DHS Sensitive Systems Policy Directive 4300A Version 8 0 March 14 2011 This is the implementation of DHS Management Directive 140-01 Information Technology System Security July 31 2007 DEPARTMENT OF HOMELAND SECURITY DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A This page intentionally left blank DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A FOREWORD The Department of Homeland Security DHS 4300 series of information security policy is the official series of publications relating to Departmental standards and guidelines adopted and promulgated under the provisions of DHS Management Directive 140-01 Information Technology System Security Comments concerning DHS Information Security publications are welcomed and should be submitted to the DHS Director for Information Systems Security Policy at INFOSEC@dhs gov or addressed to DHS Director of Information Security Policy OCIO CISO Stop 0182 Department of Homeland Security 245 Murray Lane SW Washington DC 20528-0182 Robert C West DHS Chief Information Security Officer DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A This page intentionally left blank DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A TABLE OF CONTENTS 1 0 INTRODUCTION 1 1 1 Information Security Program 1 1 2 Authorities 1 1 3 Policy Overview 2 1 4 Definitions 2 1 4 1 Classified National Security Information 2 1 4 2 National Intelligence Information 2 1 4 3 National Security Information 2 1 4 4 Foreign Intelligence Information 2 1 4 5 Sensitive Information 3 1 4 6 Public Information 3 1 4 7 Information Technology 3 1 4 8 DHS System 3 1 4 8 1 General Support System 3 1 4 8 2 Major Application 4 1 4 9 Component 4 1 4 10 Trust Zone 4 1 4 11 Continuity of Operations 4 1 4 12 Continuity of Operations Plan 5 1 4 13 Essential Functions 5 1 4 14 Vital Records 5 1 4 15 Operational Data 5 1 4 16 Federal Information Security Management Act 5 1 4 17 Personally Identifiable Information 7 1 4 18 Sensitive Personally Identifiable Information 7 1 4 19 Privacy Sensitive System 7 1 4 20 Strong Authentication 7 1 4 21 Two-Factor Authentication 7 1 5 Waivers and Exceptions 8 1 5 1 Waivers 8 1 5 2 Exceptions 8 1 5 3 Waiver or Exception Requests 8 1 5 4 U S Citizen Exception Requests 10 1 6 Information Sharing and Electronic Signature 10 1 7 Changes to Policy 11 2 0 ROLES AND RESPONSIBILITIES 12 2 1 Information Security Program Roles 12 2 1 1 DHS Senior Agency Information Security Officer 12 2 1 2 DHS Chief Information Security Officer 12 2 1 3 Component Chief Information Security Officer 14 2 1 4 Component Information Systems Security Manager 16 2 1 5 Risk Executive 17 2 1 6 Authorizing Official 18 2 1 7 Security Control Assessor 19 i v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 2 2 2 1 8 Information Systems Security Officer 20 Other Roles 20 2 2 1 Secretary of Homeland Security 20 2 2 2 Under Secretaries and Heads of DHS Components 21 2 2 3 DHS Chief Information Officer 22 2 2 4 Component Chief Information Officer 23 2 2 5 DHS Chief Security Officer 24 2 2 6 DHS Chief Privacy Officer 24 2 2 7 DHS Chief Financial Officer 25 2 2 8 Program Managers 26 2 2 9 System Owners 26 2 2 10 Common Control Provider 27 2 2 11 DHS Employees Contractors and Others Working on Behalf of DHS 28 3 0 MANAGEMENT POLICIES 29 3 1 Basic Requirements 29 3 2 Capital Planning and Investment Control 30 3 3 Contractors and Outsourced Operations 31 3 4 Performance Measures and Metrics 31 3 5 Continuity Planning for Critical DHS Assets 32 3 5 1 Continuity of Operations Planning 32 3 5 2 Contingency Planning 33 3 6 System Engineering Life Cycle 34 3 7 Configuration Management 34 3 8 Risk Management 36 3 9 Security Authoziation and Security Assessments 36 3 10 Information Security Review and Assistance 39 3 11 Security Working Groups and Forums 39 3 11 1 CISO Council 39 3 11 2 DHS Information Security Training Working Group 40 3 12 Information Security Policy Violation and Disciplinary Action 40 3 13 Required Reporting 41 3 14 Privacy and Data Security 41 3 14 1 Personally Identifiable Information 41 3 14 2 Privacy Threshold Analyses 43 3 14 3 Privacy Impact Assessments 43 3 14 4 System of Records Notices 44 3 14 5 Protecting Privacy Sensitive Systems 45 3 14 6 Privacy Incident Reporting 46 3 14 7 E-Authentication 47 3 15 DHS CFO Designated Systems 47 3 16 Social Media 49 3 17 Health Insurance Portability and Accountability Act 50 4 0 OPERATIONAL POLICIES 52 4 1 Personnel 52 4 1 1 Citizenship Personnel Screening and Position Categorization 52 4 1 2 Rules of Behavior 53 ii v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 2 4 3 4 4 4 5 4 6 4 7 4 8 4 9 4 10 4 11 4 12 4 13 5 0 4 1 3 Access to Sensitive Information 53 4 1 4 Separation of Duties 53 4 1 5 Information Security Awareness Training and Education 54 4 1 6 Separation From Duty 54 Physical Security 55 4 2 1 General Physical Access 55 4 2 2 Sensitive Facility 56 Media Controls 56 4 3 1 Media Protection 56 4 3 2 Media Marking and Transport 57 4 3 3 Media Sanitization and Disposal 57 4 3 4 Production Input Output Controls 57 Voice Communications Security 58 4 4 1 Private Branch Exchange 58 4 4 2 Telephone Communications 58 4 4 3 Voice Mail 58 Data Communications 58 4 5 1 Telecommunications Protection Techniques 58 4 5 2 Facsimiles 59 4 5 3 Video Teleconferencing 59 4 5 4 Voice Over Data Networks 59 Wireless Network Communications 60 4 6 1 Wireless Systems 60 4 6 2 Wireless Portable Electronic Devices 61 4 6 2 1 Cellular Phones 63 4 6 2 2 Pagers 63 4 6 2 3 Multifunctional Wireless Devices 63 4 6 3 Wireless Tactical Systems 64 4 6 4 Radio Frequency Identification 64 Overseas Communications 65 Equipment 66 4 8 1 Workstations 66 4 8 2 Laptop Computers and Other Mobile Computing Devices 66 4 8 3 Personally Owned Equipment and Software 66 4 8 4 Hardware and Software 67 4 8 5 Personal Use of Government Office Equipment and DHS Systems Computers 68 4 8 6 Wireless Settings for Peripheral Equipment 68 Department Information Security Operations 69 Security Incidents and Incident Response and Reporting 70 4 10 1 Law Enforcement Incident Response 72 Documentation 73 Information and Data Backup 73 Converging Technologies 74 TECHNICAL POLICIES 75 5 1 Identification and Authentication 75 iii v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 5 2 5 3 5 4 5 5 5 6 5 7 5 1 1 Passwords 75 Access Control 76 5 2 1 Automatic Account Lockout 77 5 2 2 Automatic Session Termination 77 5 2 3 Warning Banner 78 Auditing 79 Network and Communications Security 79 5 4 1 Remote Access and Dial-In 79 5 4 2 Network Security Monitoring 80 5 4 3 Network Connectivity 81 5 4 4 Firewalls and Policy Enforcement Points 83 5 4 5 Internet Security 84 5 4 6 Email Security 85 5 4 7 Personal Email Accounts 86 5 4 8 Testing and Vulnerability Management 86 5 4 9 Peer-to-Peer Technology 87 Cryptography 87 5 5 1 Encryption 87 5 5 2 Public Key Infrastructure 88 5 5 3 Public Key Private Key 90 Malware Protection 91 Product Assurance 92 6 0 DOCUMENT CHANGE REQUESTS 94 7 0 QUESTIONS AND COMMENTS 94 APPENDIX A ACRONYMS 95 APPENDIX B GLOSSARY 101 APPENDIX C REFERENCES 106 APPENDIX D DOCUMENT CHANGE HISTORY 109 iv v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 0 INTRODUCTION This document articulates the Department of Homeland Security DHS Information Security Program policies for sensitive systems Procedures for implementing these policies are outlined in a companion publication DHS 4300A Sensitive Systems Handbook The handbook serves as a foundation for Components to develop and implement their information security programs The baseline security requirements BLSRs included in the handbook must be addressed when developing and maintaining information security documents 1 1 Information Security Program The DHS Information Security Program provides a baseline of policies standards and guidelines for DHS Components This document provides direction to managers and senior executives for managing and protecting sensitive systems It also outlines policies relating to management operational and technical controls necessary for ensuring confidentiality integrity availability authenticity and nonrepudiation within the DHS information system infrastructure and operations Policy elements are designed to be broad in scope Specific implementation information can often be found in specific National Institute for Standards and Technology NIST publications such as NIST Special Publication SP 800-53 Recommended Security Controls for Federal Systems and Organizations The policies and direction contained in this document apply to all DHS Components Information security policies and implementing procedures for National Security Systems are covered in separate publications DHS National Security Systems Policy Directive 4300B and DHS 4300B National Security Systems Handbook These publications are available on the DHS Chief Information Security Officer CISO website Policy elements are effective when issued Any policy elements that have not been implemented within ninety 90 days shall be considered a weakness and either a system or program Plan of Action and Milestones POA M must be generated by the Component for the identified weaknesses Whenever the DHS Security Compliance tools Risk Management System RMS and TrustedAgent FISMA TAF require updating to reflect policy element changes tool changes shall be available to the Department within forty-five 45 days of the policy changes 1 2 Authorities The following list provides the authoritative references for the DHS sensitive information security program Additional references are located in Appendix C of this document • Public Law 107-347 E-Government Act of 2002 including Title III Federal Information Security Management Act FISMA • Office of Management and Budget OMB Circular A-130 Management of Federal Information Resources • DHS Management Directive MD 140-01 Information Technology Security Services • NIST Federal Information Processing Standards FIPS 200 Minimum Security Requirements for Federal Information and Information Systems • NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations 1 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 3 Policy Overview DHS information security policies delineate the security management structure and foundation to measure progress and compliance Policies in this document are organized under three areas • Management Controls – Focus on managing both the system information security controls and system risk These controls consist of risk mitigation techniques and concerns normally addressed by management • Operational Controls – Focus on mechanisms primarily implemented and executed by people These controls are designed to improve the security of a particular system or group of systems and often rely on management and technical controls • Technical Controls – Focus on security controls executed by information systems These controls provide automated protection from unauthorized access or misuse They facilitate detection of security violations and support security requirements for applications and data 1 4 Definitions The following definitions apply to the policies and procedures outlined in this document Other definitions may be found in the National Information Assurance IA Glossary as well as the Privacy Incident Handling Guidance and the Privacy Compliance documentation 1 4 1 Classified National Security Information Information that has been determined pursuant to Executive Order 13526 Classified National Security Information to require protection against unauthorized disclosure and is marked to indicate its classified status 1 4 2 National Intelligence Information The following definition is provided in Public Law 108-458 Intelligence Reform and Terrorism Prevention Act of 2004 December 17 2004 “The terms ‘national intelligence’ and ‘intelligence related to national security’ refer to all intelligence regardless of the source from which derived and including information gathered within or outside the United States that – “ A pertains as determined consistent with any guidance issued by the President to more than one United States Government agency and “ B that involves – i threats to the United States its people property or interests ii the development proliferation or use of weapons of mass destruction or iii any other matter bearing on United States national or homeland security ” 1 4 3 National Security Information Information that has been determined pursuant to Executive Order 13526 Classified National Security Information or any predecessor order to require protection against unauthorized disclosure 1 4 4 Foreign Intelligence Information This type of information relates to the capabilities intentions and activities of foreign powers organizations or persons but does not include counterintelligence except for information on international terrorist activities 2 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 4 5 Sensitive Information Sensitive information is information not otherwise categorized by statute or regulation that if disclosed could have an adverse impact on the welfare or privacy of individuals or on the welfare or conduct of Federal programs or other programs or operations essential to the national interest Examples of sensitive information include personal data such as Social Security number trade secrets system vulnerability information pre-solicitation procurement documents such as statements of work and law enforcement investigative methods similarly detailed reports related to computer security deficiencies in internal controls are also sensitive information because of the potential damage that could be caused by the misuse of this information System vulnerability information about a financial system shall be considered Sensitive Financial Information All sensitive information must be protected from loss misuse modification and unauthorized access With the exception of certain types of information protected by statute e g Sensitive Security Information Critical Infrastructure Information there are no specific Federal criteria and no standard terminology for designating types of sensitive information Such designations are left to the discretion of each individual Federal agency “For Official Use Only” FOUO is the term used within DHS to identify unclassified information of a sensitive nature that is not otherwise categorized by statute or regulation DHS will adopt the term “Controlled Unclassified Information” CUI at a later date 1 4 6 Public Information This type of information can be disclosed to the public without restriction but requires protection against erroneous manipulation or alteration e g Public Web sites 1 4 7 Information Technology The Clinger-Cohen Act defines information technology IT as any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition storage manipulation management movement control display switching interchange transmission or reception of data or information by an Executive agency For purposes of the preceding definition “equipment” refers to that used by any DHS Component or contractor if the contractor requires the use of such equipment in the performance of a service or the furnishing of a product in support of DHS The term “information technology” includes computers ancillary equipment software firmware and similar procedures services including support services and related resources The term “information system ” as used within this policy document is equivalent to the term “IT system ” 1 4 8 DHS System A DHS system is any information system that transmits stores or processes data or information and is 1 owned leased or operated by any DHS Component 2 operated by a contractor on behalf of DHS or 3 operated by another Federal state or local Government agency on behalf of DHS DHS systems include general support systems and major applications 1 4 8 1 General Support System A general support system GSS is an interconnected set of information resources under the same direct management control that share common functionality A GSS normally includes hardware 3 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A software information applications communications data and users Examples of a GSS include a local area network LAN including smart terminals that support a branch office a Department-wide backbone a communications network or a Departmental data processing center including its operating system and utilities Note Security for GSS in use at DHS Headquarters shall be under the oversight of the DHS Office of the Chief Information Officer OCIO with support from the DHS Enterprise Operations Center EOC All other GSS shall be under the direct oversight of the respective Component CISOs with support from the appropriate Component Security Operations Center SOC All GSS must have an Information Systems Security Officers ISSO assigned 1 4 8 2 Major Application A major application MA is an automated information system AIS that “requires special attention to security due to the risk and magnitude of harm resulting from the loss misuse or unauthorized access to or modification of the information in the application 1” Note All Federal applications require some level of protection Certain applications because of the information in them however require special management oversight and should be treated as major An MA is distinguishable from a GSS by the fact that it is a discrete application whereas a GSS may support multiple applications Each MA must be under the direct oversight of a Component CISO Information System Security Manager ISSM and must have anISSO assigned 1 4 9 Component A DHS Component is any of the entities within DHS including all DHS offices and independent agencies 1 4 10 Trust Zone A Trust Zone consists of a group of people information resources data systems and or networks subject to a shared security policy set of rules governing access to data and services For example a Trust Zone may be set up between different network segments that require specific usage policies based on information processed such as law enforcement information 1 4 11 Continuity of Operations Internal organizational efforts to ensure that a viable capability exists to continue essential functions across a wide range of potential emergencies through plans and procedures that • Delineate essential functions and supporting information systems • Specify succession to office and the emergency delegation of authority • Provide for the safekeeping of vital records and databases • Identify alternate operating facilities • Provide for interoperable communications • Validate the capability through tests training and exercises 1 OMB Circular A-130 4 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 4 12 Continuity of Operations Plan A plan that provides for the continuity of essential functions of an organization in the event that an emergency prevents occupancy of its primary facility It provides the organization with an operational framework for continuing its essential functions when normal operations are disrupted or otherwise cannot be conducted from its primary facility 1 4 13 Essential Functions Functions that enable Federal Executive Branch agencies to provide vital services exercise civil authority maintain the safety and well being of the general populace and sustain the industrial economic base during an emergency 1 4 14 Vital Records Electronic and hardcopy documents references records databases and information systems needed to support essential functions under the full spectrum of emergencies Categories of these types of records may include • Emergency operating records – emergency plans and directive s orders of succession delegations of authority staffing assignments selected program records needed to continue the most critical agency operations as well as related policy or procedural records • Legal and financial rights records – protect the legal and financial rights of the Government and of the individuals directly affected by its activities Examples include accounts receivable records social security records payroll records retirement records and insurance records These records were formerly defined as “rights-and-interests” records • Records used to perform national security preparedness functions and activities Executive Order E O 12656 1 4 15 Operational Data Operational data is information used in the execution of any DHS mission 1 4 16 Federal Information Security Management Act FISMA requires each agency to develop document and implement an agency-wide information security program to provide a high-level of security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency contractor or other source Statutory requirements include 1 Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access use disclosure disruption modification or destruction of information and information systems that support the operations and assets of the agency 2 Policies and procedures that a Are based on the risk assessments required by paragraph 1 above b Cost-effectively reduce information security risks to an acceptable level c Ensure that information security is addressed throughout the life cycle of each agency information system d Ensure compliance with 5 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A i Other Federal policies and procedures as may be prescribed by OMB and NIST or other agencies when appropriate ii Minimally acceptable system configuration requirements as determined by the agency iii Any other applicable requirements including standards and guidelines for national security systems issued in accordance with law and as directed by the President 3 Subordinate plans for providing adequate information security for networks facilities and systems or groups of information systems as appropriate 4 Security awareness to inform personnel including contractors others working on behalf of DHS and other users of information systems that support operations and assets of the Department of a Information security risks associated with their activities b Their responsibilities in complying with agency policies and procedures designed to reduce these risks 5 Periodic testing and evaluation of the effectiveness of information security policies procedures and practices to be performed with a frequency depending on risk but no less than annually This testing a Shall include testing of management operational and technical controls of every information system identified in the Department’s inventory b May include testing relied on by the Office of Inspector General 6 A process for planning implementing evaluating and documenting remedial actions to address any deficiencies in the information security policies procedures and practices of the Department 7 Procedures for detecting reporting and responding to security incidents consistent with standards and guidelines promulgated by the United States Computer Emergency Readiness Team US-CERT a Mitigating risks associated with incidents before substantial damage is done b Notifying and consulting with the US-CERT c Notifying and consulting with i Law enforcement agencies and relevant Offices of Inspector General ii An office designated by the President for any incident involving a national security system iii Other agency or offices as required 8 Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the Department 6 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A FISMA requires the Chief Information Officer CIO to designate a senior agency information security