TREASURY DIRECTIVE: 85-01
DATE:
SUBJECT: Department of the Treasury Information Technology (IT) Security Program
1. PURPOSE. This Directive authorizes the issuance of Treasury Department Publication (TD P) 85-01, "Treasury IT Security Program," which contains Department-wide IT security requirements and supporting guidance.
2. POLICY.
unauthorized access, use, disclosure, disruption, modification or destruction.
b. The Treasury IT Security Program (TD P 85-01) shall define controls for providing such protection. The Chief Information Officer (CIO) is authorized to prescribe, publish and maintain TD P 85-01, which is issued as a separate document. It shall:
(1) set forth the minimum standards or requirements for the security of non-national security and national security IT systems and the information they process, store and communicate;
(2) provide uniform policies and standards (and when appropriate, general procedures) to be used by the bureaus to address their IT security responsibilities in accordance with applicable requirements issued by the Department, Office of Management and Budget, Department of Defense, National Security Agency, General Services Administration, Government Accountability Office, Department of Commerce, Department of Homeland Security and National Institute of Standards and Technology; and
(3) implement and supplement, where necessary, Executive Orders, National Security directives, and other Government regulations by providing guidance when such regulations are not sufficiently detailed, or details are left to Departmental discretion.
3.
SCOPE AND APPLICABILITY.
a. This Directive applies to all bureaus, offices and organizations in the Department of the Treasury. The policy applies to all Treasury employees including detailees, temporary employees, and interns and contractors performing work for the Department of the Treasury, its offices, and bureaus working on behalf of the Department whether in a government office, traveling, alternate work site or other location. The requirements in TD P 85-01 apply to all Departmental systems, including those operated by other organizations on behalf of the Department.
b. The authority of the Inspectors General is set forth in Section 3 of the Inspector General Act and the Internal Revenue Service Restructuring and Reform Act, and defined in Treasury Order 114-01 (OIG), and Treasury Order 115-01 (TIGTA), or successor orders. The provisions of this directive shall not be construed to interfere with that authority.
c. Those authorities reserved to the Assistant Secretary (Intelligence
and Analysis) concerning
d. The Treasury IT Security Program does not preclude a bureau or
office from applying more stringent internal requirements when appropriate, so long
as these are consistent with TD P 85-01.
4. DEFINITIONS.
a. Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
b. Integrity – guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
c. Availability – ensuring timely and reliable access to and use of information.
5. RESPONSIBILITIES.
a. The Deputy Assistant Secretary for Information Systems and Chief Information Officer shall:
(1) oversee the creation and ensure the maintenance of an enterprise-wide IT Security Program;
(2) promote the promulgation of processes and procedures which mitigate the risks to information captured, processed, or maintained by the Department;
(3) ensure Treasury’s compliance with the Federal Information Security Management Act;
(4) maintain TD P 85-01 and formally coordinate any changes thereto with the Office of the General Counsel and Treasury Bureaus for review and comment prior to issuance; and
(5) retain discretion to review and approve bureau issuances that implement and supplement the Treasury IT Security Program.
b. The Heads of Bureaus and Offices and the Deputy Assistant Secretary for Headquarters Operations shall:
(1) ensure that an IT security program is implemented within their organizations in accordance with TD P 85-01;
(2) refer to the policies and procedures set forth in TD P 15-71, the Treasury Security Manual, regarding matters covered therein; and
(3) submit new or revised bureau security directives, regulations or handbooks that implement or supplement TD P 85-01 to the CIO for review and approval prior to publication as the CIO may require. No issuance upon which CIO review is invoked shall be published, implemented, adopted or used until approved.
c. The Bureau Chief Information Officers shall designate a
point of contact to coordinate all policy issues related to information systems
security (including IT security, operational security (threats/vulnerability
assessments), emissions security (TEMPEST), certificate management, electronic
authentication, continuity planning, and critical infrastructure protection).
6. SUPPLY OF TREASURY IT SECURITY PROGRAM. The text of TD P 85-01 may be accessed from
the Department of the Treasury Intranet IT security link.
7. AUTHORITIES.
a. Public Law 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA) of 2002,
b. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources.
c. National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems (U),
d. Public Law 104-106, Clinger-Cohen Act of 1996 [formerly called Information Technology Management Reform Act (ITMRA)],
e. Privacy Act of 1974, as amended. 5 USC 552a, Public Law 93-579,
f. Executive Order (E.O.) 13231, Critical Infrastructure Protection in the Information Age,
g. Homeland Security Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization, and Protection,
h. Department of State 12 Foreign Affairs Manual (FAM) 600, Information Security Technology.
8. CANCELLATION. Treasury Directive 85-01, Department of the
Treasury Information Technology (IT) Security Program, dated
9. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Information Systems and Chief Information Officer, Office of the Assistant Secretary for Management and Chief Financial Officer.
/S/
Peter B. McCarthy
Assistant Secretary for Management
and Chief Financial Officer