Revision 3
U.S. General Services Administration
EXECUTIVE SUMMARY
The General Services Administration (GSA) agency-wide Assessment
and Authorization (A&A) process is based on the National
Institute of Standards and Technology (NIST) Risk Management
Framework (RMF) and the A&A process as described in NIST
Special Publication (SP) 800-37, Revision 2, “Risk Management
Framework for Information Systems and Organizations: A System Life
Cycle Approach for Security and Privacy.”
This Information Security Program Plan (ISPP) was developed to
provide stakeholders with detailed information on which controls
GSA considers inheritable common controls and which party is
responsible for implementing each control. NIST SP 800-53, Revision
4, “Security and Privacy Controls for Federal Information Systems
and Organizations,” describes common controls and the
responsibility for them as:
Common controls are security controls whose implementation results
in a security capability that is inheritable by one or more
organizational information systems. Security controls are deemed
inheritable by information systems or information system components
when the systems or components receive protection from the
implemented controls but the controls are developed, implemented,
assessed, authorized, and monitored by entities other than those
responsible for the systems or components—entities internal or
external to the organizations where the systems or components
reside.
The organization assigns responsibility for common controls to
appropriate organizational officials (i.e., common control
providers) and coordinates the development, implementation,
assessment, authorization, and monitoring of the controls. The
identification of common controls is most effectively accomplished
as an organization-wide exercise with the active involvement of
chief information officers, senior information security officers,
the risk executive (function), authorizing officials, information
owners/stewards, information system owners, and information system
security officers.
The excerpt below from NIST SP 800-53 defines hybrid controls and
provides examples:
Organizations assign a hybrid status to security controls when one
part of the control is common and another part of the control is
system-specific. For example, an organization may choose to
implement the Incident Response Policy and Procedures security
control (IR-1) as a hybrid control with the policy portion of the
control designated as common and the procedures portion of the
control designated as system-specific. Hybrid controls may also
serve as predefined templates for further control refinement.
Organizations may choose, for example, to implement the Contingency
Planning security control (CP-2) as a predefined template for a
generalized contingency plan for all organizational information
systems with information system owners tailoring the plan, where
appropriate, for system-specific uses.
This plan identifies the control implementation status for all
GSA-wide common controls and identifies hybrid controls where a GSA
organization, platform, or general support system provides part of
the control implementation. All Privacy controls are included in
this plan whether they are common, hybrid, or system-specific.
Where appropriate, the plan references GSA policies and guides that
provide further detail on control implementation.
DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749
Change Number | Person Posting Change | Change | Reason for Change | Page Number of Change

Initial Version – April 23, 2015
N/A | Desai/Davis | New Plan | Document GSA enterprise-wide common and hybrid controls status and implementation guidance. | N/A

1 | Klemens/Dean | Revised guide to align with current format and style, edited, and updated guide based on current control processes. | Update GSA enterprise-wide common and hybrid controls status and implementation guidance. | Throughout

1 | Feliksa/Klemens | Revised guide to address Executive Order (EO) 13800 and the NIST Cybersecurity Framework. Updated control parameters and implementation details based on changes to GSA processes, procedures, and guides. | Comply with EO 13800. Update GSA enterprise-wide common and hybrid controls parameters and implementation details based on changes to GSA processes, procedures, and guides. | Throughout

1 | Dean/Klemens/Normand | Changes to controls designated as common | Changes to GSA guidance on control parameters, implementation details, and Common Control designations | Throughout
IT Security Procedural Guide: Information Security Program Plan
(ISPP), CIO-IT Security-18-90, Revision 3, is hereby approved for
distribution.
Bo Berlas
GSA Chief Information Security Officer
Contact: GSA Office of the Chief Information Security Officer
(OCISO), Policy and Compliance Division (ISP), at
[email protected].
Table of Contents

1 Introduction ..... 1
2 References ..... 3
3 Security Controls ..... 5
3.1 Access Control (AC) ..... 6
3.1.1 Access Control Policy and Procedures (AC-1) ..... 6
3.1.2 Account Management | Dynamic Privilege Management (AC-2 (6)) ..... 7
3.1.3 Use of External Information Systems (AC-20) ..... 8
3.1.4 Use of External Information Systems | Limits On Authorized Use (AC-20 (1)) ..... 9
3.1.5 Use of External Information Systems | Portable Storage Devices (AC-20 (2)) ..... 10
3.2 Awareness and Training (AT) ..... 11
3.2.1 Security Awareness and Training Policy and Procedures (AT-1) ..... 11
3.2.2 Security Awareness Training (AT-2) ..... 12
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2)) ..... 13
3.2.4 Role-Based Security Training (AT-3) ..... 13
3.2.5 Security Training Records (AT-4) ..... 14
3.3 Audit and Accountability (AU) ..... 15
3.3.1 Audit and Accountability Policy and Procedures (AU-1) ..... 15
3.3.2 Audit Storage Capacity (AU-4) ..... 16
3.3.3 Audit Review, Analysis, and Reporting (AU-6) ..... 17
3.3.4 Audit Review, Analysis, and Reporting | Process Integration (AU-6 (1)) ..... 18
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit Repositories (AU-6 (3)) ..... 19
3.3.6 Audit Review, Analysis, and Reporting | Central Review and Analysis (AU-6 (4)) ..... 19
3.3.7 Audit Reduction and Report Generation (AU-7) ..... 20
3.3.8 Audit Reduction and Report Generation | Automatic Processing (AU-7 (1)) ..... 21
3.3.9 Audit Record Retention (AU-11) ..... 22
3.4 Security Assessment and Authorization (CA) ..... 22
3.4.1 Security Assessment and Authorization Policies and Procedures (CA-1) ..... 22
3.4.2 Plan of Action and Milestones (CA-5) ..... 23
3.4.3 Security Authorization (CA-6) ..... 24
3.4.4 Continuous Monitoring (CA-7) ..... 25
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1)) ..... 27
3.5 Configuration Management (CM) ..... 27
3.5.1 Configuration Management Policy and Procedures (CM-1) ..... 27
3.5.2 Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas (CM-2 (7)) ..... 29
3.5.3 Least Functionality | Authorized Software / Whitelisting (CM-7 (5)) ..... 29
3.5.4 Information System Component Inventory | Automated Maintenance (CM-8 (2)) ..... 30
3.5.5 Information System Component Inventory | Automated Unauthorized Component Detection (CM-8 (3)) ..... 31
3.5.6 Information System Component Inventory | No Duplicate Accounting of Components (CM-8 (5)) ..... 32
3.5.7 Information System Component Inventory | Centralized Repository (CM-8 (7)) ..... 33
3.5.8 User-Installed Software (CM-11) ..... 33
3.6 Contingency Planning (CP) ..... 34
3.6.1 Contingency Planning Policy and Procedures (CP-1) ..... 34
3.7 Identification and Authentication (IA) ..... 35
3.7.1 Identification and Authentication Policy and Procedures (IA-1) ..... 35
3.8 Incident Response (IR) ..... 36
3.8.1 Incident Response Policy and Procedures (IR-1) ..... 36
3.8.2 Incident Response Training (IR-2) ..... 37
3.8.3 Incident Response Testing (IR-3) ..... 39
3.8.4 Incident Response Testing | Coordination with Related Plans (IR-3 (2)) ..... 40
3.8.5 Incident Handling (IR-4) ..... 41
3.8.6 Incident Handling | Automated Incident Handling Processes (IR-4 (1)) ..... 42
3.8.7 Incident Monitoring (IR-5) ..... 43
3.8.8 Incident Reporting (IR-6) ..... 44
3.8.9 Incident Reporting | Automated Reporting (IR-6 (1)) ..... 48
3.8.10 Incident Response Assistance (IR-7) ..... 49
3.8.11 Incident Response Assistance | Automation Support for Availability of Information / Support (IR-7 (1)) ..... 50
3.8.12 Incident Response Plan (IR-8) ..... 51
3.9 Maintenance (MA) ..... 52
3.9.1 System Maintenance Policy and Procedures (MA-1) ..... 52
3.10 Media Protection (MP) ..... 53
3.10.1 Media Protection Policy and Procedures (MP-1) ..... 53
3.10.2 Media Use (MP-7) ..... 54
3.11 Physical and Environmental Protection (PE) ..... 55
3.11.1 Physical and Environmental Protection Policy and Procedures (PE-1) ..... 55
3.12 Planning (PL) ..... 56
3.12.1 Security Planning Policy and Procedures (PL-1) ..... 56
3.13 Rules of Behavior (PL-4) ..... 57
3.13.1 Rules of Behavior | Social Media and Networking Restrictions (PL-4 (1)) ..... 58
3.13.2 Information Security Architecture (PL-8) ..... 59
3.14 Program Management (PM) ..... 60
3.14.1 Information Security Program Plan (PM-1) ..... 60
3.14.2 Senior Information Security Officer (PM-2) ..... 62
3.14.3 Information Security Resources (PM-3) ..... 62
3.14.4 Plan of Action and Milestones Process (PM-4) ..... 63
3.14.5 Information System Inventory (PM-5) ..... 64
3.14.6 Information Security Measures of Performance (PM-6) ..... 65
3.14.7 Enterprise Architecture (PM-7) ..... 66
3.14.8 Critical Infrastructure Plan (PM-8) ..... 67
3.14.9 Risk Management Strategy (PM-9) ..... 68
3.14.10 Security Authorization Process (PM-10) ..... 69
3.14.11 Mission/Business Process Definition (PM-11) ..... 70
3.14.12 Insider Threat Program (PM-12) ..... 70
3.14.13 Information Security Workforce (PM-13) ..... 71
3.14.14 Testing, Training, and Monitoring (PM-14) ..... 72
3.14.15 Contacts with Security Groups and Associations (PM-15) ..... 73
3.14.16 Threat Awareness Program (PM-16) ..... 74
3.15 Personnel Security (PS) ..... 75
3.15.1 Personnel Security Policy and Procedures (PS-1) ..... 75
3.15.2 Position Risk Designation (PS-2) ..... 76
3.15.3 Personnel Screening (PS-3) ..... 77
3.15.4 Personnel Termination (PS-4) ..... 78
3.15.5 Personnel Transfer (PS-5) ..... 79
3.15.6 Access Agreements (PS-6) ..... 80
3.15.7 Third-Party Personnel Security (PS-7) ..... 81
3.15.8 Personnel Sanctions (PS-8) ..... 82
3.16 Risk Assessment (RA) ..... 83
3.16.1 Risk Assessment Policy and Procedures (RA-1) ..... 83
3.16.2 Risk Assessment (RA-3) ..... 84
3.16.3 Vulnerability Scanning (RA-5) ..... 85
3.16.4 Vulnerability Scanning | Update Tool Capability (RA-5 (1)) ..... 87
3.16.5 Vulnerability Scanning | Update By Frequency / Prior to New Scan / When Identified (RA-5 (2)) ..... 88
3.16.6 Vulnerability Scanning | Privileged Access (RA-5 (5)) ..... 89
3.17 System and Services Acquisition (SA) ..... 89
3.17.1 System and Services Acquisition Policy and Procedures (SA-1) ..... 89
3.17.2 Acquisition Process (SA-4) ..... 90
3.17.2.1 Security Engineering Principles (SA-8) ..... 91
3.17.3 External Information System Services (SA-9) ..... 92
3.18 System and Communications Protection (SC) ..... 93
3.18.1 System & Communications Protection Policy and Procedures (SC-1) ..... 93
3.18.2 Denial of Service Protection (SC-5) ..... 94
3.18.3 Boundary Protection (SC-7) ..... 95
3.18.4 Boundary Protection | Access Points (SC-7 (3)) ..... 96
3.18.5 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ..... 97
3.18.6 Boundary Protection | Deny By Default / Allow By Exception (SC-7 (5)) ..... 97
3.18.7 Boundary Protection | Prevent Split Tunneling for Remote Devices (SC-7 (7)) ..... 98
3.18.8 Boundary Protection | Prevent Unauthorized Exfiltration (SC-7 (10)) ..... 99
3.18.9 Mobile Code (SC-18) ..... 99
3.19 System and Information Integrity (SI) ..... 100
3.19.1 System & Information Integrity Policy & Procedures (SI-1) ..... 100
3.19.2 Flaw Remediation (SI-2) ..... 101
3.19.3 Flaw Remediation | Automated Flaw Remediation Status (SI-2 (2)) ..... 103
3.19.4 Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions (SI-2 (3)) ..... 103
3.19.5 Malicious Code Protection (SI-3) ..... 104
3.19.6 Malicious Code Protection | Central Management (SI-3 (1)) ..... 105
3.19.7 Malicious Code Protection | Automatic Updates (SI-3 (2)) ..... 106
3.19.8 Malicious Code Protection | Nonsignature-Based Detection (SI-3 (7)) ..... 107
3.19.9 Information System Monitoring (SI-4) ..... 107
3.19.10 Information System Monitoring | Automated Tools for Real-Time Analysis (SI-4 (2)) ..... 109
3.19.11 Information System Monitoring | Inbound and Outbound Communications Traffic (SI-4 (4)) ..... 110
3.19.12 Information System Monitoring | System-Generated Alerts (SI-4 (5)) ..... 110
3.19.13 Information System Monitoring | Analyze Traffic / Covert Exfiltration (SI-4 (18)) ..... 111
3.19.14 Information System Monitoring | Host-Based Devices (SI-4 (23)) ..... 112
3.19.15 Security Alerts, Advisories, and Directives (SI-5) ..... 113
3.19.16 Software, Firmware, and Information Integrity (SI-7) ..... 114
3.19.17 Software, Firmware, and Information Integrity | Integrity (SI-7 (1)) ..... 114
3.19.18 Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7 (7)) ..... 115
3.19.19 Memory Protection (SI-16) ..... 116
4 Privacy Controls ..... 116
4.1 Authority and Purpose (AP) ..... 116
4.1.1 Authority to Collect (AP-1) ..... 116
4.1.2 Purpose Specification (AP-2) ..... 117
4.2 Accountability, Audit, and Risk Management (AR) ..... 118
4.2.1 Governance and Privacy Program (AR-1) ..... 118
4.2.2 Privacy Impact and Risk Assessment (AR-2) ..... 119
4.2.3 Privacy Requirements for Contractors and Service Providers (AR-3) ..... 120
4.2.4 Privacy Monitoring and Auditing (AR-4) ..... 121
4.2.5 Privacy Awareness and Training (AR-5) ..... 122
4.2.6 Privacy Reporting (AR-6) ..... 123
4.2.7 Privacy Enhanced System Design and Development (AR-7) ..... 124
4.2.8 Accounting of Disclosures (AR-8) ..... 124
4.3 Data Quality and Integrity (DI) ..... 125
4.3.1 Data Quality (DI-1) ..... 125
4.3.2 Data Quality | Validate PII (DI-1 (1)) ..... 126
4.3.3 Data Quality | Re-Validate PII (DI-1 (2)) ..... 127
4.3.4 Data Integrity and Data Integrity Board (DI-2) ..... 128
4.3.5 Data Integrity and Data Integrity Board | Publish Agreements on Website (DI-2 (1)) ..... 129
4.4 Data Minimization and Retention (DM) ..... 130
4.4.1 Minimization of Personally Identifiable Information (DM-1) ..... 130
4.4.2 Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII (DM-1 (1)) ..... 131
4.4.3 Data Retention and Disposal (DM-2) ..... 131
4.4.4 Data Retention and Disposal | System Configuration (DM-2 (1)) ..... 132
4.4.5 Minimization of PII Used in Testing, Training, and Research (DM-3) ..... 133
4.4.6 Minimization of PII Used in Testing, Training, and Research | Risk Minimization Techniques (DM-3 (1)) ..... 134
4.5 Individual Participation and Redress (IP) ..... 135
4.5.1 Consent (IP-1) ..... 135
4.5.2 Consent | Mechanisms Supporting Itemized or Tiered Consent (IP-1 (1)) ..... 136
4.5.3 Individual Access (IP-2) ..... 136
4.5.4 Redress (IP-3) ..... 137
4.5.5 Complaint Management (IP-4) ..... 138
4.5.6 Complaint Management | Response Times (IP-4 (1)) ..... 139
4.6 Security (SE) ..... 140
4.6.1 Inventory of Personally Identifiable Information (SE-1) ..... 140
4.6.2 Privacy Incident Response (SE-2) ..... 141
4.7 Transparency (TR) ..... 141
4.7.1 Privacy Notice (TR-1) ..... 141
4.7.2 Privacy Notice | Real-Time or Layered Notice (TR-1 (1)) ..... 143
4.7.3 System of Records Notices and Privacy Act Statements (TR-2) ..... 143
4.7.4 System of Records Notices and Privacy Act Statements | Public Website Publication (TR-2 (1)) ..... 144
4.7.5 Dissemination of Privacy Program Information (TR-3) ..... 145
4.8 Use Limitation (UL) ..... 146
4.8.1 Internal Use (UL-1) ..... 146
4.8.2 Information Sharing with Third Parties (UL-2) ..... 146
Appendix A: Acronyms ..... 148

Table 1-1: CSF Functions and Categories/Unique Identifiers ..... 1
Table 3-1: Definitions of Key Terms ..... 5
DocuSign Envelope ID: A2A4AFCB-D740-4653-AAD8-708E4E3DA749
1 Introduction
Information security is vital to the General Services
Administration’s (GSA) infrastructure and systems, and their
effective performance and protection are a key component of GSA’s
overall security program. Proper management of information
technology systems is essential to ensure the confidentiality,
integrity, and availability of the data transmitted, processed, or
stored by GSA information systems.
Executive Order (EO) 13800, “Strengthening the Cybersecurity of
Federal Networks and Critical Infrastructure,” requires all agencies
to use “The Framework for Improving Critical Infrastructure
Cybersecurity (the Framework) developed by NIST or any successor
document to manage the agency’s cybersecurity risk.” This National
Institute of Standards and Technology (NIST) document is commonly
referred to as the Cybersecurity Framework (CSF).
The five core CSF Functions are:
Identify (ID): Develop the organizational understanding to manage
cybersecurity risk to systems, assets, data, and
capabilities.
Protect (PR): Develop and implement the appropriate safeguards to
ensure delivery of critical infrastructure services.
Detect (DE): Develop and implement the appropriate activities to
identify the occurrence of a cybersecurity event.
Respond (RS): Develop and implement the appropriate activities to
take action regarding a detected cybersecurity event.
Recover (RC): Develop and implement the appropriate activities to
maintain plans for resilience and to restore any capabilities or
services that were impaired due to a cybersecurity event.
The CSF functions, category unique identifiers, and category
descriptions are listed in Table 1-1.
Table 1-1: CSF Functions and Categories/Unique Identifiers
CSF Function | Category Unique Identifier | Category Description
IDENTIFY (ID)
ID.AM - Asset Management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.BE - Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.GV - Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.RM - Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.SC - Supply Chain Risk Management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess, and manage supply chain risks.
DETECT (DE)
DE.AE - Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.
DE.CM - Security Continuous Monitoring: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
DE.DP - Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
PROTECT (PR)
PR.AC - Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AT - Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.DS - Data Security: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.IP - Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.MA - Maintenance: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.PT - Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
RESPOND (RS)
RS.RP - Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
RS.CO - Communications: Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).
RS.AN - Analysis: Analysis is conducted to ensure effective response and support recovery activities.
RS.MI - Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
RECOVER (RC)
RC.RP - Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
RC.IM - Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.CO - Communications: Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
The CSF complements, and does not replace, GSA’s risk management
process and cybersecurity program. GSA uses NIST’s Risk Management
Framework (RMF) as its foundation for managing information system
risk. More detailed information on how the CSF relates to GSA’s use
of the NIST RMF is contained in GSA IT Security Procedural Guide
06-30, “Managing Enterprise Risk.”
1.1 Purpose
The purpose of this Information Security Program Plan (ISPP) is to
provide information on GSA’s security program by describing the
common and hybrid controls where the GSA enterprise or a capability
managed at the enterprise level implements either all (common) or
part (hybrid) of the control requirements. The ISPP provides
details regarding these controls, including each control’s
implementation status, control type, and implementation
information/guidance for Federal and Contractor operated
systems.
1.2 Scope
Security controls/enhancements from NIST SP 800-53, Revision 4
included in this plan are:
Common controls - where the GSA enterprise provides the entire
control;
Hybrid controls - where the GSA enterprise provides a part of the
control;
Security Training and Awareness (AT) controls;
Program Management (PM) controls; and
Privacy controls.
The implementation guidance provided in this plan is applicable to
GSA Federal Employees, contractors and vendors of GSA, who operate,
manage, maintain, and protect GSA information systems (Federal and
Contractor systems) and data.
2 References
Note: GSA updates its IT security policies and procedural guides on
independent cycles which may introduce conflicting guidance until
revised documents are developed. In addition, many of
the references listed are updated by external organizations which
can lead to inconsistencies with GSA policies and guides. When
conflicts or inconsistencies are noticed, please contact
[email protected] for guidance.
Federal Laws, Regulations, Publications:
5 USC 552a, “Privacy Act of 1974”
44 USC 31, “Records Management by Federal Agencies”
EO 13556, “Controlled Unclassified Information”
EO 13800, “Presidential Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical
Infrastructure”
HSPD-12, “Homeland Security Presidential Directive 12: Policy for a
Common Identification Standard for Federal Employees and
Contractors”
OMB Circular A-123, “Management’s Responsibility for Enterprise
Risk Management and Internal Control”
OMB Circular A-130, “Managing Information as a Strategic
Resource”
OMB M-06-16, “Protection of Sensitive Agency Information”
OMB M-06-19, “Reporting Incidents Involving Personally Identifiable
Information and Incorporating the Cost for Security in Agency
Information Technology Investments”
OMB M-07-12, “Preparing for and Responding to a Breach of
Personally Identifiable Information”
Public Law 113–283, “Federal Information Security Modernization Act
of 2014”
FIPS Publications:
FIPS PUB 140-2, “Security Requirements for Cryptographic
Modules”
FIPS PUB 199, “Standards for Security Categorization of Federal
Information and Information Systems”
FIPS PUB 200, “Minimum Security Requirements for Federal
Information and Information Systems”
FIPS PUB 201-2, “Personal Identity Verification (PIV) of Federal
Employees and Contractors”
NIST Publications:
NIST Cybersecurity Framework, “Framework for Improving Critical
Infrastructure Cybersecurity”
NIST SP 800-18, Revision 1, “Guide for Developing Security Plans
for Federal Information Systems”
NIST SP 800-37, Revision 2, “Risk Management Framework for
Information Systems and Organizations: A System Life Cycle Approach
for Security and Privacy”
NIST SP 800-53, Revision 4, “Security and Privacy Controls for
Federal Information Systems and Organizations”
NIST SP 800-53A, Revision 4, “Assessing Security and Privacy
Controls for Federal Information Systems and Organizations”
NIST SP 800-60, Volume 1, Revision 1, “Volume I: Guide for Mapping
Types of Information and Information Systems to Security
Categories”
NIST SP 800-60, Volume 2, Revision 1, “Volume II: Appendices to
Guide for Mapping Types of Information and Information Systems to
Security Categories”
NIST SP 800-61, Revision 2, “Computer Security Incident Handling
Guide”
NIST SP 800-115, “Technical Guide to Information Security Testing
and Assessment”
NIST SP 800-128, “Guide for Security-Focused Configuration
Management of Information Systems”
NIST SP 800-137, “Information Security Continuous Monitoring (ISCM)
for Federal Information Systems and Organizations”
NIST SP 800-160, Volume 1, “Systems Security Engineering:
Considerations for a Multidisciplinary Approach in the Engineering
of Trustworthy Secure Systems”
GSA Directives, Policies, and Procedures:
GSA Order OAS P 1820.1, “GSA Records Management Program”
GSA Order CIO 2100.1, “GSA Information Technology (IT) Security
Policy”
GSA Order CIO 2100.3, “Mandatory Information Technology (IT)
Security Training Requirement for Agency and Contractor Employees
with Significant Security Responsibilities”
GSA Order CIO 2104.1, “General Rules of Behavior”
GSA Order CIO 2110.4, “GSA Enterprise Architecture Policy”
GSA Order CIO 2130.2, “GSA Enterprise IT Governance”
GSA Order ADM 2181.1, “Homeland Security Presidential Directive-12,
Personal Identity Verification and Credentialing, and Background
Investigations for Contractors”
GSA Order ADM 2400.1, “Insider Threat Program”
GSA Order ADM P 9732.1, “Personnel Security and Suitability Program
Handbook”
GSA Order HRM 9751.1, “Maintaining Discipline”
All CIO-IT Security Procedural or Technical Guides referenced in
this document are available on the GSA IT Security Procedural
Guides or Technical Guides InSite pages.
3 Security Controls
Table 3-1 provides definitions with examples of key terms used
within this plan.
Table 3-1: Definitions of Key Terms
Key Term | Definition | Example

Common Control
Definition: Security controls that can be inherited from GSA OCISO and/or any other GSA Service/Staff Office by one or more GSA or Vendor/Contractor information systems.
Example: For Federal Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a common control provided by GSA OCISO.

Hybrid*
Definition: Security controls where one part can be inherited from GSA OCISO, a general support system or platform, or a GSA Service/Staff Office, and another part requires system-specific implementation.
Example: For Vendor/Contractor Systems, GSA implements the Access Control Policy and Procedures (AC-1) security control as a hybrid control, with the policy portion of the control designated as common and the procedures portion of the control designated as system-specific.

System Specific Control
Definition: Security controls that require system-specific implementation and are the primary responsibility of information system owners and their respective authorizing officials.
Example: For Vendor/Contractor Systems, the Denial of Service Protection (SC-5) security control is a system-specific control, since implementation is primarily the responsibility of Vendor/Contractor System owners.

Federal System (i.e., Agency System)
Definition: An information system in GSA’s inventory processing or containing GSA or Federal information where the infrastructure and/or applications are NOT wholly operated, administered, managed, and maintained by a Contractor.
Example: Enterprise Infrastructure Operations (EIO) is a major information system that is owned by GSA and operated internally by GSA employees and contractors.

Vendor/Contractor System
Definition: An information system in GSA’s inventory processing or containing GSA or Federal information where the infrastructure and applications are wholly operated, administered, managed, and maintained by a contractor in non-GSA facilities.
Example: An application that processes GSA data but is not owned by GSA. The system is located at a Vendor/Contractor’s facility and is operated and managed by the Vendor/Contractor.

*Note: Controls noted as Implemented and Hybrid within this plan indicate that only the Common part of the Hybrid control is implemented. System Owners are still responsible for ensuring the implementation of the system-specific part of the control. Hybrid controls are only considered fully implemented when both the Common and System Specific parts are implemented.
3.1 Access Control (AC)
3.1.1 Access Control Policy and Procedures (AC-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT
security responsibilities as defined in GSA CIO Order
2100.1]:
1. An access control policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access
control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [annually, as part of CIO 2100.1, GSA IT
Security Policy]; and
2. Access control procedures [biennially].
AC-1 Control Summary Information
Federal System Common Control Implementation
Part a 1. The GSA access control policy is defined in the GSA IT
Security Policy, CIO 2100.1, which addresses purpose, scope, roles,
responsibilities, management commitment, coordination among
organizational entities, and compliance regarding access control
for GSA systems. This policy is disseminated GSA-wide via GSA’s
InSite centralized agency web site.
2. Access control procedures are documented in CIO-IT
Security-01-07, “IT Security Procedural Guide: Access Control.”
This guide is disseminated GSA-wide via GSA’s InSite centralized
agency web site.
Part b 1. The GSA OCISO is responsible for reviewing and updating
CIO 2100.1 annually. 2. The GSA OCISO is responsible for reviewing
and updating CIO-IT Security-01-07 biennially.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
may defer to the GSA policy and guide or implement their own access
control policies and procedures which comply with GSA’s
requirements with the approval of the Authorizing Official
(AO).
3.1.2 Account Management | Dynamic Privilege Management (AC-2
(6))
The information system implements the following dynamic privilege
management capabilities: [CDM and enterprise endpoint and network
security tools].
AC-2 (6) Control Summary Information
AC-2(6) Control Implementation
Federal System Common Control Implementation
GSA’s robust security fabric and multi-level security tools and
technologies at the server, workstation, and network layers provide
the following management capabilities.
Workstation and Server Endpoint Security Measures:
- Next Gen AV - Cylance and Cylance Protect
- Application whitelisting - Bit9
- Endpoint Security - FireEye HX, a multi-level defense solution
that includes signature-based and behavioral-based engines and
intelligence-based indicators of compromise, including MalwareGuard,
a Machine Learning based protection engine built on FireEye/Mandiant
IOCs.
- PIV authentication to the network and privileged accounts
- Cisco Umbrella - DNS Secure Internet Gateway solution
Network/Enterprise Security Measures:
- FireEye Email Threat Prevention - Real-time email attachment
executable sandboxing and URL analysis. Automatically integrates
with ALL GSA HX nodes to verify exposures of any detected ETP
signatures across HX nodes.
- FireEye Managed Defense - Active sweeps and hunts across GSA
endpoints against FireEye IOCs and anomalous activity.
- Web Application Firewalls
Additional Planned Mitigations:
- CyberArk - privileged access management solution
The combination of tools and capabilities identified above forms a
layered defense that effectively meets the requirement for dynamic
privilege management capabilities.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.1.3 Use of External Information Systems (AC-20)
The organization establishes terms and conditions, consistent with
any trust relationships established with other organizations
owning, operating, and/or maintaining external information systems,
allowing authorized individuals to:
a. Access the information system from external information systems;
and
b. Process, store, or transmit organization-controlled information
using external information systems.
AC-20 Control Summary Information
AC-20 Control Implementation
Federal System Common Control Implementation
Part a CIO Order 2100.1 and CIO-IT Security-06-30 identify the
conditions under which external information systems can be accessed
via an Interconnection Security Agreement (ISA).
Part b CIO Order 2100.1 and CIO-IT Security-06-30 govern whether
organizational information can be processed, stored, or transmitted
to external systems; GSA’s rules of behavior (RoB) govern the terms
and conditions.
Federal System System-Specific Expectation: System Owners, ISSOs,
and ISSMs must document the terms and conditions in ISAs and
RoBs.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.1.4 Use of External Information Systems | Limits On Authorized
Use (AC-20 (1))
The organization permits authorized individuals to use an external
information system to access the information system or to process,
store, or transmit organization-controlled information only when
the organization:
a. Verifies the implementation of required security controls on the
external system as specified in the organization's information
security policy and security plan; or
b. Retains approved information system connection or processing
agreements with the organizational entity hosting the external
information system.
AC-20(1) Control Summary Information
AC-20(1) Control Implementation
Federal System Common Control Implementation
Part a CIO Order 2100.1 and CIO-IT Security-06-30 identify the
requirement, via an ISA, for verification that adequate security
controls are in place to use an external information system.
Part b CIO Order 2100.1 and CIO-IT Security-06-30 require a signed
ISA be approved by GSA and the external system’s organization in
order to access the information system.
Federal System System-Specific Expectation: System Owners, ISSOs,
and ISSMs must document in collaboration with the external
information system the security controls and facilitate signing of
an ISA.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.1.5 Use of External Information Systems | Portable Storage
Devices (AC-20 (2))
The organization [restricts] the use of organization-controlled
portable storage devices by authorized individuals on external
information systems.
AC-20(2) Control Summary Information
Federal System Common Control Implementation
CIO 2100.1 and CIO-IT Security-06-32, “Media Protection,” state
that GSA restricts the use of digital storage devices, including
portable devices, to devices provided by GSA or provided by
organizations approved by GSA on GSA information systems. All
portable storage must be encrypted with a FIPS 140-2 certified
encryption module.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.2 Awareness and Training (AT)
3.2.1 Security Awareness and Training Policy and Procedures
(AT-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT
security responsibilities as defined in GSA CIO Order
2100.1]:
1. A security awareness and training policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security
awareness and training policy and associated security awareness and
training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [annually, as part of
CIO 2100.1, GSA IT Security Policy]; and
2. Security awareness and training procedures [biennially].
AT-1 Control Summary Information
Part a 1. The GSA security awareness training policy is defined in
the GSA IT Security Policy, CIO 2100.1, which addresses purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance regarding security
awareness training for GSA employees and contractors. This policy
is disseminated GSA-wide via GSA’s InSite centralized agency web
site.
2. Security awareness training procedures are documented in
CIO-IT Security-05-29, “Security and Privacy Awareness and Role
Based Training Program.” This guide is disseminated GSA-wide via
GSA’s InSite centralized agency web site.
Part b 1. The GSA OCISO is responsible for reviewing and updating
CIO 2100.1 annually. 2. The GSA OCISO is responsible for reviewing
and updating CIO-IT Security-05-29 biennially.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
may defer to the GSA policy and guide or implement their own
security awareness and training policies and procedures which
comply with GSA’s requirements with the approval of the Authorizing
Official (AO) and concurrence from the CISO.
3.2.2 Security Awareness Training (AT-2)
The organization provides basic security awareness training to
information system users (including managers, senior executives,
and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Annually] thereafter.
AT-2 Control Summary Information
AT-2 Control Implementation
Federal System Common Control Implementation
Part a New GSA personnel (i.e. contractors and federal employees)
are required to read and acknowledge GSA’s “General IT Rules of
Behavior” within 90 days of receiving network access. Process
details, including enforcement actions, can be found on the OCISO
Wiki.
Part b OCISO ISP coordinates multiple activities and campaigns
year-round to raise cybersecurity awareness: various phishing
campaigns against different user groups with an increased focus on
VIPs and privileged users; email campaigns reminding people of tax
scams or new cyber threats; and lastly, the "IT Security and Privacy
Awareness" refresher course offered through OLU.
Part c OCISO ISP coordinates multiple activities and campaigns
year-round to raise cybersecurity awareness, including the annual
"IT Security and Privacy Awareness" refresher course offered through
OLU.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
with GSA email accounts receive the same training as GSA employees
and contractors. Vendor/contractors that access GSA information
systems but do not have a GSA ENT account need a method of
satisfying this control. This group of personnel must have explicit
authorization to access a GSA information system without an ENT
account.
3.2.3 Security Awareness Training | Insider Threat (AT-2 (2))
The organization includes security awareness training on
recognizing and reporting potential indicators of insider
threat.
AT-2(2) Control Enhancement Summary Information
AT-2(2) Control Implementation
Federal System Common Control Implementation
GSA Order ADM 2400.1A, “Insider Threat Program,” describes GSA’s
roles, responsibilities, and policy regarding its insider threat
program (ITP). ITP personnel, under the Associate Administrator for
Mission Assurance, are responsible for ensuring insider threat
information and training is provided at a minimum annually.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.2.4 Role-Based Security Training (AT-3)
The organization provides role-based security-related training to
personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or
performing assigned duties;
b. When required by information system changes; and
c. [Annually] thereafter.
AT-3 Control Summary Information
AT-3 Control Implementation
Federal System Common Control Implementation
Part a OCISO ISP manages training for personnel holding roles with
significant security responsibilities. These roles are listed in
"IT Security Procedural Guide: Security and Privacy Awareness and
Role-Based Training Program CIO-IT Security-05-29."
ISSMs/ISSOs/AOs receive role-based training within 6 months of
their role assignment. Privileged Users possessing a Short Name
Account are required to acknowledge the "Rules of Behavior for
Privileged Users" before obtaining that account, then annually
after that.
Part b Organizational and/or system changes may justify additional
security training. When this occurs, OCISO ISP will coordinate the
offering or identify adequate training content.
Part c Personnel holding significant security responsibilities
receive role-based training every year.
Federal System System-Specific Expectation: If the System Owner of
a Federal System decides additional training is necessary for
personnel holding significant security responsibilities within
their system, they will need to offer that training to satisfy this
control. Otherwise, this control is fully inheritable.
Vendor/Contractor System Control Expectation: If the System Owner
of a Vendor/Contractor System decides additional training is
necessary for personnel holding significant security
responsibilities within their system, they'll need to offer that
training to satisfy this control. Otherwise, this control is fully
inheritable.
3.2.5 Security Training Records (AT-4)
The organization:
a. Documents and monitors individual information system security
training activities including basic security awareness training and
specific information system security training; and
b. Retains individual training records for [three years].
AT-4 Control Summary Information
AT-4 Control Implementation
Federal System Common Control Implementation
Part a OCISO manages training records for GSA employees and
contractors who take basic security awareness training. Completion
records are kept in GSA OLU. If OLU is not used, spreadsheets are
used to document training status.
Part b OLU records are kept for at least three years. Any records
kept in Google Sheets will be kept for at least three years.
Federal System System-Specific Expectation: System Owners are
required to maintain training records for any system specific role
based training provided to users of the information system.
Vendor/Contractor System Control Expectation: In addition to
GSA-provided training, vendors/contractors are required to track
and retain the completion of security training that is provided to
their employees.
3.3 Audit and Accountability (AU)
3.3.1 Audit and Accountability Policy and Procedures (AU-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT
security responsibilities as defined in GSA CIO Order
2100.1]:
1. An audit and accountability policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and
accountability policy and associated audit and accountability
controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [annually, as part of CIO 2100.1,
GSA IT Security Policy]; and
2. Audit and accountability procedures [biennially].
AU-1 Control Summary Information
AU-1 Control Implementation
Federal System Common Control Implementation
Part a
1. The GSA audit and accountability policy is defined in the GSA IT
Security Policy, CIO 2100.1, which addresses purpose, scope, roles,
responsibilities, management commitment, coordination among
organizational entities, and compliance regarding auditing and
accountability for GSA employees and contractors. This policy is
disseminated GSA-wide via GSA’s InSite centralized agency web site.
2. Audit and accountability procedures are documented in GSA IT
Security Procedural Guide: CIO-IT Security-01-08, “Audit and
Accountability.” The procedures facilitate the implementation of
the audit policy and associated controls. This guide is
disseminated GSA-wide via GSA’s InSite centralized agency web site.
Part b
1. The GSA OCISO is responsible for reviewing and updating CIO
2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT
Security 01-08 biennially.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
may defer to the GSA policy and guide or implement their own audit
and accountability policies and procedures which comply with GSA’s
requirements with the approval of the Authorizing Official
(AO).
3.3.2 Audit Storage Capacity (AU-4)
The organization allocates audit record storage capacity in
accordance with [GSA policies and guidance: audit log sizes are
documented in applicable GSA IT Security Technical Guides and
Standards (i.e., hardening and technology implementation guides)
available on the IT Security Technical Guides and Standards
webpage].
AU-4 Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-4 Control Implementation
Federal System Common Control Implementation:
Audit storage capacity is a hybrid control shared with GSA’s
SecTools FISMA system. Details on the common control implementation
are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.3 Audit Review, Analysis, and Reporting (AU-6)
The organization:
a. Reviews and analyzes information system audit records [daily
when security related events are forwarded to the Enterprise
Logging Platform for automated analysis and correlation, otherwise
on a periodic basis (specific period recommended by the GSA S/SO or
Contractor and approved by the GSA AO)] for indications of [GSA
S/SO or Contractor recommended inappropriate or unusual activity as
approved by the GSA AO]; and
b. Reports findings to [Information System Security Manager,
Information System Security Officer, System Owner (e.g., System
Program Manager, System Project Manager), Custodians, as designated
and approved by the GSA AO, via a dashboard when security related
events are forwarded to the Enterprise Logging Platform, otherwise
via manual reporting mechanisms].
AU-6 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-6 Control Implementation
Federal System Common Control Implementation:
Part a Audit review and analysis is a hybrid control shared with
GSA’s SecTools FISMA system. Details on the common control
implementation are available in the SecTools SSP.
Part b Audit reporting is a hybrid control shared with GSA’s
SecTools FISMA system. Details on the common control implementation
are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.4 Audit Review, Analysis, and Reporting | Process Integration
(AU-6 (1))
The organization employs automated mechanisms to integrate audit
review, analysis, and reporting processes to support organizational
processes for investigation and response to suspicious
activities.
AU-6(1) Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-6(1) Control Implementation
Federal System Common Control Implementation:
The integration of audit review, analysis, and reporting is a
control shared with GSA’s SecTools FISMA system. Details on the
common control implementation are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.5 Audit Review, Analysis, and Reporting | Correlate Audit
Repositories (AU-6 (3))
The organization analyzes and correlates audit records across
different repositories to gain organization-wide situational
awareness.
AU-6(3) Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-6(3) Control Implementation
Federal System Common Control Implementation:
Correlation of audit repositories to gain organization-wide
situational awareness is a common control provided by GSA’s
SecTools FISMA system. Details on the common control implementation
are available in the SecTools SSP.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.6 Audit Review, Analysis, and Reporting | Central Review and
Analysis (AU-6 (4))
The information system provides the capability to centrally review
and analyze audit records from multiple components within the
system.
AU-6(4) Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-6(4) Control Implementation
Federal System Common Control Implementation:
Central review and analysis of audit records from multiple system
components is a hybrid control shared with GSA’s SecTools FISMA
system. Details on the common control implementation are available
in the SecTools SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.7 Audit Reduction and Report Generation (AU-7)
The information system provides an audit reduction and report
generation capability that:
a. Supports on-demand audit review, analysis, and reporting
requirements and after-the-fact investigations of security
incidents; and
b. Does not alter the original content or time ordering of audit
records.
AU-7 Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-7 Control Implementation
Federal System Common Control Implementation:
Part a On-demand audit review, analysis, and reporting is a hybrid
control shared with GSA’s SecTools FISMA system. Details on the
common control implementation are available in the SecTools SSP.
Part b Maintaining the original content and time order of events is
a hybrid control shared with GSA’s SecTools FISMA system. Details
on the common control implementation are available in the SecTools
SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.3.8 Audit Reduction and Report Generation | Automatic Processing
(AU-7 (1))
The information system provides the capability to process audit
records for events of interest based on: [Source IP, Destination
IP, Account Names, Event Type].
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-7(1) Control Implementation
Federal System Common Control Implementation:
Automatic processing of audit records for events of interest is a
hybrid control shared with GSA’s SecTools FISMA system. Details on
the common control implementation are available in the SecTools
SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
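The reduction and reporting capability that AU-7 and AU-7(1) describe, as an added Python example that is not part of the GSA plan or of the SecTools system: it selects events of interest by source IP, destination IP, account name and event type over a constructed JSON-lines audit sample, keeps the raw lines in arrival order so that neither content nor time ordering is altered (AU-7 part b), and produces an on-demand count report (AU-7 part a). The record format, field names and values are constructed assumptions, not any GSA log format.

```python
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample audit records (JSON lines); values are illustrative only.
# The fourth line carries an earlier timestamp than the third: it arrived late,
# and the reduction must keep arrival order rather than re-sorting records.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "account": "jdoe", "event_type": "logon_success"}
{"ts": "2024-05-01T08:00:07Z", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "account": "svc-backup", "event_type": "file_read"}
{"ts": "2024-05-01T08:00:09Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "account": "jdoe", "event_type": "logon_failure"}
{"ts": "2024-05-01T08:00:03Z", "src_ip": "192.0.2.44", "dst_ip": "10.0.1.20", "account": "admin", "event_type": "logon_failure"}
{"ts": "2024-05-01T08:00:15Z", "src_ip": "192.0.2.44", "dst_ip": "10.0.1.21", "account": "admin", "event_type": "privilege_use"}
"""


@dataclass(frozen=True)
class Criteria:
    """Events-of-interest selectors from AU-7(1). An empty selector matches all."""
    src_nets: tuple = ()       # CIDR strings for source IP, e.g. ("192.0.2.0/24",)
    dst_nets: tuple = ()       # CIDR strings for destination IP
    accounts: tuple = ()       # account names
    event_types: tuple = ()    # event type labels


def _ip_in(ip: str, nets: tuple) -> bool:
    if not nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def matches(rec: dict, c: Criteria) -> bool:
    """True when the record satisfies every non-empty selector."""
    return (_ip_in(rec["src_ip"], c.src_nets)
            and _ip_in(rec["dst_ip"], c.dst_nets)
            and (not c.accounts or rec["account"] in c.accounts)
            and (not c.event_types or rec["event_type"] in c.event_types))


def reduce_audit(lines: Iterable[str], c: Criteria) -> List[str]:
    """Select matching records, returning the raw lines in arrival order.
    The original line is kept, not a re-serialized copy (AU-7 part b)."""
    selected = []
    for line in lines:
        line = line.rstrip("\n")
        if line and matches(json.loads(line), c):
            selected.append(line)
    return selected


def ordering_preserved(original: List[str], selected: List[str]) -> bool:
    """AU-7 part b check: the selected lines appear in the original in the
    same relative order (selected is a subsequence of original)."""
    it = iter(original)
    return all(line in it for line in selected)


def field_values(selected: List[str], key: str) -> List[str]:
    """Pull one field from each selected record, for reports and checks."""
    return [json.loads(line)[key] for line in selected]


def report(selected: List[str]) -> Dict[str, int]:
    """On-demand report (AU-7 part a): count of each account/event type pair."""
    return dict(Counter(f"{a}:{e}" for a, e in
                        zip(field_values(selected, "account"),
                            field_values(selected, "event_type"))))
```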
3.3.9 Audit Record Retention (AU-11)
The organization retains audit records online for [archived for a
period of not less than 180 days] to provide support for
after-the-fact investigations of security incidents and to meet
regulatory and organizational information retention
requirements.
AU-11 Control Enhancement Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
AU-11 Control Implementation
Federal System Common Control Implementation:
Audit record retention is a hybrid control shared with GSA’s
SecTools FISMA system. Details on the common control implementation
are available in the SecTools SSP.
Federal System System-Specific Expectation: Details on the
system-specific control implementation guidance are available in
the SecTools SSP.
Vendor/Contractor System Control Expectation: Vendors/contractors
are required to comply with the control statement.
3.4 Security Assessment and Authorization (CA)
3.4.1 Security Assessment and Authorization Policies and Procedures
(CA-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT
security responsibilities as defined in GSA CIO Order
2100.1]:
1. A security assessment and authorization policy that addresses
purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance;
and
2. Procedures to facilitate the implementation of the security
assessment and authorization policy and associated security
assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [annually, as part
of CIO 2100.1, GSA IT Security Policy]; and
2. Security assessment and authorization procedures
[biennially].
CA-1 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
CA-1 Control Implementation
Federal System Common Control Implementation:
Part a
1. The GSA security assessment and authorization policy is defined
in the GSA IT Security Policy, CIO 2100.1, which addresses purpose,
scope, roles, responsibilities, management commitment, coordination
among organizational entities, and compliance regarding assessing
and authorizing systems for GSA. This policy is disseminated
GSA-wide via GSA’s InSite centralized agency web site.
2. Security assessment and authorization procedures are documented
in GSA IT Security Procedural Guide: CIO-IT Security-06-30,
“Managing Enterprise Risk.” Additional security and assessment
guides for specific types of systems have been developed and are
referenced in CIO-IT Security-06-30. The procedures in these guides
facilitate the security assessment and authorization of all GSA
systems. The guides are disseminated GSA-wide via GSA’s InSite
centralized agency web site.
Part b
1. The GSA OCISO is responsible for reviewing and updating CIO
2100.1 annually.
2. The GSA OCISO is responsible for reviewing and updating CIO-IT
Security 06-30 biennially.
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
must adhere to GSA’s policy and guide regarding the security
assessment and authorization of GSA systems.
3.4.2 Plan of Action and Milestones (CA-5)
The organization:
a. Develops a plan of action and milestones for the information
system to document the organization's planned remedial actions to
correct weaknesses or deficiencies noted during the assessment of
the security controls and to reduce or eliminate known
vulnerabilities in the system; and
b. Updates existing plan of action and milestones [at least
quarterly] based on the findings from security controls
assessments, security impact analyses, and continuous monitoring
activities.
CA-5 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
CA-5 Control Implementation
Federal System Common Control Implementation:
Part a POA&Ms are required upon the initial A&A of a system
based on the Security Assessment Report prepared when the system is
assessed. CIO-IT Security-06-30, “Managing Enterprise Risk,”
provides additional details about when and how specific
vulnerabilities must be included in a system’s POA&M. CIO-IT
Security-09-44, “Plan of Action and Milestones,” provides
additional details on GSA’s POA&M management process. OCISO ISP
tracks that POA&Ms are implemented during an initial A&A of a
system.
Part b Both CIO-IT Security-06-30 and CIO-IT Security-09-44
identify the need to update POA&Ms at least quarterly and the
types of activities that would produce results requiring that a
POA&M be created. OCISO ISP monitors that POA&Ms are
updated by conducting quarterly reviews to determine if subsequent
findings and actions are being performed.
Federal System System-Specific Expectation: FISMA System ISSOs, in
collaboration with System Owners and other system personnel, are
responsible for creating initial POA&Ms and updating them as
milestones or POA&M actions are completed, and at least on a
quarterly basis. Subsystems do not have their own POA&M; their
POA&Ms are integrated with the FISMA system’s POA&M.
Vendor/Contractor System Control Expectation: Vendors/contractors
must adhere to GSA’s policy and guide regarding POA&Ms.
3.4.3 Security Authorization (CA-6)
The organization:
a. Assigns a senior-level executive or manager as the authorizing
official for the information system;
b. Ensures that the authorizing official authorizes the information
system for processing before commencing operations; and
c. Updates the security authorization [as specified in CIO-IT
Security-06-30 and GSA's other Assessment and Authorization
processes identified therein].
CA-6 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
CA-6 Control Implementation
Federal System Common Control Implementation:
Part a The GSA OCISO, Services/Staff Offices, and other
organizations identify the authorizing official for all GSA
information systems.
Part b The GSA OCISO IST and ISP Divisions ensure that all GSA
information systems are authorized in accordance with CIO Order
2100.1 and CIO-IT Security-06-30 and other A&A processes
defined therein, before being put into operational
production.
Part c CIO Order 2100.1 and CIO-IT Security-06-30 require
authorizations to be updated in accordance with the timelines
defined in CIO-IT Security-06-30 and GSA’s other A&A process
guides. As specified in CIO-IT Security-06-30, authorizations are
updated at least every three years or upon significant changes.
Systems in ongoing authorization undergo biannual performance
metric monitoring which fulfills the update requirement.
Federal System System-Specific Expectation: System owners, ISSOs,
ISSMs, and system personnel are responsible for updating their
security authorization and submitting it to the OCISO in accordance
with the timelines defined in CIO-IT Security-06-30 and GSA’s other
A&A process guides.
Vendor/Contractor System Control Expectation: Vendors/contractors
must adhere to GSA’s policy and guides regarding the authorization
of GSA systems.
3.4.4 Continuous Monitoring (CA-7)
The organization develops a continuous monitoring strategy and
implements a continuous monitoring program that includes:
a. Establishment of [metrics as defined in CIO-IT Security-12-66]
to be monitored;
b. Establishment of [monthly] for monitoring and [annually] for
assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the
organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined
metrics in accordance with the organizational continuous monitoring
strategy;
e. Correlation and analysis of security-related information
generated by assessments and monitoring;
f. Response actions to address results of the analysis of
security-related information; and
g. Reporting the security status of the organization and the
information system to [Information System Security Manager,
Information System Security Officer, System Owners,
Acquisitions/Contracting Officers, Custodians;] [monthly].
CA-7 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
Part a GSA OCISO has established continuous monitoring performance
metrics to be monitored in CIO-IT Security-12-66, “Information
Security Continuous Monitoring (ISCM) Strategy and Ongoing
Authorization (OA) Program.”
Part b GSA OCISO has established monthly and annual monitoring and
assessment requirements in CIO-IT Security-12-66.
Part c GSA OCISO requires systems to complete an annual FISMA
Self-Assessment (unless a full assessment has been completed) in
addition to the use of Continuous Diagnostics and Mitigation (CDM)
and other Enterprise Security Management tools to continually
assess the security status of systems.
Part d GSA OCISO requires systems to complete an annual FISMA
Self-Assessment (unless a full assessment has been completed) in
addition to the use of Continuous Diagnostics and Mitigation (CDM)
and other Enterprise Security Management tools to continually
assess the security status of systems.
Part e GSA leverages its deployment of CDM and other Enterprise
Security Management tools, their dashboards, and reports to
correlate findings and analysis of them with OCISO and system
personnel.
Part f System owners, ISSOs, ISSMs, and system personnel are
responsible for addressing findings from annual assessments and
GSA’s CDM and other Enterprise Security Management tools in
accordance with CIO-IT Security-06-30 and CIO-IT Security-17-80,
“Vulnerability Management Process.”
Part g GSA leverages its deployment of CDM and other Enterprise
Security Management tools, their dashboards, and reports to inform
personnel with security responsibilities for systems of the status
of their systems in accordance with CIO-IT Security-06-30 and
CIO-IT Security-17-80, “Vulnerability Management Process.”
Federal System System-Specific Expectation: System owners, ISSOs,
ISSMs, and system personnel are responsible for responding to
findings from assessment activities and monitoring tools in
accordance with CIO-IT Security-06-30, CIO-IT Security-17-80, and
CIO-IT Security-12-66 (for systems in Ongoing Authorization).
Vendor/Contractor System Control Expectation: Vendors/contractors
must adhere to GSA’s policy and guides regarding continuous
monitoring of GSA systems.
3.4.5 Continuous Monitoring | Types Of Assessments (CA-7 (1))
The organization employs assessors or assessment teams with [S/SO
or Contractor recommended and AO approved level of independence] to
monitor the security controls in the information system on an
ongoing basis.
CA-7(1) Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
CA-7(1) Control Implementation
Federal System Common Control Implementation:
GSA OCISO personnel performing continuous monitoring assessments
using CDM and other Enterprise Security Management tools meet the
level of independence GSA requires (i.e., do not have a conflict of
interest for the systems being monitored).
Federal System System-Specific Expectation: None, common
control.
Vendor/Contractor System Control Expectation: Vendors/contractors
must adhere to GSA’s policy and guide regarding independence of
personnel performing continuous monitoring activities.
3.5 Configuration Management (CM)
3.5.1 Configuration Management Policy and Procedures (CM-1)
The organization:
a. Develops, documents, and disseminates to [personnel with IT
security responsibilities as defined in GSA CIO Order
2100.1]:
1. A configuration management policy that addresses purpose, scope,
roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration
management policy and associated configuration management controls;
and
b. Reviews and updates the current:
1. Configuration management policy [annually, as part of CIO 2100.1,
GSA IT Security Policy]; and
2. Configuration management procedures [biennially].
CM-1 Control Summary Information
[Summary table not recoverable; implementation status and control
type selections omitted.]
CM-1 Control Implementation
Federal System Common Control Implementation:
Part a
1. The GSA configuration management policy is defined in the GSA IT
Security Policy, CIO 2100.1, which addresses purpose, scope, roles,
responsibilities, management commitment, coordination among
organizational entities, and compliance regarding the configuration
management of GSA systems. This policy is disseminated GSA-wide via
GSA’s InSite centralized agency web site