official who shall develop and maintain a Department-wide information security program as required by the statute Responsibilities include • Developing and maintaining information security policies procedures and control techniques to address all applicable requirements • Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities • Assisting senior Department officials concerning their responsibilities under the statute • Ensuring that the Department has trained personnel sufficient to assist the Department in complying with the requirements of this subchapter and related policies procedures standards and guidelines and • Ensuring that the Department CIO in coordination with other senior Department officials reports annually to the Department head on the effectiveness of the Department information security program including progress of remedial actions 1 4 17 Personally Identifiable Information Personally Identifiable Information PII is any information that permits the identity of an individual to be directly or indirectly inferred including any information which is linked or linkable to that individual regardless of whether the individual is a U S Citizen lawful permanent resident a visitor to the U S or employee or contractor to the Department 1 4 18 Sensitive Personally Identifiable Information Sensitive PII is PII which if lost compromised or disclosed without authorization could result in substantial harm embarrassment inconvenience or unfairness to an individual Examples of Sensitive PII include Social Security numbers alien number A-number criminal history information and medical information Sensitive PII requires stricter handling guidelines due to the sensitivity of the information 1 4 19 Privacy Sensitive System A Privacy Sensitive System is any system that collects uses disseminates or maintains PII or Sensitive PII 1 4 20 Strong Authentication Strong authentication is a layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information 1 4 21 Two-Factor Authentication Authentication can involve something the user knows e g a password something the user has e g a smart card or something the user “is” e g a fingerprint or voice pattern Single-factor authentication uses only one of the three forms of authentication while two-factor authentication uses any two of the three forms Three-factor authentication uses all three forms 7 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 5 Waivers and Exceptions 1 5 1 Waivers Components may request waivers to or exceptions from any portion of this policy for up to six 6 months any time they are unable to fully comply with policy requirements Requests are made through the Component’s ISSO for the system to the Component’s CISO ISSM and then to the DHS CISO All submitters shall coordinate with the AO prior to submission If a material weakness is reported in an audit report and the control weakness is not scheduled to be remediated within twelve 12 months the Component must submit a waiver request to the DHS CISO If the material weakness is against a financial system the Component Chief Financial Officer CFO must also approve the waiver request before sending to the DHS CISO In all cases waivers shall be requested for an appropriate period based on a reasonable remediation strategy 1 5 2 Exceptions Components may request an exception whenever they are unable to bring a system control weakness into compliance or when it requires a permanent exception to DHS policy Exceptions are generally limited to systems that are unable to comply due to detrimental impact to mission excessive costs and or clearly documented end of platform life for non-essential systems within eighteen 18 months commercial-off-the-shelf COTS products that cannot be configured to support the control requirement This request is made through the Component CISO ISSM to the DHS CISO All submitters shall coordinate with the AO prior to submission The resulting risk also must be approved and accepted by the Authorizing Official AO and by the Component CFO if the system is a financial or mixed financial system 1 5 3 Waiver or Exception Requests The Waivers and Exceptions Request Form located in Attachment B of the DHS 4300A Sensitive Systems Handbook shall be used Component ISSOs audit liaisons and others may develop the waiver or exception request but the System Owner shall submit the request through the Component’s CISO ISSM Waiver requests shall include the operational justification document mission impact risk acceptance risk mitigation measures and a POA M for bringing the system procedures or control weakness into compliance Exception requests shall include the operational justification document mission impact as well as efforts to mitigate the risk based to include descriptions of counter measures or compensating controls currently in place Any waiver or exception requests for CFO Designated Systems must be submitted to and approved by the Component’s CFO prior to the DHS CFO’s submission to the DHS CISO Any waiver or exception requests for Privacy Sensitive Systems must be submitted to and approved by the Component’s Privacy Officer or Senior Privacy Point of Contact PPOC prior to being submitted to the DHS CISO All approved waiver and exception requests must be directed through the Component’s CISO ISSM who will in turn direct it to the DHS CISO 8 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 1 5 3 a Systems without an Authorization to Operate ATO when this policy is issued shall comply with all of its policy statements or obtain appropriate waivers and or exceptions PL-1 1 5 3 b Systems with an ATO when this policy is issued shall comply with all of its policy statements within ninety 90 days or obtain appropriate waivers and or exceptions A new ATO is only required for significant changes PL-1 1 5 3 c Each waiver or exception request shall include the system name and system TrustedAgent FISMA TAF Inventory ID operational justification and risk mitigation CM-3 1 5 3 d Components shall request a waiver whenever they are temporarily unable to comply fully with any portion of this policy CA-2 1 5 3 e All waiver requests shall identify the POA M for bringing the system or program into compliance CA-5 PM-4 1 5 3 f The Component CISO ISSM shall approve all waiver requests prior to submitting them to the DHS CISO CA-6 1 5 3 g Requests submitted without sufficient information shall be returned for clarification prior to making a decision CA-6 1 5 3 h A waiver shall be issued for six 6 months or less The DHS CISO reserves the right to issue waivers for longer than six 6 months in exceptional situations Waivers may be renewed by following the same process as in the initial request CA-2 1 5 3 i The Head of the Component shall approve any waiver request that results in a total waiver time exceeding twelve 12 months before sending it to the DHS CISO The waiver shall also be reported as a material weakness in the Component’s FISMA report 1 5 3 j Components shall request an exception whenever they are permanently unable to comply fully with any portion of this policy CA-2 1 5 3 k All approved waivers shall be reported in the Component’s FISMA report CA-6 1 5 3 l The DHS CFO shall approve all requests for waivers and exceptions for financial systems prior to their submission to the DHS CISO CA-6 1 5 3 m The Component’s Privacy Officer or Senior PPOC shall approve all requests for waivers and exceptions for Privacy Sensitive Systems prior to their submission to the DHS CISO 9 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 1 5 4 U S Citizen Exception Requests Special procedures apply for exception to the requirement that persons accessing DHS systems be U S Citizens Under normal circumstances only U S Citizens are allowed access to DHS systems and networks however at times there is a need to grant access to foreign nationals Access for foreign nationals is normally a long-term commitment and exceptions to appropriate policies are treated separately from standard exceptions and waivers The approval chain for an exception to the U S Citizenship requirement flows through the Component Head the Office of Security and the CIO An electronic form for requesting exceptions to the U S Citizenship requirement is published in Attachment J of the DHS 4300A Sensitive Systems Handbook Policy ID DHS Policy Statements Relevant Controls 1 5 4 a Persons of dual citizenship where one of the citizenships includes U S Citizenship shall be treated as U S Citizens for the purposes of this directive --- 1 5 4 b The System Owner shall submit each request for exception to the U S Citizenship policy to the Component Head The Component Head shall obtain concurrence from the DHS Chief Security Officer CSO and CIO prior to the approval becoming effective PS-3 1 5 4 c Additional compensating controls shall be maintained for foreign nationals based on nations lists maintained by the DHS CSO PS-3 1 6 Information Sharing and Electronic Signature The DHS Enterprise Operations Center EOC exchanges information with Component SOCs Network Operations Centers NOCs the Homeland Secure Data Network HSDN SOC the Intelligence Community and with external organizations in order to facilitate the security and operation of the DHS network This exchange enhances situational awareness and provides a common operating picture to network managers The operating picture is developed from information obtained from “raw” fault configuration management accounting performance and security data This data is monitored collected analyzed processed and reported by the NOCs and SOCs The DHS EOC is responsible for communicating other information such as incident reports notifications vulnerability alerts and operational statuses to the Component SOCs Component CISOs ISSMs or other identified Component points of contact The DHS EOC portal implements role-based user profiles that allow Components to use the website’s incident database capabilities Users assigned to Component groups shall be able to perform actions such as • Entering incident information into the DHS EOC incident database • Generating preformatted incident reports • Initiating queries of the incident database • Viewing FISMA incident reporting numbers 10 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Automating portions of the Information Security Vulnerability Management ISVM program • Automating portions of the vulnerability assessment program Policy ID 1 7 DHS Policy Statements Relevant Controls 1 6 a For DHS purposes electronic signatures are preferred to pen and ink or facsimile signatures in all cases except where pen and ink signatures are required by public law Executive Order or other agency requirements --- 1 6 b Components are encouraged to use electronic signatures whenever possible --- 1 6 c Components shall accept electronic signatures whenever the signature’s digital certificate is current electronically verifiable and issued by a medium or high assurance DHS Certification Authority CA or other medium or high CA under the Federal Bridge Certification Authority FBCA or Common Authority --- 1 6 d DHS and Component systems shall be able to verify PIV credentials issued by other Federal agencies Changes to Policy Procedures and guidance for implementing this policy are outlined in a companion publication DHS 4300A Sensitive Systems Handbook with attachments The handbook serves as a foundation for Components to use in developing and implementing their information security programs For interpretation or clarification of DHS information security policies found in this policy document and of the procedures and guidance found in the DHS 4300A Sensitive Systems Handbook contact the DHS CISO at infosec@dhs gov Changes to this policy and to the handbook may be requested by submitting the form included in DHS 4300A Sensitive Systems Handbook Attachment P – Document Change Requests to the respective ISSM CISO Policy ID DHS Policy Statements Relevant Controls 1 7 a The DHS CISO shall be the authority for interpretation clarification and modification of the DHS Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook inclusive of all appendices and attachments PL-1 1 7 b The DHS CISO shall update the DHS Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook at least annually PL-1 11 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 2 0 ROLES AND RESPONSIBILITIES Security is an inherently Governmental responsibility contractors others working on behalf of DHS and other sources may assist in the performance of security functions but a DHS employee must always be designated as the responsible agent for all security requirements and functions This section outlines the roles and responsibilities for implementing these requirements 2 1 Information Security Program Roles Designated personnel play a major role in the planning and implementation of information security requirements Roles directly responsible for information system security are described in the following subsections 2 1 1 DHS Senior Agency Information Security Officer Policy ID 2 1 1 a DHS Policy Statements Relevant Controls The DHS CISO shall perform the duties and responsibilities of the DHS Senior Agency Information Security Officer SAISO PL-1 PM-2 2 1 2 DHS Chief Information Security Officer The DHS CISO shall implement and manage the DHS Information Security Program to ensure compliance with applicable Federal laws Executive Orders directives policies and regulations The DHS CISO reports directly to the DHS CIO and is the principal advisor for information security matters Policy ID DHS Policy Statements 2 1 2 a The DHS CISO shall implement and manage the DHS-wide Information Security Program 2 1 2 b The DHS CISO will serve as the CIO’s primary liaison with the organization’s authorizing officials information system owners and ISSOs Relevant Controls PL-1 PM-2 --- The DHS CISO Implements and manages the Department-wide Information Security Program and ensures compliance with FISMA OMB and other Federal requirements • Issues Department-wide information security policy guidance and architecture requirements for all DHS systems and networks These policies shall incorporate NIST guidance as well as all applicable OMB memoranda and circulars • Facilitates development of subordinate plans for providing adequate information security for networks facilities and systems or groups of information systems 12 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Serves as the principal Departmental liaison with organizations outside the DHS for matters relating to information security • Reviews and approves the tools techniques and methodologies planned for use in certifying and accrediting DHS systems and for reporting and managing systems-level FISMA data This includes Security Assessment plans Contingency Plans and security risk assessments • Consults with the DHS CSO on matters pertaining to physical security personnel security information security investigations and Sensitive Compartmented Information SCI systems as they relate to information security and infrastructure • Develops and implements procedures for detecting reporting and responding to information security incidents • Ensures preparation and maintenance of plans and procedures to provide continuity of operations for information systems • Ensures that Department personnel contractors and others working on behalf of DHS receive appropriate information security awareness • Chairs the CISO Council This Council is comprised of all Component CISOs and is the Department’s sole coordination body for any issues associated with information security policy management and operations Component ISSMs will be invited to CISO Council meetings as required • Maintains a comprehensive inventory of all GSS and MA in use within the Department o Security management for every GSS shall be under the direct oversight of either the DHS CISO for enterprise systems or a Component CISO ISSM for Component-specific general support systems o MAs must be under the direct control of either a Component CISO or Component ISSM • Maintains a repository for all Information Assurance IA Security Authorization process documentation and modifications • Performs security reviews for all planned information systems acquisitions over $2 5 million and additional selected cases • Provides oversight of all security operations functions within the Department • Maintains classified threat assessment capability in support of security operations • Performs annual program assessments for each of the Components • Performs periodic compliance reviews for selected systems and applications • Publishes monthly compliance scorecards • Delegates specific authorities and responsibilities for maintaining a high degree of compliance to Component CISOs and ISSMs as appropriate • Reports annually to the Secretary on the effectiveness of the Department information security program including progress of remedial actions This report provides the primary basis for the Secretary’s annual FISMA report to both OMB and to the United States Congress 13 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Assists senior Department officials concerning their responsibilities under FISMA • Heads an office with the mission and resources to assist in ensuring Department compliance with information security requirements • Appoints a DHS employee to serve as the Headquarters CISO • Appoints a DHS employee to serve as the Office of Intelligence and Analysis I A CISO • Provide operational direction to the DHS SOC 2 1 3 Component Chief Information Security Officer The Component CISO implements and manages all aspects of the Component Information Security Program to ensure compliance with DHS policy and guidance that implement FISMA other laws and Executive Orders Policy ID DHS Policy Statements Relevant Controls 2 1 3 a Component CISOs shall develop and maintain a Component-wide information security program in accordance with the DHS security program PL-1 PM-2 2 1 3 b All Components shall be accountable to the appropriate CISO Components without a fulltime CISO shall be responsible to the HQ CISO The following Components shall have a fulltime CISO • Customs and Border Protection • Immigration and Customs Enforcement • Transportation Security Administration • United States Secret Service • United States Coast Guard • Federal Emergency Management Agency • United States Citizenship and Immigration Services • Federal Law Enforcement Training Center • Headquarters Department of Homeland Security • Intelligence and Analysis Component CISOs • Oversee the Component information security program • Ensure that the Component CIO is kept apprised of all pertinent matters involving the security of information systems 14 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Ensure that information security-related decisions and information including updates to the 4300 series of information security publications are distributed to the ISSOs and other appropriate persons within their Component • Approve and or validate all Component information system security reporting • Consult with the Component Privacy Officer or PPOC for reporting and handling of privacy incidents • Manage information security resources including oversight and review of security requirements in funding documents • Review and approve the security of hardware and software prior to implementation into the Component SOC • Provide operational direction to the Component SOC • Periodically test the security of implemented systems • Implement and manage a POA M process for remediation by creating a POA M for each known vulnerability • Ensure that ISSOs are appointed for each information system managed at the Component level Review and approve ISSO appointments • Ensure that weekly incident reports are submitted to the DHS EOC • Acknowledge receipt of ISVM messages report compliance with requirements or notify the granting of waivers • Manage Component firewall rule sets • Ensure that Interconnection Security Agreements ISAs are maintained for all connections between systems that do not have the same security policy • Ensure execution of the DHS Logging Strategy detailed in the DHS 4300A Sensitive Systems Handbook • Ensure adherence to the DHS Secure Baseline Configuration Guides DHS 4300A Sensitive Systems Handbook Enclosure 1 • Ensure reporting of vulnerability scanning activities to the DHS EOC as detailed in Attachment O Vulnerability Management Program of DHS 4300A Sensitive Systems Handbook • Develop and maintain a Component-wide information security program in accordance with Department policies and guidance • Implement Department information security policies procedures and control techniques to address all applicable requirements • Ensure training and oversight for personnel with significant responsibilities for information security • Oversee the Security Authorization process for GSSs and MAs in use within the Component o Maintain an independent Component-wide Assessment program to ensure a consistent approach to testing of effectiveness of controls 15 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A o Ensure that an appropriate SOC performs an independent network assessment as part of the assessment process for each application that is accredited o Ensure that enterprise security tools are utilized • Exercise oversight over all Component security operations functions including the Component SOCs Ensure that eternal providers who operate information systems on behalf of the Component meet the same security requirements as the Component with an acceptable level of trust in the external service or else use compensating controls to constrain the nature of information or the process flow accept a greater degree of risk or decline the service and reduce functionality Component CISO qualifications include • Possess professional qualifications including training and experience required to administer the functions described including maintaining a Top Secret Sensitive Compartmented Information TS SCI clearance • Have information security duties as that official’s primary duty • Participate in the DHS CISO Council chaired by the DHS CISO • Head an office with the mission and resources to assist in ensuring Component compliance with this directive and to coordinate develop implement and maintain an organization-wide information security program • Serve as the Component Risk Executive 2 1 4 Component Information Systems Security Manager Components that are not required to have a fulltime CISO shall have a fulltime Information Systems Security Manager ISSM The ISSM is designated in writing by the Component CIO with the concurrence of the HQ CISO Policy ID DHS Policy Statements Relevant Controls 2 1 4 a Component ISSMs shall serve as the principal interface between the HQ CISO Component ISSOs and other security practitioners --- 2 1 4 b The Component ISSM shall work directly with the HQ CISO --- The ISSM plays a critical role in ensuring that the DHS Information Security Program is implemented and maintained throughout the Component Component ISSMs • Oversee the Component information security program • Ensure that the Component CIO and HQ CISO are kept apprised of all pertinent matters involving the security of information systems 16 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Ensure that information security-related decisions and information including updates to the 4300 series of information security publications are