it is the responsibility of the respective information manager to determine sensitivity and to develop security plans.

Each program office may have its own specific security review procedures. A "Management Official", who is not the person responsible for security of the application, must authorize use of the application by signing an authorization statement. The authorization must be based on the security plan and any tests conducted. The SIRMO must also approve the security plan. The program office's Information Security Officer is the authority to turn to for guidance on the security plan review procedures. The ISO must also maintain on file a copy of the current security plan.

Agency policy and guidance for the application security plan is available on the Web in the Information Security Manual at http://intranet.epa.gov/itsecurity/. The separate guidance documents on that site, at http://intranet.epa.gov/itsecurity/certaccrassess/itsecurityplan.html, include examples of security plans in their appendices.

Note: The links above are on the EPA Intranet; they are not visible to computers outside the EPA LAN.
However, there are some publicly available security resources. The first is NIST Special Publication 800-18 Rev. 1 (PDF, 460KB, 48 pages), "Guide for Developing Security Plans for Information Technology Systems." The second is OMB Circular A-130, Appendix III.

OEI/OTOP/IT Policy and Planning Division is available to answer questions and help interpret the Information Security Manual and other agency information technology policies.

As operator of the General Support System (web infrastructure, etc.) upon which the application will run, it is NCC's responsibility to review the security plan for identifiable risks and to make sure that the application will not compromise the security of the NCC General Support System. NCC does not approve security plans, but it may refuse to deploy an application until identified risks are adequately addressed. NCC will also advise the client office of any known residual risks associated with the general support system or network that the application's security should take into account. Therefore, client offices should work with NCC early in the life-cycle process to ensure security is adequately considered.