distributed to the ISSOs and other appropriate persons within their Component • Validate all Component information system security reporting • Consult with the Component Privacy Officer or PPOC for reporting and handling of privacy incidents • Manage information security resources including oversight and review of security requirements in funding documents • Periodically test the security of implemented systems • Implement and manage a POA M process for remediation by creating a POA M for each known vulnerability • Ensure that ISSOs are appointed for each information system managed at the Component level • Ensure that weekly incident reports are forwarded to the HQ CISO • Acknowledge receipt of Information Security Vulnerability Management ISVM messages report compliance with requirements or notify the granting of waivers • Ensure adherence to the DHS Secure Baseline Configuration Guides DHS 4300A Sensitive Systems Handbook Enclosure 1 • Develop and publish procedures necessary to implement the requirements of DHS information security policy within the appropriate Component • Implement Department information security policies procedures and control techniques to address all applicable requirements • Ensure training and oversight for personnel with significant responsibilities for information security • Oversee the Security Authorization process for MAs in use within the Component o Maintain an independent Component-wide ST E Program to ensure a consistent approach to testing of effectiveness of controls o Ensure that an appropriate SOC performs an independent network assessment as part of the ST E process for each application that is accredited o Ensure that enterprise security tools are utilized 2 1 5 Risk Executive A Risk Executive ensures that risks are managed consistently across the organization In keeping with its organizational structure DHS has two levels of Risk Executives – Departmental and Component The risk executive provides a holistic view of risk beyond that associated with the operation and use of individual information systems Risk Executive inputs are documented and become part of the security authorization decision All DHS Risk Executives 17 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Ensure that managing information system-related security risks is consistent across the organization reflects organizational risk tolerance and is performed as part of an organization-wide process that considers other organizational risks affecting mission business success • Ensure that information security considerations for individual information systems including the specific authorization decisions for those systems are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization • Provide visibility into the decisions of authorizing officials and a holistic view of risk to the organization beyond the risk associated with the operation and use of individual information systems • Facilitate the sharing of security-related and risk-related information among authorizing officials and other senior leaders within the organization in order to help these officials consider all types of risks that may affect mission and business success and the overall interests of the organization at large The DHS Risk Executive develops information security policy establishes the standards for system security risk oversees risk management and monitoring and approves all waivers and exceptions to DHS policy The Component Risk Executives may establish standards for system security risk more stringent than the DHS standard They implement the system security risk management and monitoring program and submit requests for higher-risk deviations from the enterprise standard Policy ID DHS Policy Statements Relevant Controls 2 1 5 a The DHS CIO shall be the DHS Risk Executive The DHS CISO has been designated by the DHS CIO as the Risk Executive PL-1 PM-9 2 1 5 b Each Component CISO shall be the Risk Executive within his or her Component PL-1 PM-9 2 1 5 c The Risk Executive shall perform their duty in accordance with NIST SP 80037 2 1 6 Authorizing Official The Authorizing Official AO formally assumes responsibility for operating an information system at an acceptable level of risk He or she shall be a senior management official and a Federal employee or military member The Authorizing Official will also assign the Security Control Assessor for the system Policy ID 2 1 6 a DHS Policy Statements The DHS CIO shall act as the AO for enterprise information systems or shall designate one in writing 18 v8 0 March 14 2011 Relevant Controls CA-6 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 2 1 6 b The Component CIO shall act as the AO for Component information systems or shall designate one in writing CA-6 2 1 6 c Every system shall have a designated AO An AO may be responsible for more than one system CA-6 2 1 6 d The AO shall review and approve any individual requiring administrator privileges The AO may delegate this duty to the appropriate system owner or Program Manager AC-2 2 1 6 e The AO shall be responsible for acceptance of resulting risk to organizational operations and assets individuals other organizations and the Nation CA-6 2 1 6 f The AO shall periodically review security status to determine if risk remains acceptable CA-6 2 1 6 g The AO shall perform additional duties in accordance with NIST SP 800-37 CA-6 2 1 7 Security Control Assessor The Security Control Assessor is a senior management official who certifies the results of the security assessment A Certifying Official is assigned in writing to each information system by an appropriate Component official typically the Component Head or Component CIO He or she shall be a Federal employee The Security Control Assessor and the team conducting a certification must be impartial that is free from any perceived or actual conflicts of interest with respect to the developmental operational and or management chain of command associated with the information system or to the determination of security control effectiveness For systems with low impact a Security Control Assessor and or certifying team do not need to be independent so long as assessment results are carefully reviewed and analyzed by an independent team of experts to validate their completeness consistency and veracity The AO decides the required level of certifier independence based on the criticality and sensitivity of the information system and the ultimate risk to organizational operations organizational assets and individuals The AO determines if the level of certifier independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make credible risk-based decisions Policy ID DHS Policy Statements Relevant Controls 2 1 7 a The Component CISO shall serve as Security Control Assessor when no other person has been officially designated CA-2 2 1 7 b A Security Control Assessor may be responsible for more than one system CA-2 19 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 2 1 7 c The Security Control Assessor may take the lead for any or all remedial actions CA-7 2 1 7d The Security Control Assessor provides an assessment of the severity of weaknesses or deficiencies in the information systems and clarifies they prepare the final security assessment report containing the results and findings from the assessment but not making a risk determination CA-7 2 1 8 Information Systems Security Officer An ISSO performs security actions for an information system There is only one ISSO designated to a system but multiple Alternate ISSOs may be designated to assist the ISSO While the ISSO performs security functions the System Owner is always responsible for information system security See DHS 4300A Sensitive Systems Handbook Attachment C – Information Systems Security Officer ISSO Designation Letter Policy ID DHS Policy Statements Relevant Controls 2 1 8 a An ISSO shall be designated for every information system and serve as the point of contact POC for all security matters related to that system PL-1 2 1 8 b An ISSO shall ensure the implementation and maintenance of security controls in accordance with the Security Plan SP and DHS policies PL-1 2 1 8 c An ISSO may be a DHS employee or a contractor PL-1 2 1 8 d An ISSO may be assigned to more than one system PL-1 2 1 8 e ISSO duties shall not be assigned as collateral duties unless approved by the Component CISO PL-1 2 1 8 f The ISSO shall have a clearance greater than or equal to the highest level of information contained on the system The minimum clearance for an ISSO shall be Secret 2 2 Other Roles Roles related to but not directly responsible for information system security are described in the following subsections 2 2 1 Secretary of Homeland Security The Secretary of Homeland Security is responsible for fulfilling the Department’s mission which includes ensuring that DHS information systems and their data are protected in 20 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A accordance with Congressional and Presidential directives The Secretary’s role with respect to information system security is to allocate adequate resources To that end the Secretary • Ensures that DHS implements its Information Security Program throughout the life cycle of each DHS system • Submits 1 the DHS CIO’s assessment of the adequacy and effectiveness of the Department’s information security procedures practices and FISMA compliance 2 the results of an annual independent information security program evaluation performed by the DHS Office of the Inspector General OIG and 3 the Senior Agency Official for Privacy’s SAOP annual assessment of the Department’s privacy policies procedures and practices to the Director of OMB • Provides information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access use disclosure disruption modification or destruction of information collected or maintained by or on behalf of the Department and on information systems used or operated by the Department or by a contractor or other organization on behalf of the Department • Ensures that an information security program is developed documented and implemented to provide security for all systems networks and data that support the Department’s operations • Ensures that information security processes are integrated with strategic and operational planning processes to secure the Department’s mission • Ensures that senior agency officials within the Department are given the necessary authority to secure the operations and assets under their control • Delegates authority to the CIO to ensure compliance with applicable information security requirements 2 2 2 Under Secretaries and Heads of DHS Components The Under Secretaries and the heads of DHS Components are responsible for oversight of the Component information security program including appointing CIOs Persons filling this role allocate adequate resources to information systems for information system security Policy ID 2 2 2 a DHS Policy Statements The Under Secretaries of Homeland Security and Heads of Components shall ensure that information systems and their data are sufficiently protected Relevant Controls PL-1 Under Secretaries and the Heads of DHS Components • Appoint CIOs • Ensure that an Information Security Program is established and managed in accordance with DHS policy and implementation directives 21 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Ensure that the security of information systems is an integral part of the life cycle management process for all information systems developed and maintained within their Components • Ensure that adequate funding for information security is provided for Component information systems and that adequate funding requirements are included for all information systems budgets • Ensure that information system data are entered into the appropriate DHS Security Management Tools to support DHS information security oversight and FISMA reporting requirements • Ensure that the requirements for an information security performance metrics program are implemented and the resulting data maintained and reported 2 2 3 DHS Chief Information Officer The DHS CIO is the senior agency executive responsible for all DHS information systems and their security as well as for ensuring FISMA compliance Policy ID DHS Policy Statements Relevant Controls 2 2 3 a The DHS CIO shall develop and maintain the DHS Information Security Program PL-1 2 2 3 b The DHS CIO designates the DHS CISO PL-1 The DHS CIO • Oversees the development and maintenance of a Department-wide information security program • Appoints a DHS employee in writing to serve as the DHS CISO • Serves as the AO for DHS enterprise information systems This responsibility may be delegated in writing as appropriate • Participates in developing DHS performance plans including descriptions of the time periods and budget staffing and training resources required to implement the Department-wide security program • Ensures that all information systems acquisition documents including existing contracts include appropriate information security requirements and comply with DHS information security policies • Ensures that DHS security programs integrate fully into the DHS enterprise architecture and capital planning and investment control processes • Ensures that System Owners understand and appropriately address risks including interconnectivity with other programs and systems outside their control • Reviews and evaluates the DHS Information Security Program annually 22 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Ensures that an information security performance metrics program is developed implemented and funded • Reports to the DHS Under Secretary for Management on matters relating to the security of DHS systems • Ensures compliance with applicable information security requirements • Heads an office with the mission and resources to assist in ensuring Component compliance with the DHS Information Security Program • Coordinates and advocates resources for enterprise security solutions • Leads the DHS Contingency Planning program 2 2 4 Component Chief Information Officer The Component CIO is responsible for Component information systems and their security as well as for ensuring FISMA compliance within the Component Policy ID 2 2 4 a DHS Policy Statements Relevant Controls The Component CIO shall develop and maintain the Component Information Security Program PL-1 PM-1 Component CIOs • Establish and oversee their Component information security programs • Ensure that an AO has been appointed for all Component information systems and serve as the AO for any information system where an AO has not been appointed or where a vacancy exists • Ensure that information security concerns are addressed by Component Configuration Control Boards Enterprise Architecture Board EAB and Acquisition Review Board ARB Investment Review Board IRB • Ensure that an accurate information systems inventory is established and maintained • Ensure that all information systems acquisition documents including existing contracts include appropriate information security requirements and comply with DHS information security policies • Ensure that System Owners understand and appropriately address risks including interconnectivity with other programs and systems outside their control • Ensure that an information security performance metrics program is developed implemented and funded • Advise the DHS CIO of any issues regarding infrastructure protection vulnerabilities or issues that may cause public concern or loss of credibility • Ensure that incidents are reported to the DHS EOC within reporting time requirements as defined in Attachment F Incident Response of the DHS Sensitive Systems Handbook 23 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • Work with the DHS CIO and Public Affairs Office in preparation for public release of security incident information The DHS CIO or designated representative has sole responsibility for public release of security incident information • Ensure compliance with DHS information systems security policy • Coordinate and advocate resources for information security enterprise solutions The following Component CIOs shall appoint a CISO and ensure that the CISO has resources to assist with Component compliance with policy CISOs shall be DHS employees • Customs and Border Protection • Immigration and Customs Enforcement • Transportation Security Administration • United States Secret Service • United States Coast Guard • Federal Emergency Management Agency • United States Citizenship and Immigration Services • Federal Law Enforcement Training Center All other Component CIOs • Ensure that Component ISSMs have been appointed and provide the resources and qualified personnel to ensure Component compliance with DHS security policy 2 2 5 DHS Chief Security Officer The DHS Chief Security Officer CSO implements and manages the DHS Security Program for DHS facilities and personnel The CSO is a senior agency official who reports directly to the Deputy Secretary on all matters pertaining to facility and personnel security within the DHS Policy ID DHS Policy Statements Relevant Controls 2 2 5 a DHS information systems that control physical access shall be approved to operate in accordance with this policy document whether they connect to other DHS information systems or not CA-1 2 2 5 b The DHS CSO shall be the AO for all systems automating or supporting physical access controls or shall appoint an AO for each of those systems CA-6 2 2 6 DHS Chief Privacy Officer The DHS Chief Privacy Officer is the head of the DHS Privacy Office and oversees privacy activities throughout DHS including creating and ensuring compliance with privacy policy The DHS Chief Privacy Officer assists the Component Privacy Officers and Privacy Points of Contact PPOC with privacy policy compliance at the Component level 24 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A The DHS Chief Privacy Officer implements and manages the DHS Privacy Program including creating DHS privacy policy and ensuring compliance with privacy policy The DHS Chief Privacy Officer is responsible for DHS privacy policy and its compliance The DHS Chief Privacy Officer assists the Component Privacy Officers and PPOC with policy compliance at the Component level Policy ID 2 2 6 a DHS Policy Statements Relevant Controls The Chief Privacy Officer shall review program and system Privacy Threshold Analyses PTA Privacy Impact Assessments PIA and System of Records Notices SORN providing approval as appropriate PL-1 PL-5 The Chief Privacy Officer as the senior official • Oversees privacy incident management • Responds to suspected or confirmed privacy incidents or incidents involving PII • Coordinates with the DHS CIO DHS CISO the DHS EOC and senior management regarding privacy incidents • Convenes and chairs incident response teams such as the Privacy Incident Response Team PIRT and the Core Management Group CMG • Approves program and system PTAs PIAs and SORNs • Designates Privacy Sensitive Systems based on validated PTAs Privacy Sensitive Systems are those that maintain PII • Provides Department-wide annual and refresher privacy training 2 2 7 DHS Chief Financial Officer The DHS CFO implements and manages the DHS Financial Program including oversight of DHS financial systems The DHS CFO designates financial systems and oversees security control definitions for financial systems Policy ID DHS Policy Statements Relevant Controls 2 2 7 a The DHS CFO shall be the AO for all financial systems managed at the DHS level CA-6 2 2 7 b The Component CFO shall be the AO for all financial systems managed by the Component CA-6 2 2 7 c The DHS CFO shall designate the financial systems that fall under the DHS CFO mandated policy statements CA-6 25 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 2 2 7 d DHS Policy Statements The DHS CFO shall publish a comprehensive list of designated financial systems during the fourth quarter of every fiscal year This list shall be referred to as the CFO Designated Systems List Relevant Controls CA-6 All systems on the CFO Designated Systems List are required to conform with the policies defined in Sections 3 5 1 and 3 15 2 2 8 Program Managers Program Managers ensure compliance with applicable Federal laws and DHS policy directives governing the security operation maintenance and privacy protection of information systems information projects and programs under their control Program Managers are responsible for program-level POA Ms that may impact one or more systems Policy ID DHS Policy Statements Relevant Controls 2 2 8 a Program Managers shall ensure that program POA Ms are prepared and maintained CA-5 PM-4 2 2 8 b Program Managers shall prioritize security weaknesses for mitigation CA-5 2 2 8 c Program Managers shall provide copies of program POA Ms to affected System Owners CA-5 PM-4 2 2 8 d Program Managers shall ensure that POA Ms address the following  known vulnerabilities in the information system  the security categorization of the information system  the specific weaknesses or deficiencies in the information system security controls  the importance of the identified security control weakness or deficiencies  the Component’s proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security controls CA-5 the Component’s rationale for accepting certain weaknesses or deficiencies in the security controls 2 2 9 System Owners System Owners use information technology to help achieve the mission needs within their program area of responsibility They are responsible for the successful operation of the information systems and programs within their program area and are ultimately accountable for their security All systems require a System Owner designated in writing for proper administration of security 26 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 2 2 9 a System Owners shall ensure that each of their systems is deployed and operated in accordance with this policy document PL-1 2 2 9 b System Owners shall ensure that an ISSO is designated in writing for each information system under their purview PL-1 2 2 9 c There shall be only one System Owner designated for each DHS system PL-1 2 2 9 d The Information System Owner shall information security compliance development and maintenance of security plans user security training notifying officials of the need for security authorization and need to resource CA-2 2 2 9 e System Owners shall ensure development of a POA M to address weaknesses and deficiencies in the information system and its environment of operation which remain after Security Authorization CA-2 2 2 10 Common Control Provider The Common Control Provider is an organizational official responsible for the planning development implementation assessment authorization and maintenance of common controls 2 2 10 a The Common Control Provider shall document all common controls and PM-1 submit them to the AO and DHS CISO 2 2 10 b The Common Control Provider ensures that required assessments of common controls are carried out by qualified assessors with the appropriate level of independence PM-1 2 2 10 c The Common Control Provider documents assessment findings in a security assessment report PM-1 2 2 10 d The Common Control Provider ensures that POA Ms are developed for PM-4 all controls having weaknesses or deficiencies 2 2 10 e The Common Control Provider shall make available security plans Security Assessment Reports SARs and POA Ms for common controls to information system owners inheriting those controls after the information is reviewed and approved by a senior official 27 v8 0 March 14 2011 PM-1 PM-4 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 2 2 11 DHS Employees Contractors and Others Working on Behalf of DHS DHS employees contractors and others working on behalf of the DHS or its agencies shall follow the appropriate set s of rules of behavior Policy ID 2 2 11 a DHS Policy Statements DHS users shall follow prescribed rules of behavior 28 v8 0 March 14 2011 Relevant Controls PL-4 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 3 0 MANAGEMENT POLICIES 3 1 Basic Requirements Basic security management principles must be followed in order to ensure the security of DHS information resources These principles are applicable throughout the Department and form the cornerstone of the DHS Information Security Program Component CISOs ISSMs shall submit all security reports concerning DHS systems to the Component senior official or designated representative Component CISOs ISSMs shall interpret and manage DHS security policies and procedures to meet Federal Departmental and Component requirements They shall also answer data queries from the DHS CISO and develop and manage information security guidance and procedures unique to Component requirements ISSOs are the primary points of contact for the information systems assigned to them They develop and maintain Security Plans SP and are responsible for overall system security Policy ID DHS Policy Statements Relevant Controls 3 1 a Every DHS computing resource e g desktops laptops servers portable electronic devices shall be individually accounted for as part of a recognized information system CM-8 3 1 b The Component CIO in cooperation with each Component senior official shall be responsible for ensuring that every DHS computing resource is identified as an information system or as a part of an information system major application or general support system CM-8 3 1 c The System Owner or designee shall develop and maintain an SP for each information system Component AOs shall review and approve SPs PL-2 3 1 d An ISSO shall be designated for every information system and serve as the point of contact POC for all security matters related to that system PL-1 3 1 e Component Information Security Programs shall be structured to support DHS and applicable FISMA OMB and other Federal requirements PL-1 3 1 f Information security reports regarding DHS systems shall be submitted to the Component senior official or designated representative --- 3 1 g Component CISOs ISSMs shall ensure that their information systems comply with the DHS Enterprise Architecture EA Technical Reference model TRM and Security Architecture SA or maintain a waiver approved by the DHS CIO CISO 3 1 h The DHS CISO shall issue Department-wide information security policy guidance and architecture requirements for all DHS systems CM-2 CM-6 Component CISOs shall implement DHS information security policies procedures and control techniques to address all applicable requirements PL-1 3 1 i 29 v8 0 March 14 2011 PL-1 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 1 j 3 2 DHS Policy Statements Component CISOs shall develop and manage information security guidance and procedures unique to Component requirements Relevant Controls PL-1 Capital Planning and Investment Control Information security is a business driver and any risks found through security testing are ultimately business risks Information security personnel should be involved to the maximum extent possible in all aspects of the acquisition process including drafting contracts and procurement documents Directive 102-01 Acquisition Management Directive and MD 4200 1 IT Capital Planning and Investment Control CPIC and Portfolio Management provide additional information on these requirements Policy ID DHS Policy Statements Relevant Controls 3 2 a System Owners shall include information security requirements in their CPIC business cases for the current budget year and for the Future Years Homeland Security Program FYHSP for each DHS system PM-3 PM-11 SA-1 3 2 b System Owners or AOs shall ensure that information security requirements and POA Ms are adequately funded resourced and documented in accordance with current OMB budgetary guidance PM-3 PM-4 SA-2 3 2 c Component IRBs ARBs shall not approve any capital investment in which the information security requirements are not adequately defined and funded PM-3 SA-2 3 2 d The DHS CISO shall perform security reviews for planned information system acquisitions over $2 5 million and additional selected cases SA-1 3 2 e Components shall ensure that information security requirements as described within this policy document are included in the acquisition of all DHS systems and services used to input process store display or transmit sensitive information SA-4 3 2 f Procurement authorities throughout the Department shall ensure that Homeland Security Acquisition Regulation HSAR provisions are fully enforced SA-1 SA-4 3 2 g Procurements for services and products involving facility or system access control shall be in accordance with the DHS guidance regarding HSPD-12 implementation 30 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 3 3 Contractors and Outsourced Operations Policy ID 3 4 DHS Policy Statements Relevant Controls 3 3 a All statements of work and contract vehicles shall identify and document the specific security requirements for information system services and operations required of the contractor SA-4 3 3 b Contractor information system services and operations shall adhere to all applicable DHS information security policies SA-9 3 3 c Requirements shall address how sensitive information is to be handled and protected at contractor sites including any information stored processed or transmitted using contractor information systems Requirements shall also include requirements for personnel background investigations and clearances and facility security SA-9 3 3 d Statements of work and contracts shall include a provision stating that upon the end of the contract the contractor shall return all information and information resources provided during the life of the contract and certify that all DHS information has been purged from any contractor-owned system used to process DHS information SA-4 3 3 e Components shall conduct reviews to ensure that the information security requirements are included within the contract language and are implemented and enforced SA-1 3 3 f Security deficiencies in any outsourced operation shall require creation of a program-level POA M SA-9 PM-4 Performance Measures and Metrics Policy ID DHS Policy Statements Relevant Controls 3 4 a The DHS CISO shall define performance measures to evaluate the effectiveness of the DHS information security program --- 3 4 b Components shall provide OMB FISMA data at least monthly to the DHS Compliance Officer --- 3 4 c The DHS CISO shall report annually to the Secretary on the effectiveness of the DHS information security program including the progress of remedial actions --- 3 4 d Components shall utilize the automated tool directed for use by the DHS CISO for Performance Plan reporting --- 31 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 4 e 3 5 DHS Policy Statements The DHS CISO shall collect OMB FISMA data from Components at least quarterly and provide FISMA reports to OMB Relevant Controls --- Continuity Planning for Critical DHS Assets The Continuity Planning for Critical DHS Assets Program is vital to the success of the DHS Information Security Program The Business Impact Assessment BIA which is part of the Contingency is essential in the identification of critical DHS assets Once critical systems are identified continuity planning shall address the following two complementary but different elements • Continuity of Operations Planning COOP • Contingency Planning CP 3 5 1 Continuity of Operations Planning Policy ID DHS Policy Statements Relevant Controls 3 5 1 a When available a DHS-wide process for continuity planning shall be used in order to ensure continuity of operations under all circumstances CP-2 3 5 1 b Components shall develop test implement and maintain comprehensive Continuity of Operations Plans COOP to ensure the continuity and recovery of essential DHS functionality CP-2 CP-4 3 5 1 c All CISOs ISSMs shall ensure that all COOPs under their purview are tested and exercised annually CP-4 3 5 1 d All CFO Designated Systems requiring high availability shall be identified in COOP plans and exercises CP-1 3 5 1 e All personnel involved in COOP efforts shall be identified and trained in the procedures and logistics of COOP development and implementation AT-3 CP-3 3 5 1 f To ensure that accounts can be created in the absence of the usual account approval authority systems that are part of the Critical DHS Assets Program shall have provisions to allow a Component CISO ISSM or Component CIO to approve new user accounts as part of a COOP scenario AC-2 3 5 1 g Each Component shall compile and maintain a list of mission-critical information systems in support of COOP CM-8 CP-1 3 5 1 h The DHS and Component CISOs ISSMs shall ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems 32 v8 0 March 14 2011 CP-1 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 5 1 i DHS Policy Statements DHS information systems that are part of the DHS Continuity Planning for Critical DHS Assets Program shall be provided requirements for system-level contingency planning by a Component Contingency Planning Program Office or by a DHS Contingency Planning Program Office Relevant Controls --- 3 5 2 Contingency Planning Policy ID DHS Policy Statements Relevant Controls 3 5 2 a The DHS CIO shall provide guidance direction and authority for a standard DHS-wide process for contingency planning for all DHS Components CP-1 3 5 2 b System Owners shall develop and document information system Contingency Plans CPs for their programs manage plan changes and distribute copies of the plan to key contingency personnel Component CIOs shall review and approve Component-level information system CPs CP-1 CP-2 3 5 2 c Components shall ensure implementation of backup policy and procedures for every Component information system CP-9 3 5 2 d The DHS CIO shall ensure that each system has contingency capabilities commensurate with the availability security objective The minimum contingency capabilities for each impact level follow High – System functions and information have a high priority for recovery after a short period of loss Moderate – System functions and information have a moderate priority for recovery after a moderate period of loss Low – System functions and information have a low priority for recovery after prolonged loss CP-1 3 5 2 e CPs shall be developed and maintained by all DHS Components in accordance with the requirements for the FIPS 199 potential impact level for the availability security objective These plans shall be based on three essential phases Activation Notification Recovery and Reconstitution Components shall review the CP for the information system at least annually and revise the plan to address system organizational changes or problems encountered during plan implementation execution or testing CP-1 CP-2 3 5 2 f The DHS CIO shall ensure that CP testing is performed in accordance with the availability security objective The minimum contingency testing for each impact level follows High – System recovery roles responsibilities procedures and logistics in the CP shall be used to recover from a simulated contingency event at the alternate processing site within a year prior to accreditation The system recovery procedures in the CP shall be used to simulate system recovery in a test facility at least annually CP-4 CP-7 33 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls Moderate – The CP shall be tested at least annually by reviewing and coordinating with organizational elements responsible for plans within the CP This is achieved by performing a walk-through tabletop exercise Low – CP contact information shall be verified at least annually 3 5 2 g The DHS CIO shall ensure that contingency training is performed in accordance with the availability security objective The minimum contingency planning for each impact level follows High – All personnel involved in contingency planning efforts shall be identified and trained in their contingency planning and implementation roles responsibilities procedures and logistics This training shall incorporate simulated events Refresher training shall be provided at least annually Moderate – All system personnel involved in contingency planning efforts shall be trained Refresher training shall be provided at least annually Low – There is no training requirement CP-3 3 5 2 h Components shall coordinate as appropriate CP testing and or exercises with COOP related plans for systems with moderate and high availability FIPS-199 categorization CP-4 3 6 System Engineering Life Cycle Directive 102-01 Acquisition Management Directive Appendix B contains the DHS Systems Engineering Life Cycle SELC Policy ID 3 7 DHS Policy Statements Relevant Controls 3 6 a Components shall ensure that system security is integrated into all phases of the Systems Engineering Life Cycle SELC SA-3 3 6 b Components shall ensure that security requirements for sensitive information systems are incorporated into life-cycle documentation SA-3 3 6 c The Program Manager shall review approve and sign all custom-developed code prior to deployment into production environments The Program Manager may delegate this authority to another DHS employee in writing This authority shall not be delegated to contractor personnel RA-5 Configuration Management Configuration management CM relates to managing the configuration of all hardware and software elements within information systems and networks CM within DHS consists of a multilayered structure – policy procedures processes and compliance monitoring Each Component shall utilize appropriate levels of configuration management CM applies to all systems subsystems and components of the DHS infrastructure thereby ensuing implementation and continuing life-cycle maintenance CM begins with baselining of 34 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A requirements documentation and ends with decommissioning of items no longer used for production or support The CM discipline applies to hardware including power systems software firmware documentation test and support equipment and spares A Change Management Process ensures that documentation associated with an approved change to a DHS system is updated to reflect the appropriate baseline including an analysis of any potential security implications The initial configuration must be documented in detail and all subsequent changes must be controlled through a complete and robust CM process Configuration management has security implications in three areas • Ensuring that the configuration of subordinate information system elements are consistent with the Security Authorization Process requirements of the parent system • Ensuring that any subsequent changes including an analysis of any potential security implications are approved • Ensuring that all recommended and approved security patches are properly installed DHS Sensitive Systems Handbook Enclosure 1 includes the DHS Secure Baseline Configuration Guides Policy ID DHS Policy Statements Relevant Controls 3 7 a Components shall develop and maintain a configuration management plan CMP for each information system as part of its SP All DHS systems shall be under the oversight of a Configuration Management responsible officer CM-1 CM-9 3 7 b Components shall establish implement and enforce configuration management controls on all information systems and networks and address significant deficiencies as part of a POA M CA-5 CM-3 PM-4 3 7 c Information security patches shall be installed in accordance with configuration management plans and within the timeframe or direction stated within the Information Security Vulnerability Management ISVM message published by the DHS EOC SI-2 3 7 d System Owners shall document the initial system configuration in detail and control all subsequent changes in accordance with the configuration management process CM-2 CM-3 CM-9 3 7 e Workstations shall be configured in accordance with DHS guidance on the U S Government Configuration Baseline USGCB formerly known as the Federal Desktop Core Configuration FDCC Configuration shall include installation of the DHS Common Policy Object identifier OID Common Policy Framework Root CA certificate and the DHS Principal CA certificate CM-2 CM-6 CM-9 3 7 f Components shall monitor USGCB or DHS-approved USGCB variant compliance using a NIST-validated Security Content Automation Protocol SCAP tool 35 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 8 DHS Policy Statements Relevant Controls 3 7 g The System Owner shall request an exception for information systems that use operating systems or applications that are not hardened or do not follow configuration guidance identified in DHS Sensitive Systems Handbook Enclosure 1 DHS Secure Baseline Configuration Guides Requests shall include a proposed alternative secure configuration CM-2 CM-6 3 7 h Components shall ensure that CM processes under their purview include and consider the results of a security impact analysis when considering proposed changes CM-4 Risk Management Risk management is a process that allows System Owners to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the information systems and data that support their organization’s missions Policy ID 3 9 DHS Policy Statements Relevant Controls 3 8 a Components shall establish a risk management program in accordance with NIST SP 800-30 Risk Management Guide for Information Technology Systems and other applicable Federal guidelines RA-1 3 8 b Component CISOs ISSMs shall ensure that a risk assessment is conducted whenever high impact weaknesses are identified or every three 3 years or whenever modifications are made to sensitive information systems or to their physical environments interfaces or user community The risk assessment shall consider the effects of the modifications on the operational risk profile of the information system SPs shall be updated and re-certification conducted if warranted by the results of the risk assessment RA-3 3 8 c Component CISOs ISSMs shall establish an independent Component-wide Security Authorization program to ensure a consistent approach to testing the effectiveness of controls RA-1 3 8 d Risk Executives shall review recommendations for risk determinations and risk acceptability and may recommend changes to the AO and appropriate CIO RA-3 3 8 e Component SOCs shall deploy a Component-wide network scanning program RA-5 3 8 f Special rules apply to CFO Designated Systems See Section 3 15 for additional information Security Authoziation and Security Assessments DHS periodically assesses the selection of security controls to determine their continued effectiveness in providing an appropriate level of protection 36 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A The DHS Security Authorization Process Guide describes detailed processes governing Security Authorization Process and system risk assessment Detailed information for creating and managing POA Ms is published in DHS 4300A Sensitive Systems Handbook Attachment H – Plan of Action and Milestones POA M Process Guide Policy ID DHS Policy Statements Relevant Controls PM-10 RA-2 3 9 a Components shall assign an impact level high moderate low to each security objective confidentiality integrity and availability for each DHS information system Components shall apply NIST SP 800-53 controls as tailored in the DHS 4300A Sensitive Systems Handbook Attachment M specific to the security objective at the determined impact level 3 9 b Components shall implement NIST SP 800-53 security controls using the FIPS Pub 200 Minimum Security Requirements for Federal Information and Information Systems methodology based on the FIPS 199 impact level established for each separate security objective confidentiality integrity availability --- 3 9 c Recommend that Components pursue type Security Authorization Process for information resources that are under the same direct management control have the same function or mission objective operating characteristics security needs and that reside in the same general operating environment or in the case of a distributed system reside in various locations with similar operating environments Type Security Authorization Process shall consist of a master Security Authorization Process package describing the common controls implemented across sites and site-specific controls and unique requirements that have been implemented at the individual sites --- 3 9 d The AO for a system shall be identified in TrustedAgent FISMA The Component CIO shall serve as the AO whenever the System Owner or an appropriate program official has not been named as the AO --- 3 9 e Component CISOs shall ensure that all information systems are formally assessed through a comprehensive evaluation of their management operational and technical security controls CA-2 PM-10 3 9 f The assessment made as part of and in support of the accreditation process shall determine the extent to which a particular design and implementation plan meets the DHS required set of security controls PM-10 3 9 g Component CISOs ISSMs shall ensure that a risk assessment is conducted whenever any modifications are made to sensitive information systems networks or to their physical environments interfaces or user community SPs shall be updated and re-authorized conducted if warranted PM-9 RA-3 37 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 3 9 h Components shall accredit systems at initial operating capability and every three 3 years thereafter or whenever a major change occurs whichever occurs first An ATO of six 6 months or less shall receive an ATO accreditation period waiver from the DHS CISO before submission to the AO for a final accreditation decision CA-6 PM-10 3 9 i AOs may grant an Interim Authorization to Operate IATO for systems that are undergoing development testing or are in a prototype phase of development A system shall be assessed and authorized in an ATO letter prior to passing the Key Decision Point 3 milestone in the SELC IATOs shall not be used for operational systems The AO may grant an IATO for a maximum period of 6 six months and may grant 1 one 6 six month extension Systems under an IATO shall not process sensitive information but may attach to system networks for testing PL-1 PM-10 3 9 j If the system is not fully accredited and has not received a full ATO by the end of the second and final IATO the system shall not be deployed as an operational system PL-1 PM-10 3 9 k As a result of Office of Inspector General OIG auditing experience Components shall request concurrence from the DHS CISO for all accreditations for 6 six months or less 3 9 l The DHS CISO shall specify tools techniques and methodologies used to certify and accredit DHS information systems report and manage FISMA data and document and maintain POA Ms CA-1 PM-4 3 9 m Currently all DHS systems shall be accredited using the automated tools TAF and RMS which have been approved by the DHS CISO CA-1 CA-2 PM-10 3 9 n The DHS CISO shall maintain a repository for all Security Authorization Process documentation and modifications CA-1 3 9 o Component CISOs shall establish processes to ensure consistent Security Authorization Process processing across all Component systems CA-1 PM-10 3 9 p System Owners shall use the POA M process to manage vulnerabilities correct deficiencies in security controls and remediate weaknesses in SPs CA-5 PM-4 3 9 q The AO shall formally assume responsibility for operating an information system at an acceptable level of risk System operation with sensitive information is prohibited without an ATO CA-6 PM-10 3 9 r ATOs shall only be provided for systems that fully comply with policy or have been granted appropriate exceptions or waivers CA-6 PM-10 38 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 3 9 s Artifacts in support of new ATOs shall not be older than 13 months Older artifacts remain valid during the life of a current ATO 3 9 t The DHS CIO may revoke any ATO of any DHS information system CA-6 3 9 u The Component CIO may revoke the ATO of any Component-level information system CA-6 3 9 v Components shall assign a common control provider to share controls between systems e g at hosting centers The authorization package of those common controls must be shared with those operating under them 3 10 --- Information Security Review and Assistance Policy ID DHS Policy Statements Relevant Controls 3 10 a Components shall submit their information security policies to the DHS CISO for review PL-1 3 10 b Components shall establish an information system security review and assistance program within their respective security organization in order to provide System Owners with expert review of programs assist in identifying deficiencies and provide recommendations for bringing systems into compliance CA-7 PL-1 PM-10 3 10 c Components shall conduct their reviews in accordance with FIPS 200 NIST SP 800-53 for specification of security controls NIST SP 800-53A shall be used for assessing the effectiveness of security controls and for quarterly and annual FISMA reporting CA-7 PL-1 3 10 d The DHS CISO shall conduct information security review and assistance visits across the Department in order to monitor the effectiveness of Component security programs CA-2 3 11 Security Working Groups and Forums Working groups and other forums representing various functional areas convene on a regular basis 3 11 1 CISO Council The CISO Council is the management team responsible for developing and implementing the DHS Information Security Program The Council is responsible for implementing a security program that meets DHS mission requirements and reviewing specific topic areas assigned by the DHS CIO or the DHS CISO 39 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A The CISO Council is also responsible for establishing and implementing significant security responsibilities promoting communications between security programs implementing information systems security acquisition requirements and developing security best practices within all enterprise and Component information security programs Policy ID DHS Policy Statements Relevant Controls 3 11 1 a Component CISOs shall actively participate in the CISO Council PL-1 PM-11 3 11 1 b Members shall ensure that the DHS CISO is kept apprised of all pertinent matters involving the security of information systems PL-1 PM-11 3 11 1 c Members shall ensure that security-related decisions and information including updates to the 4300 series of security publications are distributed to the ISSOs and other appropriate persons PL-1 PM-11 Note Periodically the CISO Council shall be convened to include Component ISSMs 3 11 2 DHS Information Security Training Working Group The DHS Information Security Training Working Group is established to promote collaboration on information security training efforts throughout the Department and to share information on Component-developed training activities methods and tools thereby reducing costs and avoiding duplication of effort The Information Security Training Working Group is chaired by the DHS Program Director for Information Security Training Policy ID DHS Policy Statements Relevant Controls 3 11 2 a Components shall appoint a representative to the DHS Information Security Training Working Group --- 3 11 2 b Members shall actively participate in the DHS Information Security Training Working Group --- 3 11 2 c Components shall abide by the security training requirements listed in the Information Security Awareness Training and Education section of this policy --- 3 12 Information Security Policy Violation and Disciplinary Action Individual accountability is a cornerstone of an effective security policy Component Heads are responsible for taking corrective actions whenever security incidents and violations occur and for holding personnel accountable for intentional transgressions Each Component must determine how to best address each individual case 40 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 3 12 a Information security-related violations are addressed in the Standards of Ethical Conduct for Employees of the Executive Branch and DHS employees may be subject to disciplinary action for failure to comply with DHS security policy whether or not the failure results in criminal prosecution PS-8 3 12 b Non-DHS Federal employees contractors or others working on behalf of DHS who fail to comply with Department security policies are subject to having their access to DHS systems and facilities terminated whether or not the failure results in criminal prosecution PS-8 3 12 c Any person who improperly discloses sensitive information is subject to criminal and civil penalties and sanctions PS-8 3 13 Required Reporting FISMA requires that the status of the DHS Information Security Program be reported to the OMB on a recurring basis Policy ID DHS Policy Statements Relevant Controls 3 13 a Components shall collect and submit quarterly and annual information security program status data as required by FISMA CA-2 3 13 b Components shall utilize the automated tool approved for use by the DHS CISO CA-2 3 14 Privacy and Data Security The DHS Privacy Office is responsible for privacy compliance across the Department including assuring that technologies used by the Department sustain and do not erode privacy protections relating to the use of personal and Department information The DHS Chief Privacy Officer has exclusive jurisdiction over the development of policy relating to personally identifiable information PII Questions concerning privacy-related policy should be directed to the Component Privacy Office or PPOC If the Component does not have a Privacy Office or PPOC then please contact the DHS Privacy Office privacy@dhs gov 703-235-0780 or refer to the DHS Chief Privacy Officer web page for additional information 3 14 1 Personally Identifiable Information Various regulations place restrictions on the Government’s collection use maintenance and release of information about individuals Regulations require agencies to protect PII which is any information that permits the identity of an individual to be directly or indirectly inferred including any information which is linked or linkable to that individual regardless of whether or not the individual is a U S citizen lawful permanent resident visitor to the U S or employee or contractor to the Department 41 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Sensitive PII is PII which if lost compromised or disclosed without authorization could result in substantial harm embarrassment inconvenience or unfairness to an individual Examples of Sensitive PII include Social Security numbers alien numbers A-number medical information and criminal history The sensitivity of this data requires that stricter handling guidelines be applied For more information on handling Sensitive PII see Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of Homeland Security Additional PII and Sensitive PII-related policies are included in the following sections of the DHS 4300A Sensitive Systems Handbook • Section 3 9 Security Authorization Process and Security Assessments – For Privacy Sensitive Systems the confidentiality security objective shall be assigned an impact level of at least moderate • Section 4 8 2 Laptop Computers and Other Mobile Computing Devices – All information stored on any laptop computer or other mobile computing device is to be encrypted using mechanisms that comply with Section 5 5 Encryption of this policy • Section 5 2 2 Automatic Session Termination – Sessions on workstations and on laptop computers and other mobile computing devices are to be terminated after twenty 20 minutes of inactivity • Section 5 3 Auditing – DHS defines computer-readable data extracts as data removed from any accredited system where the process is not covered by the SP and computer-readable data extracts are stored on hard drives including desk top and laptop computers floppy disks compact discs CDs digital video disks DVDs USB drives memory cards and any other media that may be read or copied electronically • Section 5 4 1 Remote Access and Dial-in – Remote access of PII must be approved by the AO Strong authentication via virtual private network VPN or equivalent encryption e g https and two-factor authentication is required DHS has an immediate goal that remote access should only be allowed with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access Restrictions are placed on the downloading and remote storage of PII accessed remotely as noted below in the DHS Policy The DHS Privacy Office works with Component Privacy Officers PPOCs Program Managers System Owners and information systems security personnel to ensure that sound privacy practices and controls are integrated into the Department’s operations The DHS Privacy Office implements three types of documents for managing privacy practices and controls for information systems • A PTA provides a high level description of an information system including the information it contains and how it is used The PTA is used to determine and document whether or not a PIA and or SORN are required • A PIA is a publicly released assessment of the privacy impact of an information system and includes an analysis of the PII that is collected stored and shared • A SORN describes the categories of records within a system of records and describes the routine uses of the data and how individuals can gain access to records and correct errors 42 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A To promote privacy compliance within the Department the Office has published official Department guidance regarding the requirements and content for PTAs PIAs and SORNs Privacy Compliance Guidance can be found on the DHS Privacy Office website at www dhs gov privacy 3 14 2 Privacy Threshold Analyses The PTA provides a high-level description of the system including the information it contains and how it is used PTAs are required whenever a new information system is being developed or an existing system is significantly modified System Owners and Program Managers are responsible for writing the PTA as part of the system development lifecycle process The Component Privacy Officer or PPOC reviews the PTA and forwards it to the DHS Privacy Office who determines whether a PIA and or SORN are required PTA artifacts expire after three 3 years DHS MD 0470 2 defines the PTA requirements Policy ID DHS Policy Statements Relevant Controls PL-5 3 14 2 a A PTA shall be conducted as part of new information system development or whenever an existing system is significantly modified PTA artifacts expire after three 3 years and a new PTA must be submitted 3 14 2 b A PTA shall be conducted whenever an information system undergoes security authorization --- 3 14 2 c The DHS Chief Privacy Officer shall evaluate the PTA and determine if it is a Privacy Sensitive System and if the system requires a PIA and SORN PL-5 3 14 2 d Information systems shall not be designated operational until the DHS Privacy Office approves the PTA PL-5 3 14 2 e For Privacy Sensitive Systems the confidentiality security objective shall be assigned an impact level of moderate or higher RA-2 3 14 3 Privacy Impact Assessments A PIA is a publicly released assessment of the privacy impact of an information system and includes an analysis of the PII that is collected stored and shared PIAs are required as determined by the PTA whenever a new information system is being developed or an existing system is significantly modified PIAs are the responsibility of the System Owner and the Program Manager as part of the SELC process OMB Memorandum M-03-22 DHS MD 0470 1 and the Official DHS Privacy Impact Assessment Guidance discuss the requirements for conducting PIAs at DHS 43 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 3 14 3 a PIAs are required as determined by the PTA as part of new information system development or whenever an existing system is significantly modified PL-5 3 14 3 b Information systems that the DHS Privacy Office has determined require a PIA as determined by the PTA shall not be designated operational until the DHS Privacy Office approves the PIA for that system PL-5 3 14 4 System of Records Notices The Privacy Act of 1974 requires a SORN when PII is maintained by a Federal agency in a system of records and the PII is retrieved by a personal identifier A system of records is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number symbol or other identifying particular assigned to the individual” 5 U S C §552a a 5 The SORN describes the categories of records and individuals in the system of record the routine uses of the data how individuals can gain access to records pertaining to them and correct errors The term “system of records” is not synonymous with an information system and can include paper as well as electronic records SORNs can be written to cover the records in a single group of records or a single information system or they can be written to cover multiple groups of records or multiple information systems Information systems that are considered a system of record may not be designated operational until a SORN has been published in the Federal Register for thirty days The Office of Management and Budget specifically Privacy Act Implementation Guidelines and Responsibilities July 9 1975 and Circular A-130 including Appendix I DHS MD 0470 2 and Official DHS Guidance on System of Records and System of Records Notices are the benchmark references when developing SORNs OMB requires each SORN to be reviewed every two 2 years to ensure that it accurately describes the system of records This process is called the Biennial SORN Review Process The DHS Privacy Office works with Components to ensure that SORN reviews are conducted every two 2 years following publication in the Federal Register Policy ID DHS Policy Statements 3 14 4 a A SORN is required when PII is maintained by a Federal agency in a system of records where information about an individual is retrieved by a unique personal identifier 3 14 4 b Information systems containing PII shall not be designated operational until a SORN has been published in the Federal Register for thirty 30 days 3 14 4 c Components shall review and republish SORNs every two 2 years as required by OMB A-130 44 v8 0 March 14 2011 Relevant Controls --- CA-6 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 3 14 5 Protecting Privacy Sensitive Systems OMB M-06-16 Protection of Sensitive Agency Information requires that agencies protect PII that is physically removed from Department locations or is accessed remotely Physical removal includes both removable media as well as media within mobile devices i e laptop hard drive Please refer to the following documents for additional information and policies on protecting PII and Sensitive PII at DHS • Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of Homeland Security • DHS 4300 A Sensitive System Handbook Attachment S Compliance Framework for Privacy Sensitive Systems and • DHS Policy and Procedures for Managing Computer-Readable Extracts Containing Sensitive PII In addition see Section 5 3 for PII auditing requirements and Section 5 4 1 for remote access requirements Policy ID 3 14 5 a DHS Policy Statements PII and Sensitive PII removed from a DHS facility on removable media such as CDs DVDs laptops PDAs shall be encrypted unless the information is being sent to the individual as part of a Privacy Act or Freedom of Information Act FOIA request Relevant Controls MP-5 SC-13 3 14 5 b If PII and Sensitive PII can be physically removed from an information system e g printouts CDs the Security Plan SP shall document the specific procedures training and accountability measures in place to ensure remote use of the data does not bypass the protections provided by the encryption MP-5 3 14 5 c Systems that as part of routine business remove Sensitive PII in the form of a Computer-Readable Extract CRE e g routine system-to-system transmissions of data routine CREs shall address associated risks in the SP MP-5 3 14 5 d Sensitive PII contained within a non-routine or ad hoc CRE e g CREs not included within the boundaries of a source system’s security plan shall not be removed physically or otherwise from a DHS facility without written authorization from the Data Owner responsible for ensuring that the disclosure of the CRE data is lawful and in compliance with this and applicable DHS privacy and security policies --- 3 14 5 e All ad hoc CREs must be documented tracked and validated every ninety 90 days after their creation to ensure that their continued authorized use is still required or that they have been appropriately destroyed or erased --- 45 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 14 5 f DHS Policy Statements Ad hoc CREs shall be destroyed or erased within ninety 90 days unless the information included in the extracts is required beyond that period Permanent erasure of the extracts or the need for continued use of the data shall be documented by the Data Owner and audited periodically by the Component Privacy Officer or PPOC Relevant Controls --- 3 14 6 Privacy Incident Reporting The DHS Privacy Office is responsible for implementing the Department’s privacy incident response program based on requirements outlined in OMB Memorandum 07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information May 22 2007 M07-16 Through close collaboration the DHS Chief Privacy Officer the DHS CIO the DHS CISO the DHS EOC and Components must ensure that all DHS privacy and computer security incidents are identified reported and appropriately responded to in order to mitigate harm to DHS-maintained assets information and personnel Incidents involving or that may involve PII are subject to strict reporting standards and timelines Policy ID DHS Policy Statements Relevant Controls 3 14 6 a Any Component discovering a suspected or confirmed privacy incident shall coordinate with the Component Privacy Officer or PPOC and Component CISO ISSM to evaluate and subsequently report the incident to the DHS EOC immediately upon discovery The DHS EOC will then transmit the report to the US-CERT within one 1 hour IR-4 3 14 6 b The Component Privacy Officer or PPOC in cooperation with the Component CISO ISSM shall jointly evaluate the incident but the Component CISO ISSM is responsible for reporting the incident to the Component SOC Computer Security Incident Response Capability CSIRC or directly to the DHS EOC CSIRC if the Component does not have its own SOC CSIRC IR-4 3 14 6 c For Components without Privacy Officers or PPOCs the Component CISO ISSM shall report all types of privacy incidents whether or not they involve information resources This unitary reporting process shall remain in effect until each Component has a Privacy Officer or PPOC who can fulfill the reporting duties IR-6 3 14 6 d DHS personnel shall also report suspected or confirmed privacy incidents or incidents involving PII to their Program Manager immediately upon discovery detection regardless of the manner in which it might have occurred IR-6 3 14 6 e Components shall follow the DHS Privacy Incident Handling Guide 46 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 3 14 7 E-Authentication Identity verification or authentication e-authentication is needed to ensure that online Government services are secure and that individual privacy is protected Each DHS system must be evaluated to determine whether e-authentication requirements apply Only federated identity providers approved through the Federal CIO Council’s Identity Credentialing and Access Management’s ICAM Trust Framework Provider Adoption Process TFPAP should be used Components should see www IDmanagement gov for details regarding the Federal Identity Credentialing and Access Management FICAM initiative E-authentication guidance is provided in the following • OMB M-0404 E-Authentication Guidance for Federal Agencies • NIST SP 800-63 Electronic Authentication Guideline Policy ID DHS Policy Statements Relevant Controls 3 14 7 a For systems that allow online transactions Components shall determine whether e-authentication requirements apply IA-2 3 14 7 b Components shall determine the appropriate assurance level for eauthentication by following the steps described in OMB M-04-04 EAuthentication Guidance for Federal Agencies IA-2 3 14 7 c Components shall implement the technical requirements described in NIST SP 800-63 Electronic Authentication Guideline at the appropriate assurance level for those systems with e-authentication requirements IA-2 3 14 7 d Components shall ensure that each SP reflects the e-authentication status of the respective system IA-2 PL-2 3 14 7 e Programs considering the use of e-authentication are required to conduct a PTA to initiate the review of privacy risks and how they will be mitigated PL-5 3 14 7 f Existing physical and logical access control systems shall be upgraded to use PIV credentials in accordance with NIST and DHS guidelines 3 14 7 g All new systems under development shall be enabled to use PIV credentials in accordance with NIST and DHS guidelines prior to being made operational 3 15 DHS CFO Designated Systems DHS CFO Designated Systems are systems that require additional management accountability to ensure effective internal control exists over financial reporting The DHS CFO publishes the approved list of CFO Designated Systems annually This section provides additional requirements for these systems based on OMB Circular A-123 Management’s Responsibility for Internal Control A-123 Appendix A The requirements contained in OMB Circular A-123 have been mapped to the NIST SP 800-53 controls and documented in DHS 4300A Attachment R These requirements are in addition to the other security requirements established in this document and other CFO developed financial system Line of Business requirements Wherever 47 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A there is a conflict between this and other sections of this policy regarding requirements for CFO Designated Systems this section takes precedence These additional requirements provide a strengthened assessment process and form the basis for management’s assurance on the internal control over financial reporting The strengthened process requires management to document the design and test the operating effectiveness of controls for CFO Designated Systems The system owner is responsible for ensuring that all requirements including security requirements are implemented on DHS systems Component CISOs ISSMs must coordinate with their CFO organization to ensure that these requirements are implemented Policy ID DHS Policy Statements Relevant Controls 3 15 a System owners are responsible for ensuring that security assessments of key security controls i e Security Assessment and Security Assessment Report SAR for CFO Designated Systems are completed annually in TAF This includes updating the ST E SAR annually CA-2 CA-7 3 15 b The DHS CFO shall designate the systems that must comply with additional internal controls and the Office of the CFO shall review and publish this list annually CA-2 3 15 c Component CISOs ISSMs shall ensure that vulnerability assessments and verification of critical patch installations are conducted on all CFO Designated Systems Vulnerability assessment shall be performed at least annually RA-5 3 15 d All CFO Designated Systems shall be assigned a minimum impact level of “moderate” for confidentiality integrity and availability If warranted by a risk based assessment the integrity objective shall be elevated to “high ” RA-2 3 15 e All Component security accreditations for CFO Designated Systems shall be approved and signed by the Component CFO CA-6 3 15 f System Owners shall ensure that Contingency plans are created for all CFO Designated Systems requiring moderate availability and Disaster Recovery plans are created for all CFO Designated Systems requiring high availability and that each plan is tested annually CP-2 CP-4 3 15 g Component CISOs ISSMs shall ensure that weekly incident response tracking is performed for all of their respective CFO Designated Systems IR-5 3 15 h Component CISOs ISSMs shall ensure that incidents related to their respective CFO Designated Systems are reported to the Component CFO IR-4 IR-6 3 15 i The SP shall be updated for CFO Designated Systems at least annually Key controls prescribed in Attachment R Compliance Framework for CFO Designated Systems shall be identified in the SP PL-2 48 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls CA-5 CA-7 3 15 j Component CISOs ISSMs must request a waiver or exception from the DHS CISO if a key control weakness is identified for a CFO Designated System and not remediated within twelve 12 months 3 15 k Component CFOs shall ensure that a fulltime dedicated ISSO is assigned to each CFO Designated System CFO Designated System ISSOs may be assigned to more than one CFO Designated System 3 15 l CFO Designated System ATOs shall be rescinded if Components fail to comply with testing and reporting requirements established within this policy CA-1 CA-6 3 15 m Component CFOs shall work with their Component CISOs ISSMs to approve any major system changes to CFO Designated Systems identified in the DHS inventory CA-1 CM-8 3 16 --- Social Media Social Media hosts are public content sharing Web sites that allow individual users to upload view and share content such as video clips press releases opinions and other information The DHS Office of Public Affairs OPA will publish Terms of Service TOS and guidelines for posting to these sites In some cases the Department will develop its own and in other cases will endorse those of other Federal agencies such as the General Services Administration GSA or Office of Personnel Management OPM Due to the high threat of malware Social Media host sites have been blocked at the TIC Policy ID DHS Policy Statements Relevant Controls 3 16 a Only OPA designated content managers Department level and Component level may post content and only those individuals designated by OPA for this purpose shall be granted access on a continuing basis SA-6 3 16 b Posted content shall be in keeping with the Department’s Terms of Service TOS and guidelines for a given social media host e g YouTube Twitter This condition is also met if the Department endorses another appropriate Federal agency’s guidance or TOS e g GSA OPM Under no circumstances shall sensitive information be posted to social media sites --- 3 16 c Content shall not be posted to any social media site for which the Department has not approved and published final posting guidelines and TOS SA-6 3 16 d Content managers shall review and understand the appropriate Departmentlevel TOS for the appropriate social media host 49 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 3 16 e DHS Policy Statements Relevant Controls --- Content managers shall make a risk decision prior to posting any information and shall recognize that social medial hosts are not DHS information systems and therefore subject only to the DHS TOS and not to DHS policy Once released information is no longer under DHS control There are a number of security technologies that are especially important to consider when dealing with social media issues These include • Trusted Internet Connections TIC – Section 5 4 4 • Host Configuration and Hardening – Section 4 8 4 • Enterprise Operations Center EOC and Network Operations Center NOC – Section 4 9 • Two-Factor Authentication – Section 5 4 1 • Domain Name System Security Extensions DNSSEC Capabilities – Section 5 4 3 • Trust Zones – Section 5 4 3 • Signed Code – Section 5 4 5 • Patching and Anti-Virus – Section 5 6 3 17 Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 HIPAA addresses the privacy of individuals’ health information by establishing a Federal privacy standard for health information and how it can be used and disclosed HIPAA prohibits the use or disclosure of Protected Health Information PHI electronic and otherwise for any purpose other than treatment payment or health care operations without the authorization of the individual or as part of an exception within HIPAA Because of the diverse mission of DHS it may be necessary for some Components to collect PHI as part of a larger mission requirement e g detainee processing disaster relief This section applies to all Components and personnel who collect process or store PHI refer to NIST SP 800-66 for further information Policy ID DHS Policy Statements Relevant Controls 3 17 a For those Components whose systems collect process or store Protected Health Information PHI they shall ensure that the stored information is appropriately protected in compliance with HIPAA and that access or disclosure is limited to the minimum required --- 3 17 b Covered Components shall work with the DHS Privacy Office Component Privacy Office or PPOC to ensure that privacy and disclosure policies comply with HIPAA requirements --- 50 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 3 17 c Covered Components shall ensure that employees with access to DHS systems that collect process or store PHI are trained on HIPAA requirements --- 3 17 d Covered Components shall establish administrative processes that can --- respond to complaints requests for corrections of health information and track disclosures of PHI 3 17 e When collecting PHI Components shall issue a privacy notice to individuals concerning the use and disclosure of their PHI 51 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 0 OPERATIONAL POLICIES 4 1 Personnel DHS systems face threats from a myriad of sources The intentional and unintentional actions of system users can potentially harm or disrupt DHS systems and facilities and could result in the destruction or modification of the data being processed denial of service and unauthorized disclosure of data It is thus highly important that stringent safeguards be taken to reduce the risk associated with these types of threats 4 1 1 Citizenship Personnel Screening and Position Categorization Policy ID DHS Policy Statements Relevant Controls 4 1 1 a Components shall designate the position sensitivity level for all Government and contractor positions that use develop operate or maintain information systems and shall determine risk levels for each contractor position Position sensitivity levels shall be reviewed annually and revised as appropriate PS-2 PS-3 PS-7 4 1 1 b Components shall ensure the incumbents of these positions have favorably adjudicated background investigations commensurate with the defined position sensitivity levels PS-2 PS-3 PS-7 4 1 1 c Components shall ensure that no Federal employee is granted access to DHS systems without having a favorably adjudicated Minimum Background Investigation MBI as defined in DHS Instruction 121-01-007 Personnel Suitability and Security Program Active duty United States Coast Guard and other personnel subject to the Uniform Code of Military Justice shall be exempted from this requirement PS-3 4 1 1 d Components shall ensure that no contractor personnel shall be granted access to DHS systems without having a favorably adjudicated Background Investigation BI as defined in DHS Instruction 121-01-007 Suitability Screening Requirements for Contractor Employees and the Department of Homeland Security Acquisition Regulation HSAR PS-3 4 1 1 e Components shall ensure that only U S Citizens are granted access to DHS systems and networks Exceptions to the U S Citizenship requirement may be granted by the Component Head or designee with the concurrence of the Office of Security and the DHS CIO in accordance with Section 1 5 4 U S Citizen Exception Requests of this policy PS-3 52 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 1 2 Rules of Behavior Policy ID DHS Policy Statements Relevant Controls 4 1 2 a Components shall ensure that rules of behavior contain acknowledgement that the user has no expectation of privacy a “Consent to Monitor” provision and that disciplinary actions may result from violations PL-4 4 1 2 b Components shall ensure that DHS users are trained regarding rules of behavior and that each user signs a copy prior to being granted user accounts or access to information systems or data AT-1 AT-2 PL-4 4 1 3 Access to Sensitive Information Policy ID 4 1 3 a DHS Policy Statements System Owners shall ensure that users of the information systems supporting their programs have a valid requirement to access these systems Relevant Controls AC-2 4 1 4 Separation of Duties Separation of duties is intended to prevent a single individual from being able to disrupt or corrupt a critical security process Policy ID DHS Policy Statements Relevant Controls 4 1 4 a Components shall divide and separate duties and responsibilities of critical information system functions among different individuals to minimize the possibility that any one individual would have the necessary authority or system access to be able to engage in fraudulent or criminal activity AC-2 4 1 4 b All individuals requiring administrator privileges shall be reviewed and approved by the appropriate AO The AO may delegate this duty to the appropriate system owner or Program Manager AC-2 4 1 4 c Individuals requiring administrator privileges shall be assigned administrator accounts separate from their normal user accounts AC-6 4 1 4 d Administrator accounts shall be used only for performing required administrator duties Individuals shall use their regular user accounts to perform all other functions not directly tied to administrator duties checking email accessing the Internet AC-6 53 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 1 5 Information Security Awareness Training and Education Policy ID DHS Policy Statements Relevant Controls 4 1 5 a Components shall establish an information security training program for users of DHS information systems AT-1 4 1 5 b DHS personnel contractors or others working on behalf of DHS accessing DHS systems shall receive initial training and annual refresher training in security awareness and accepted security practices Personnel shall complete security awareness within twenty-four 24 hours of being granted a user account If the user fails to comply user access shall be suspended AT-1 AT-4 4 1 5 c DHS personnel contractors or others working on behalf of DHS with significant security responsibilities e g ISSOs system administrators shall receive initial specialized training and annual refresher training thereafter specific to their security responsibilities AT-3 4 1 5 d Components shall maintain training records to include name and position type of training received and costs of training AT-4 4 1 5 e User accounts and access privileges including access to email shall be disabled for those DHS employees who have not received annual refresher training unless a waiver is granted by the Component CISO ISSM AT-1 4 1 5 f Components shall prepare and submit an annual security awareness training plan as specified by the DHS Information Security Training Program Office AT-1 4 1 5 g Components shall prepare and submit information security awareness reports with content frequency format and distribution as specified by the DHS CISO AT-1 4 1 5 h Components shall provide evidence of training by submitting copies of training schedules training rosters and training reports upon request of the DHS Information Security Training Program Office AT-4 4 1 5 i The DHS CISO shall review Component information security awareness programs annually AT-1 4 1 6 Separation From Duty Policy ID 4 1 6 a DHS Policy Statements Components shall implement procedures to ensure that system accesses are revoked for DHS employees contractors or others working on behalf of DHS who leave the Component are reassigned to other duties or no longer require access 54 v8 0 March 14 2011 Relevant Controls AC-2 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 1 6 b Components shall establish procedures to ensure that all DHS information system-related property and assets are recovered from the departing individual and that sensitive information stored on any media is transferred to an authorized individual PS-4 4 1 6 c Accounts for personnel on extended absences shall be temporarily suspended AC-2 4 1 6 d System Owners shall review information system accounts supporting their programs at least annually AC-2 4 2 Physical Security 4 2 1 General Physical Access Policy ID DHS Policy Statements Relevant Controls 4 2 1 a Access to DHS buildings rooms work areas spaces and structures housing information systems equipment and data shall be limited to authorized personnel PE-2 4 2 1 b Controls for deterring detecting restricting and regulating access to sensitive areas shall be in place and shall be sufficient to safeguard against possible loss theft destruction damage hazardous conditions fire malicious actions and natural disasters PE-3 4 2 1 c Controls shall be based on the level of classification and risk determined in accordance with Departmental security policy as reflected in this and other relevant documents PE-1 PM-9 4 2 1 d Visitors shall sign in upon entering DHS facilities that house information systems equipment and data be escorted during their stay and sign out upon leaving Non-DHS contractor or vendor access shall be limited to those work areas requiring their presence Visitor logs shall be maintained and available for review for one 1 year PE-7 4 2 1 e These requirements shall extend to DHS assets located at non-DHS facilities or non-DHS assets and equipment hosting DHS data --- 55 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 2 2 Sensitive Facility Policy ID 4 2 2 a 4 3 DHS Policy Statements Facilities processing transmitting or storing sensitive information shall incorporate physical protection measures based on the level of risk The risk shall be determined in accordance with Departmental security policy as reflected in this and other relevant documents Relevant Controls PE-1 PM-9 Media Controls 4 3 1 Media Protection Policy ID DHS Policy Statements Relevant Controls 4 3 1 a Components shall ensure that all media containing sensitive information including hard copy media backup media and removable media such as USB drives are stored in a secure location e g a locked office room desk bookcase file cabinet locked tape device or other storage prohibiting access by unauthorized persons when not in use MP-2 MP-4 PE-1 4 3 1 b Components shall ensure that all offsite backup media are protected as per guidance in this section CP-6 4 3 1 c DHS personnel contractors and others working on behalf of DHS are prohibited from using any non-Government issued removable media USB drives in particular or connecting them to DHS equipment or networks or to store DHS sensitive information MP-2 4 3 1 d Systems requiring encryption shall comply with Section 5 5 1 Encryption of this policy DHS-owned USB drives shall use encryption IA-7 SC-13 4 3 1 e DHS-owned removable media shall not be connected to any non-DHS information system unless the AO has determined the acceptable level of risk based on compensating controls published acceptable use guidance and the guidance has been approved by the respective CISO ISSM The respective CISO is the CISO with that system in his or her inventory AC-20 MP-2 PM-9 4 3 1 f DHS-owned USB removable media shall not be connected to any non-DHS information system AC-20 MP-2 4 3 1 g Components shall follow established procedures to ensure that paper and electronic outputs from systems containing sensitive information are protected MP-1 4 3 1 h Users shall ensure proper protection of printed output Printing of sensitive documents shall occur only when a trusted person is attending the printer SI-12 56 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 4 3 1 i DHS Policy Statements Components shall follow the procedures established by DHS MD 11042 1 Safeguarding Sensitive But Unclassified For Official Use Only Information for the transportation or mailing of sensitive media Relevant Controls MP-5 4 3 2 Media Marking and Transport Policy ID DHS Policy Statements Relevant Controls 4 3 2 a Media determined by the information owner to contain sensitive information shall be appropriately marked in accordance with DHS MD 11042 1 Safeguarding Sensitive But Unclassified For Official Use Only Information MP-3 4 3 2 b Components shall control the transport of information system media containing sensitive data outside of controlled areas and restrict the pickup receipt transfer and delivery to authorized personnel MP-5 4 3 3 Media Sanitization and Disposal Policy ID DHS Policy Statements Relevant Controls 4 3 3 a Components shall ensure that any information systems storage medium containing sensitive information is sanitized using approved sanitization methods before it is disposed of reused recycled or returned to the owner or manufacturer MP-6 4 3 3 b Components shall maintain records of the sanitization and disposition of information systems storage media MP-6 4 3 3 c Components shall periodically test degaussing equipment to verify that the equipment is functioning properly MP-6 4 3 4 Production Input Output Controls Policy ID DHS Policy Statements Relevant Controls 4 3 4 a Components shall follow established procedures to ensure that sensitive information cannot be accessed or stolen by unauthorized individuals SI-12 4 3 4 b These procedures shall address not only the paper and electronic outputs from systems but also the transportation or mailing of sensitive media SI-12 57 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 4 Voice Communications Security 4 4 1 Private Branch Exchange Policy ID 4 4 1 a DHS Policy Statements Components shall provide adequate physical and information security for all DHS-owned Private Branch Exchanges PBX Refer to NIST SP 800-24 PBX Vulnerability Analysis for guidance on detecting and fixing vulnerabilities in PBX systems Relevant Controls CM-2 4 4 2 Telephone Communications Policy ID 4 4 2 a DHS Policy Statements Components shall develop guidance for discussing sensitive information over the telephone Guidance shall be approved by a senior Component official and is subject to review and approval by the DHS CISO Under no circumstances shall classified national security information be discussed over unsecured telephones Relevant Controls PL-4 4 4 3 Voice Mail Policy ID DHS Policy Statements Relevant Controls 4 4 3 a Sensitive information shall not be communicated over nor stored in voice mail PL-4 4 5 Data Communications 4 5 1 Telecommunications Protection Techniques Policy ID 4 5 1 a DHS Policy Statements Components shall carefully select the telecommunications protection techniques that meet their information security needs in the most costeffective manner consistent with Departmental and Component information system security policies Approved protected network services PNS may be used as cost-effective alternatives to the use of encryption for sensitive information requiring telecommunications protection 58 v8 0 March 14 2011 Relevant Controls CM-2 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 5 2 Facsimiles Policy ID DHS Policy Statements Relevant Controls 4 5 2 a Components shall implement and enforce technical controls for fax technology and systems including fax machines servers gateways software and protocols that transmit and receive sensitive information SC-1 SC-7 SC-8 SC-9 4 5 2 b Components shall configure fax servers to ensure that incoming lines cannot be used to access the network or any data on the fax server AC-4 4 5 3 Video Teleconferencing Policy ID DHS Policy Statements Relevant Controls 4 5 3 a Components shall implement controls to ensure that only authorized individuals are able to participate in each videoconference AC-3 PE-3 4 5 3 b Components shall ensure that appropriate transmission protections commensurate with the highest sensitivity of information to be discussed are in place throughout any video teleconference SC-8 SC-9 4 5 3 c Video teleconferencing equipment and software shall be disabled when not in use AC-3 PE-3 4 5 4 Voice Over Data Networks Voice over Internet Protocol VoIP and similar technologies move voice over digital networks These technologies use protocols originally designed for data networking Such technologies include Voice over Frame Relay Voice over Asynchronous Transfer Mode and Voice over Digital Subscriber Line refer to NIST SP 800-58 for further information Policy ID DHS Policy Statements Relevant Controls 4 5 4 a Prior to implementing voice over data network technology Components shall conduct rigorous risk assessments and security testing and provide a business justification for their use Any systems that employ this technology shall be accredited for this purpose with residual risks clearly identified SC-19 PM-9 4 5 4 b Voice over data network implementations shall have sufficient redundancy to ensure network outages do not result in the loss of both voice and data communications SC-19 4 5 4 c Components shall ensure appropriate identification and authentication controls audit logging and integrity controls are implemented on every element of their voice over data networks SC-19 59 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 4 5 4 d 4 6 DHS Policy Statements Relevant Controls Components shall ensure that physical access to voice over data network elements is restricted to authorized personnel SC-19 Wireless Network Communications Wireless network communications technologies include the following • Wireless systems e g wireless local area networks WLAN wireless wide area networks WWAN wireless personal area networks WPAN peer-to-peer wireless networks information systems that leverage commercial wireless services Wireless systems include the transmission medium stationary integrated devices firmware supporting services and protocols • Wireless portable electronic devices PED capable of storing processing or transmitting sensitive information e g personal digital assistants PDA smart telephones two-way pagers handheld radios cellular telephones personal communications services PCS devices multifunctional wireless devices portable audio video recording devices with wireless capability scanning devices messaging devices • Wireless tactical systems including mission-critical communication systems and devices e g include Land Mobile Radio LMR subscriber devices and infrastructure equipment remote sensors technical investigative communications systems • Radio Frequency Identification RFID Policy ID DHS Policy Statements Relevant Controls 4 6 a Wireless network communications technologies are prohibited from use within DHS unless the appropriate AO specifically approves a technology and application AC-18 4 6 b Components using Public Key Infrastructure PKI -based encryption on wireless systems wireless PEDs and wireless tactical systems shall implement and maintain a key management plan approved by the DHS PKI Policy Authority IA-5 SC-12 4 6 1 Wireless Systems Wireless system policy and procedures are described more completely in Attachment Q1 Wireless Systems to the DHS 4300A Sensitive Systems Handbook 60 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 6 1 a Annual information security assessments shall be conducted on all approved wireless systems Wireless information security assessments shall enumerate vulnerabilities risk statements risk levels and corrective actions CA-2 PM-9 4 6 1 b A POA M shall be developed to address wireless information security vulnerabilities These plans shall prioritize corrective actions and implementation milestones in accordance with defined risk levels CA-5 PM-4 PM-9 4 6 1 c Components shall identify countermeasures to denial-of-service attacks and complete a risk based evaluation prior to approving the use of a wireless PED AC-19 PM-9 SC-5 4 6 1 d SPs shall adopt a defense-in-depth strategy that integrates firewalls screening routers wireless intrusion detection systems antivirus software encryption strong authentication and cryptographic key management to ensure information security solutions and secure connections to external interfaces are consistently enforced SI-3 4 6 1 e Legacy wireless systems that are not compliant with DHS information security policy shall implement a migration plan to outline the provisions procedures and restrictions for transitioning these systems to DHS-compliant security architectures Operation of these noncompliant systems requires an approved waiver or exception to policy from the DHS CISO CA-5 4 6 1 f Component CISOs shall review all system applications for wireless usage maintain an inventory of systems and provide that inventory to the DHS CISO annually AC-18 PM-5 4 6 1 g Component CISOs shall i establish usage restrictions and implementation guidance for wireless technologies and ii authorize monitor and control wireless access to DHS information systems AC-18 4 6 2 Wireless Portable Electronic Devices Wireless PEDs include PDAs smart telephones two-way pagers handheld radios cellular telephones PCS devices multifunctional wireless devices portable audio video recording devices with wireless capability scanning devices messaging devices and any other wireless clients capable of storing processing or transmitting sensitive information Wireless PED policy and procedures are described more completely in Attachment Q2 Wireless Portable Electronic Devices to the DHS 4300A Sensitive Systems Handbook 61 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 6 2 a The use of wireless PEDs and accessory devices in areas where sensitive or classified information is discussed maintained or distributed is prohibited unless specifically authorized by the AO in writing AC-19 PL-4 4 6 2 b Wireless PEDs shall not be tethered or otherwise physically or wirelessly connected to the DHS-wired core network without written consent from the AO AC-18 AC-19 4 6 2 c Wireless PEDs shall not be used to store process or transmit combinations personal identification numbers PIN or sensitive information in unencrypted formats AC-19 IA-5 IA-7 4 6 2 d Wireless PEDs such as BlackBerry devices and smart phones shall implement strong authentication data encryption and transmission encryption technologies Portable electronic devices such as BlackBerry devices and smart phones shall be password-protected with a security timeout period established For BlackBerry devices the security timeout shall be set to ten 10 minutes AC-19 IA-7 SC-8 SC-9 SC-13 4 6 2 e SPs shall promulgate the provisions procedures and restrictions for using wireless PEDs to download mobile code in an approved manner SC-18 4 6 2 f Wireless PEDs shall be operated only when current DHS TRM-approved versions of antivirus software and software patches are installed SI-3 4 6 2 g Cost-effective countermeasures to denial-of-service attacks shall be identified and established prior to a wireless PED being approved for use SC-5 4 6 2 h Components shall maintain a current inventory of all approved wireless PEDs in operation PM-5 4 6 2 i Wireless PEDs shall be cleared of all information before being reused by another individual office or Component within DHS or before they are surplused wireless PEDs that are being disposed of recycled or returned to the owner or manufacturer shall first be sanitized using approved procedures MP-6 4 6 2 j Legacy wireless PEDs that are not compliant with DHS information security policy shall implement a migration plan that outlines the provisions procedures and restrictions for transitioning these wireless PEDs to DHScompliant security architectures Operation of these noncompliant systems requires an approved waiver or exception from the DHS CISO CA-5 4 6 2 k Components shall ensure that personally owned PEDs and Government-owned PEDs not authorized to process classified information are not permitted in conference rooms or secure facilities where classified information is discussed 62 v8 0 March 14 2011 SC-7 CA-6 AC-19 PE-18 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 6 2 l The AO shall approve the use of Government-owned PEDs to process store or transmit sensitive information CA-6 4 6 2 m The use of add-on devices such as cameras and recorders is not authorized unless approved by the AO Functions that can record or transmit sensitive information via video Infrared IR or Radio Frequency RF shall be disabled in areas where sensitive information is discussed AC-19 CM-7 PE-18 SC-7 4 6 2 1 Cellular Phones Policy ID 4 6 2 1 a 4 6 2 2 DHS Policy Statements Components shall develop guidance for discussing sensitive information on cellular phones Guidance shall be approved by a senior Component official and is subject to review by the DHS CISO Under no circumstances shall classified information be discussed on cellular phones 4 6 2 3 PL-4 Pagers Policy ID 4 6 2 2 a Relevant Controls DHS Policy Statements Pagers shall not be used to transmit sensitive information Relevant Controls PL-4 Multifunctional Wireless Devices Wireless devices have evolved to be multifunctional cell phones pagers and radios can surf the Internet retrieve email take and transmit pictures Most of these functions do not have sufficient security Policy ID DHS Policy Statements Relevant Controls 4 6 2 3 a Functions that cannot be encrypted using approved cryptographic modules shall not be used to process store or transmit sensitive information AC-19 SC-8 SC-9 SC-12 4 6 2 3 b Functions that transmit or receive video IR or radio frequency RF signals shall be disabled in areas where sensitive information is discussed AC-19 PE-18 4 6 2 3 c Short Message Service SMS and Multimedia Messaging Service MMS shall not be used to process store or transmit sensitive information and shall be disabled whenever possible 63 v8 0 March 14 2011 --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 6 3 Wireless Tactical Systems Wireless tactical systems include LMR subscriber devices infrastructure equipment remote sensors and technical investigative communications systems Because they are often deployed under circumstances in which officer safety and mission success are at stake wireless tactical systems require even greater security measures To ensure secure tactical communications Components must implement strong identification authentication and encryption protocols designed specifically for each wireless tactical system Wireless tactical system policy and procedures are described more completely in Attachment Q3 Wireless Tactical Systems to the DHS 4300A Sensitive Systems Handbook Policy ID DHS Policy Statements Relevant Controls 4 6 3 a AOs shall be immediately notified when any security features are disabled in response to time-sensitive mission-critical incidents CM-3 4 6 3 b Wireless tactical systems shall implement strong identification authentication and encryption IA-2 IA-7 SC-8 SC-9 4 6 3 c Cost-effective countermeasures to denial-of-service attacks shall be identified and established prior to a wireless tactical system being approved for use SC-5 4 6 3 d Components shall maintain a current inventory of all approved wireless tactical systems in operation PM-5 4 6 3 e Legacy tactical wireless systems that are not compliant with DHS information security policy shall implement a migration plan to outline the provisions procedures and restrictions for transitioning these systems to DHS-compliant security architectures Operation of these noncompliant systems requires an approved waiver or exception from the DHS CISO as appropriate --- 4 6 3 f The security configuration of LMR subscriber units shall be validated via overthe-air-rekeying OTAR or hard rekey using a crypto-period no longer than 180 days SC-12 4 6 3 g All LMR systems shall comply with Project 25 P25 EIA TIA-102 security standards where applicable CM-2 4 6 4 Radio Frequency Identification Radio Frequency Identification RFID enables wireless identification of objects over significant distances Because of the computing limitations of RFID tags it often is not feasible to implement many of the security mechanisms such as cryptography and strong authentication that are commonly supported on personal workstations servers and network infrastructure devices RFID security controls can support Departmental and Component privacy objectives mitigate risks to business processes and prevent the disclosure of sensitive data 64 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A RFID policy and procedures are described more completely in Attachment Q4 Sensitive RFID Systems to the DHS 4300A Sensitive Systems Handbook Policy ID DHS Policy Statements Relevant Controls 4 6 4 a Components implementing RFID systems shall assess hazards of electromagnetic radiation to fuel ordinance and personnel before deployment of the RFID technology PE-18 4 6 4 b Components shall limit data stored on RFID tags to the greatest extent possible recording information beyond an identifier only when required for the application mission When data beyond an identifier is stored on a tag the tag’s memory shall be protected by access control AC-6 PL-5 4 6 4 c Components shall develop a contingency plan such as the use of a fallback identification technology to implement in case of an RFID security breach or system failure --- 4 6 4 d Components shall identify and implement appropriate operational and technical controls to limit unauthorized tracking or targeting of RFID-tagged items when these items are expected to travel outside the Component’s physical perimeter AC-14 4 6 4 e When the RFID system is connected to a DHS data network Components shall implement network security controls to segregate RFID network elements such as RFID readers middleware and databases from other non-RFID network hosts CM-6 4 6 4 f Components implementing RFID technology shall determine whether or not tag cloning is a significant business risk If such a significant risk exists then tag transactions shall be cryptographically authenticated IA-7 PM-9 RA-3 4 7 Overseas Communications Policy ID 4 7 a DHS Policy Statements Where required or appropriate all communications outside of the United States and its territories shall be in accordance with the Department of State Foreign Affairs Manual FAM 12 FAM 600 Information Security Technology 65 v8 0 March 14 2011 Relevant Controls --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 8 Equipment 4 8 1 Workstations Policy ID DHS Policy Statements Relevant Controls AC-11 CM-6 4 8 1 a Components shall configure workstations to either log off or activate a password-protected lock or password-protected screensaver within fifteen 15 minutes of user inactivity 4 8 1 b Components shall ensure that workstations are protected from theft PE-3 4 8 1 c Users shall either log off or lock their workstations when unattended --- 4 8 2 Laptop Computers and Other Mobile Computing Devices Policy ID DHS Policy Statements Relevant Controls 4 8 2 a Information stored on any laptop computer or other mobile computing device that may be used in a residence or on travel shall use encryption in accordance with Section 5 5 1 Encryption for data at rest and in motion Passwords tokens and Smart Cards shall not be stored on or with the laptop or other mobile computing device AC-19 IA-2 SC-12 4 8 2 b Laptop computers shall be powered down when not in use due to volatile memory vulnerabilities AC-19 PL-4 4 8 2 c Laptop computers and other mobile computing devices in offices shall be secured when unattended via a locking cable locked office or locked cabinet or desk AC-19 PE-3 PL-4 4 8 2 d Users shall obtain the written approval of the office director before taking a laptop computer or other mobile computing device outside of the United States or its territories AC-19 PL-4 4 8 3 Personally Owned Equipment and Software Policy ID DHS Policy Statements Relevant Controls 4 8 3 a Personally owned equipment and software shall not be used to process access or store sensitive information without the written prior approval of the AO SA-6 4 8 3 b Equipment that is not owned or leased by the Federal Government or operated by a contractor on behalf of the Federal Government shall not be connected to DHS equipment or networks without the written prior approval of the Component CISO ISSM SA-9 66 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 4 8 3 c DHS Policy Statements Any device that has been obtained through civil or criminal asset forfeiture shall not be used as part of a DHS information system nor used to process DHS data Relevant Controls AC-20 4 8 4 Hardware and Software Policy ID DHS Policy Statements Relevant Controls 4 8 4 a Components shall ensure that DHS information systems follow the hardening guides for operating systems and the configuration guides for applications promulgated by the DHS CISO DHS Sensitive Systems Handbook Enclosure 1 includes the DHS Secure Baseline Configuration Guides CM-2 CM-6 4 8 4 b Components shall limit access to system software and hardware to authorized personnel AC-3 CM-5 4 8 4 c Components shall test authorize and approve all new and revised software and hardware prior to implementation in accordance with their Configuration Management Plan CM-2 CM-3 4 8 4 d Components shall manage systems to reduce vulnerabilities through vulnerability testing and management promptly installing patches and eliminating or disabling unnecessary services CM-3 RA-5 4 8 4 e Components shall ensure that maintenance ports are disabled during normal system operation and enabled only during approved maintenance activities MA-1 4 8 4 f System libraries shall be managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code SI-7 4 8 4 g Components shall develop maintenance policy and procedures MA-1 4 8 4 h If cleared maintenance personnel are not available a trusted DHS employee with sufficient technical knowledge to detect and prevent unauthorized modification to the information system or its network shall monitor and escort the maintenance personnel during maintenance activities This situation shall only occur in exceptional cases Components shall take all possible steps to ensure that trusted maintenance personnel are available MA-5 4 8 4 i Maintenance using a different user’s identity may be performed only when the user is present The user shall log in and observe the maintenance actions at all times Users shall not share their authentication information with maintenance personnel MA-5 67 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 8 5 Personal Use of Government Office Equipment and DHS Systems Computers Policy ID DHS Policy Statements Relevant Controls 4 8 5 a DHS employees may use Government office equipment and DHS systems computers for authorized purposes only “Authorized use” includes limited personal use as described in DHS MD 4600 1 Personal Use of Government Office Equipment and DHS MD 4900 Individual Use and Operation of DHS Information Systems Computers --- 4 8 5 b Limited personal use of DHS email and Internet services is authorized for DHS employees as long as this use does not interfere with official duties inhibit the security of information and information systems or cause degradation of network services Specifically prohibited activities include streaming of audio or video social networking peer-to-peer networking software or music sharing piracy online gaming webmail Instant Messaging IM hacking and the viewing of pornography or other offensive content DHS users shall comply with the provisions of DHS MD 4500 1 DHS E-mail Usage and DHS MD 4400 1 DHS Web and Information Systems --- 4 8 5 c Anyone granted user account access to any DHS information system including DHS employees contractors and others working on behalf of DHS shall have no expectations of privacy associated with its use By completing the authentication process the user acknowledges his or her consent to monitoring AC-8 4 8 5 d The use of Government office equipment and DHS systems computers constitutes consent to monitoring and auditing of the equipment systems at all times Monitoring includes the tracking of internal transactions and external transactions such as Internet access It also includes auditing of stored data on local and network storage devices as well as removable media AC-8 4 8 5 e DHS users are required to sign rules of behavior prior to being granted system accounts or access to DHS systems or data The rules of behavior shall contain a “Consent to Monitor” provision and an acknowledgement that the user has no expectation of privacy PL-4 4 8 5 f Contractors others working on behalf of DHS or other non-DHS employees are not authorized to use Government office equipment or information systems computers for personal use unless limited personal use is specifically permitted by the contract or memorandum of agreement When so authorized the limited personal use policies of this section and the provisions of DHS MD 4600 1 DHS MD 4900 DHS MD 4400 1 and DHS MD 4500 1 shall apply --- 4 8 6 Wireless Settings for Peripheral Equipment Peripheral equipment printers scanners fax machines often includes capabilities intended to allow wireless access to these devices Although convenient wireless access comes with additional risks In general wireless access is not allowed on DHS networks 68 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 8 6 a Components shall ensure that wireless capabilities for peripheral equipment are disabled This applies all to peripherals connected to any DHS network or to systems processing or hosting DHS sensitive data CM-7 4 8 6 b In cases where valid mission requirements or equipment limitations prevent disabling wireless capabilities Components shall comply with all requirements outlined in Section 4 6 Wireless Communication and obtain a waiver or exception in accordance with this policy CM-7 4 9 Department Information Security Operations The DHS EOC is the central coordinating and reporting authority for all Sensitive and National Security computer security incidents throughout the Department The HSDN SOC shall report incidents to the DHS EOC through appropriate channels to protect data classification The HSDN SOC is subordinate to the DHS EOC acting as the central coordinating and reporting authority for all SECRET computer security incidents throughout the Department Policy ID DHS Policy Statements Relevant Controls 4 9 a It is the policy of DHS that employees contractors or others working on behalf of DHS have no privacy expectations associated with the use of any DHS network system or application This policy is further extended to anyone who is granted account access to any network system or application in use in the Department By completing the account log in process the account owner acknowledges their consent to monitoring 4 9 b Component SOCs and the HSDN SOC shall be operationally subordinate to the DHS EOC The DHS EOC shall provide operational oversight and guidance IR-1 4 9 c The DHS EOC or Component SOCs shall lead the coordination and administration of Department and Component policy enforcement points such as firewalls SC-7 4 9 d The DHS EOC shall implement the Department logging strategy coordinated with Component SOCs to enable endpoint visibility and Departmental situational awareness --- 4 9 e All SOCs shall have the capability to process intelligence information at the collateral level or above The DHS EOC and Component SOCs shall have the ability to process SECRET level information continuously and shall have the capability to receive TS SCI information IR-4 4 9 f SOCs shall ensure that personnel are appropriately cleared to access Joint Worldwide Intelligence Communications System JWICS SOC managers are free to determine the number and type of personnel to be cleared but at least IR-4 69 v8 0 March 14 2011 AC-8 PL-4 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls one cleared person shall be available per shift This person may be on call A Government officer shall be available continuously for incident response and management 4 9 g All Department SOCs shall establish and maintain a forensic capability as outlined in the DHS Enterprise Operations Concept of Operations EOC CONOPS IR-7 4 9 h Department information security operations shall provide a vulnerability management capability DHS EOC provides Information Security Vulnerability Management ISVM messages and vulnerability assessment capabilities Component SOCs shall develop a robust vulnerability management capability to compliment the DHS EOC SI-5 4 9 i Component CISOs shall ensure that the DHS CISO is kept apprised of all pertinent matters involving the security of information systems and that security-related decisions and information are distributed to the ISSOs and other appropriate persons SI-5 4 9 j Component SOCs shall report operationally to the respective Component CISO Each CISO shall exercise oversight over their Components’ information security operations functions including the Component SOCs IR-1 4 9 k The DHS EOC shall report operationally to the DHS CISO 4 10 Security Incidents and Incident Response and Reporting Policy ID DHS Policy Statements Relevant Controls 4 10 a Components shall establish and maintain a continuous incident response capability IR-1 4 10 b Components shall report significant incidents to the DHS EOC by calling 703 921-6505 as soon as possible but not later than one 1 hour from validation” e g a security event being confirmed as a security incident Other means such as the EOC ONLINE portal https eoconline dhs gov are acceptable but the Component shall positively verify that the notification is received and acknowledged by the DHS EOC IR-6 4 10 c Significant HSDN incidents shall be documented with a preliminary report that shall be provided to the HSDN Government Watch Officer or DHS EOC within one hour An initial detailed report shall be provided to the DHS EOC as soon as possible but not later than one hour from validation” via secure communications Subsequent updates and status reports shall be provided to the DHS EOC every twenty-four 24 hours via HSDN SOC ONLINE until incident resolution or when new information is discovered Significant IR-6 70 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls incidents are reported individually on a per incident basis and shall not be reported in the monthly summary report Additional guidance is located in DHS 4300A Attachment F Incident Response and Reporting Section 3 0 4 10 d Components shall report minor incidents on systems in the weekly incident report SBU systems may report via the DHS EOC portal https eoconline dhs gov Components with no portal access shall report minor incidents via email to dhs soc@dhs gov HSDN incidents or incidents involving SECRET information shall be documented in a summary report via the HSDN DHS EOC portal IR-6 4 10 e DHS personnel shall follow DHS CISO procedures for detecting reporting and responding to information security incidents in accordance with the DHS EOC CONOPS Reports shall be classified at the highest classification level of the information contained in the document Unsanitized reports shall be marked and handled appropriately IR-1 4 10 f If a DHS Component has no incidents to report for a given week a weekly “No Incidents” report shall be sent to the EOC IR-6 4 10 g The DHS EOC shall report incidents to US-CERT in accordance with the DHS EOC CONOPS Components shall not send incident reports directly to US-CERT IR-6 4 10 h The DHS EOC shall receive classified spillage incident reports and support the DHS CSO for containment and cleanup All classified spillages are significant incidents IR-6 4 10 i The DHS EOC shall maintain information security “playbooks ” that is checklists that implement procedures and provide guidance on how to respond rapidly to developing incidents IR-1 4 10 j The DHS EOC shall respond to detected faults attacks events or incidents and communicate incident reports to external organizations that may be affected IR-1 4 10 k Components shall maintain a full SOC and CSIRC capability or outsource this capability to the DHS EOC The DHS EOC shall provide SOC and CSIRC services to Components in accordance with formal agreements Information regarding incident response capability is available in Attachment F of the DHS 4300A Sensitive Systems Handbook IR-7 4 10 l Components shall develop and publish internal computer security incident response plans and incident handling procedures and provide copies to the DHS CSIRC These procedures shall include a detailed CM process for modification of security device configurations IR-1 71 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 4 10 m Component Heads shall take corrective actions when security incidents and violations occur and shall hold personnel accountable for intentional transgressions IR-1 4 10 n The DHS EOC shall monitor and report incident investigation and incident remediation activities to the DHS CIO and CISO in accordance with the DHS EOC CONOPS until the incident is closed IR-5 4 10 o The DHS CISO shall determine the frequency and content of security incident reports IR-6 4 10 p The Component CSIRC shall report incidents only to the DHS EOC and to no other external agency or organization IR-6 4 10 q The DHS CISO shall publish Incident Response Testing and Exercise scenarios as required IR-1 4 10 r The Component CISO for each Component providing an incident response capability shall ensure Incident Response Testing and Exercises are conducted annually in coordination with the DHS CISO IR-3 4 10 1 Law Enforcement Incident Response The DHS EOC shall notify the DHS Chief Internal Security and Investigations Division Office of Security CISID-OIS whenever an incident requires law enforcement involvement Law enforcement shall coordinate with the DHS EOC the CISID-OIS the Component and other appropriate parties whenever a crime is committed or suspected Policy ID DHS Policy Statements Relevant Controls 4 10 1 a Components shall coordinate all external law enforcement involvements through the DHS EOC and obtain guidance from the DHS EOC before contacting local law enforcement Exceptions are only made during emergencies where there is risk to life limb or destruction of property In cases of emergency notification the Component shall notify the DHS EOC as soon as possible by the most expedient means available IR-6 4 10 1 b Security Incidents may include law enforcement LE or counter intelligence CI elements such as maintaining a chain of custody All incidents containing a LE CI aspect shall be coordinated with the DHS CSO through the DHS EOC IR-6 72 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 11 Documentation Policy ID DHS Policy Statements Relevant Controls 4 11 a Components shall ensure that information systems and networks are appropriately documented in such a way as to allow others to understand system operation and configuration CM-8 4 11 b System Owners shall update system documentation annually or whenever system changes occur Such changes include • A vulnerability scan of the information system • New threat information • Weaknesses or deficiencies discovered in currently deployed security controls after an information system breach • A redefinition of mission priorities or business objectives resulting in a change to the security category of the information system and CM-3 CM-8 SA-5 A change in the information system e g adding new hardware software or firmware establishing new connections or the system’s environment of operation 4 11 c Documentation shall be kept on hand and be accessible to authorized personnel including auditors at all times CM-3 4 11 d System documentation may be categorized as Sensitive if deemed appropriate by the Component CISO ISSM This category shall not be used as a means to restrict access to auditors or other authorized personnel CM-3 4 12 Information and Data Backup Policy ID DHS Policy Statements Relevant Controls 4 12 a The policies in this document including Security Authorization Process requirements apply to any devices that process or host DHS data --- 4 12 b Component CISOs ISSMs shall determine whether or not automated process devices shall be included as part of an information system’s Security Authorization Process requirements --- 4 12 c This policy directive and the DHS 4300A Sensitive Systems Handbook apply to all DHS employees contractors detailees others working on behalf of DHS and users of DHS information systems that collect generate process store display transmit or receive DHS data This includes prototypes telecommunications systems and all systems in all phases of the System Engineering Life Cycle --- 73 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 4 13 Converging Technologies Advances in technology have resulted in the availability of devices that offer multiple functions Many devices such as multifunctional desktop computers copiers facsimile machines and heating ventilation and air conditioning HVAC systems may contain sensitive data and may also be connected to data communications networks Policy ID DHS Policy Statements Relevant Controls 4 13 a The policies in this document apply to any networked devices that contain information technology including copiers facsimile machines and alarm control systems --- 4 13 b Components shall ensure that network printers and facsimile machines are updated to the latest version of their firmware software at least annually CM-2 4 13 c Components shall ensure that network printers copiers and facsimile machines shall be configured for least required functionality CM-7 4 13 d Components shall ensure that each network printer copier and facsimile machine is within the system definition of a DHS information system that has a current ATO CM-8 4 13 e Components shall ensure that remote maintenance of network printers copiers and facsimile machines is conducted only from within DHS networks If maintenance planning does not include performing remote maintenance Components shall ensure that remote maintenance capabilities are disabled MA-4 4 13 f Components shall ensure that network printers copiers and facsimile machines are configured to restrict administrator access to authorized individuals or groups MA-5 4 13 g Components shall ensure that maintenance or disposal of network printers copiers or facsimile machines approved for sensitive reproduction is performed only while escorted by a properly cleared person with knowledge to detect any inappropriate action MA-5 4 13 h Components shall ensure that memory and hard drives do not leave the facility they are to be replaced and the old part destroyed as sensitive media MP-6 4 13 i Components shall locate network printers copiers and facsimile machines approved to process sensitive information in areas where access can be controlled when paper output is being created PE-18 4 13 j Any multifunction device connected to a DHS network or other information system containing sensitive data shall have the inbound dial in capabilities disabled AC-17 74 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 5 0 TECHNICAL POLICIES The design of information systems that process store or transmit sensitive information shall include the automated security features discussed in this section Security safeguards shall be in place to ensure that each person having access to sensitive information systems is individually accountable for his or her actions while utilizing the system 5 1 Identification and Authentication Policy ID DHS Policy Statements Relevant Controls 5 1 a Components shall ensure that user access is controlled and limited based on positive user identification and authentication mechanisms that support the minimum requirements of access control least privilege and system integrity IA-1 IA-2 5 1 b For information systems requiring authentication controls Components shall ensure that the information system is configured to require that each user be authenticated before information system access occurs IA-1 IA-2 5 1 c For systems with low impact for the confidentiality security objective Components shall disable user identifiers after ninety 90 days of inactivity for systems with moderate and high impacts for the confidentiality security objective Components shall disable user identifiers after forty-five 45 days of inactivity IA-4 5 1 d DHS users shall not share identification or authentication materials of any kind nor shall any DHS user allow any other person to operate any DHS system by employing the user’s identity IA-5 5 1 e All user authentication materials shall be treated as sensitive material and shall carry a classification as high as the most sensitive data to which that user is granted access using that authenticator IA-7 5 1 f Components shall implement strong authentication on servers for system administrators and personnel with significant security responsibilities within six 6 months of the Component’s implementation of Homeland Security Presidential Directive HSPD HSPD-12 IA-2 5 1 1 Passwords The least expensive method for authenticating users is a password system in which authentication is performed each time a password is used More sophisticated authentication techniques such as Smart Cards and biological recognition systems e g retina scanner handprint voice recognition shall be cost-justified through the risk assessment process 75 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 1 1 a In those systems where user identity is authenticated by password the system ISSO shall determine and enforce appropriate measures to ensure that strong passwords are used IA-5 5 1 1 b The ISSO shall determine and enforce the appropriate frequency for changing passwords in accordance with appropriate guidance documentation if published In the absence of specific guidance documentation passwords shall not remain in effect longer than ninety 90 days IA-5 5 1 1 c DHS users shall not share personal passwords IA-5 5 1 1 d Use of group passwords is limited to situations dictated by operational necessity or critical for mission accomplishment Use of a group User ID and password shall be approved by the appropriate AO IA-4 5 1 1 e Components shall prohibit passwords from being embedded in scripts or source code IA-5 5 1 1 f Components shall ensure that all passwords are stored in encrypted form IA-5 The use of a personal password by more than one individual is prohibited throughout the DHS However it is recognized that in certain circumstances such as the operation of crisis management or operations centers watch team and other duty personnel may require the use of group User IDs and passwords 5 2 Access Control Policy ID DHS Policy Statements Relevant Controls 5 2 a Components shall implement access control policy and procedures that provide protection from unauthorized alteration loss unavailability or disclosure of information AC-1 5 2 b Access control shall follow the principles of least privilege and separation of duties and shall require users to use unique identifiers Social Security Numbers shall not be used as login IDs AC-2 IA-1 5 2 c Users shall not provide their passwords to anyone including system administrators IA-5 5 2 d Emergency and temporary access authorization shall be strictly controlled and shall be approved by the Component CISO ISSM or his her designee prior to being granted AC-2 76 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 2 e System Owners shall ensure that users are assigned unique account identifiers AC-2 IA-4 5 2 f DHS systems with a FIPS 199 confidentiality categorization of high shall limit the number of concurrent sessions for any user to one 1 AC-10 5 2 1 Automatic Account Lockout Components shall configure each information system to lock a user’s account for a specified period following a specified number of consecutive failed logon attempts Users shall be locked from their account for a period of twenty 20 minutes after three consecutive failed logon attempts during a twenty-four 24 hour time period All failed logon attempts must be recorded in an audit log and periodically reviewed Policy ID DHS Policy Statements Relevant Controls 5 2 1 a Components shall configure accounts to automatically lock a user’s account after three consecutive failed logon attempts during a twenty-four 24 hour time period AC-7 5 2 1 b The automatic lockout period for accounts locked due to failed login attempts shall be set for twenty 20 minutes AC-7 5 2 1 c Components shall establish a process for manually unlocking accounts prior to the expiration of the twenty 20 minute period after sufficient user identification is established This may be accomplished through the help desk AC-7 5 2 2 Automatic Session Termination A session refers to a connection between a terminal device workstation laptop PED and a networked application or system This does not include a direct connection to a DHS network such as authenticating from a device that is directly connected to a DHS network A session also refers to accessing an application or system through the DHS network such as a database or networked application When a session is locked the user may resume activity by reauthenticating When a session is terminated the user is disconnected and all unsaved work is lost Policy ID 5 2 2 a DHS Policy Statements Components shall configure networked applications or systems to automatically lock any user session in accordance with the appropriate configuration guide In the absence of configuration guidance the session shall lock following twenty 20 minutes of inactivity 77 v8 0 March 14 2011 Relevant Controls AC-11 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 2 2 b Locked sessions shall remain locked until the user re-authenticates AC-11 5 2 2 c Sessions shall automatically be terminated after sixty 60 minutes of inactivity SC-10 5 2 3 Warning Banner The DHS CISO stipulates that a warning banner statement be displayed on all DHS systems during logon The most current language can be found on the DHS CISO web page Please note that the current warning banner was developed specifically for use on DHS workstations Due to differing function purpose and situation as well as length requirements warning banners for other environments such as routers switches and public-facing websites will be developed and included in a future version of the DHS 4300A Sensitive Systems Handbook The use of the warning banner serves as a reminder to all users that the computers they are accessing are Government computers Policy ID DHS Policy Statements Relevant Controls 5 2 3 a Systems internal to the DHS network shall display a warning banner stipulated by the DHS CISO AC-8 5 2 3 b Systems accessible to the public shall provide both a security and privacy statement at every entry point AC-8 78 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 5 3 Auditing Policy ID 5 3 a 5 4 DHS Policy Statements Audit records shall be sufficient in detail to facilitate the reconstruction of events if compromise or malfunction occurs or is suspected Audit records shall be reviewed as specified in the SP The audit record shall contain at least the following information - Identity of each user and device accessing or attempting to access the system - Time and date of the access and the logoff - Activities that might modify bypass or negate information security safeguards - Security-relevant actions associated with processing - All activities performed using an administrator’s identity Relevant Controls AU-3 5 3 b Audit records for financial systems or for systems hosting or processing PII shall be reviewed each month Unusual activity or unexplained access attempts shall be reported to the System Owner and Component CISO ISSM AU-6 5 3 c Components shall ensure that their audit records and audit logs are protected from unauthorized modification access or destruction AU-9 5 3 d Components shall ensure that audit logs are recorded and retained in accordance with the Component’s Record Schedule or the DHS Records Schedule At a minimum audit trail records shall be maintained online for at least ninety 90 days Audit trail records shall be preserved for a period of seven 7 years as part of managing records for each system to allow audit information to be placed online for analysis with reasonable ease AU-11 5 3 e Components shall evaluate the system risks associated with extracts of PII from databases If the risk is determined to be sufficiently high a procedure shall be developed for logging computer-readable data extracts If logging these extracts is not possible this determination shall be documented and compensating controls identified in the SP AU-1 AU-2 AU-3 PM-9 5 3 f Component SOCs shall implement both general and threat-specific logging AU-1 Network and Communications Security 5 4 1 Remote Access and Dial-In Remote access technology allows trusted employees to access DHS networks by dialing in via modem or accessing the DHS network via the Internet This allows mobile employees to stay in touch with the home office while traveling away from their normal work locations However there are significant security risks associated with remote access and dial-in capabilities Proper procedures can help mitigate these risks 79 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 4 1 a Data communication connections via modems shall be limited and shall be tightly controlled as such connections can be used to circumvent security controls intended to protect DHS networks Data communication connections are not allowed unless they have been authorized by the Component CISO ISSM Approved remote access to DHS networks shall only be accomplished through equipment specifically approved for that purpose Tethering through wireless PEDs is prohibited unless approved by the appropriate AO AC-4 AC-17 AU-2 SC-7 SC-8 SC-9 5 4 1 b Components shall centrally manage all remote access and dial-in connections to their systems and shall ensure that remote access and approved dial-in capabilities provide strong authentication two-factor authentication audit capabilities and protection for sensitive information throughout transmission DHS has an immediate goal that remote access shall only be allowed with twofactor authentication where one of the factors is provided by a device separate from the computer gaining access Any two-factor authentication shall be based on Department-controlled certificates or hardware tokens issued directly to each authorized user Remote access solutions shall comply with the encryption requirements of FIPS 140-2 Security Requirements for Cryptographic Modules See Privacy Controls Section Section 3 14 for additional requirements involving remote access of PII AC-4 AC-17 AU-2 SC-7 SC-8 SC-9 5 4 1 c Remote access of PII shall comply with all DHS requirements for sensitive systems including strong authentication Strong authentication shall be accomplished via virtual private network VPN or equivalent encryption and two-factor authentication The Risk Assessment and SP shall document any remote access of PII and the remote access shall be approved by the AO prior to implementation AC-4 AC-17 AU-2 SC-7 SC-8 SC-9 5 4 1 d Remote access of PII shall not permit the download and remote storage of information unless the requirements for the use of removable media with sensitive information have been addressed All downloads shall follow the concept of least privilege and shall be documented with the SP --- 5 4 2 Network Security Monitoring Security Monitoring Detection and Analysis are key functions and are critical to maintaining the security of DHS information systems Monitoring and analysis is limited to observing network activity for anomalies malicious activities and threat profiles Content analysis is not within the scope of network monitoring 80 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 4 2 a Components shall provide continuous monitoring of their networks for security events or outsource this requirement to the DHS EOC Monitoring includes interception and disclosure as required for the rendition of service or to protect the Department’s or Component’s rights or property Service observing or random monitoring shall not be used except for mechanical or service quality control checks As per the Electronic Communications Privacy Act In this instance “rights” refers to ownership or entitlements or property or information as in intellectual property SI-4 5 4 2 b The DHS EOC shall administer and monitor DHS intrusion detection system IDS sensors and security devices SI-4 5 4 2 c Component SOCs shall administer and monitor Component IDS sensors and security devices SI-4 5 4 3 Network Connectivity A system interconnection is the direct connection of two or more information systems for the purpose of sharing data and other information resources This applies to systems that pass data between each other via a direct system-to-system interface without human intervention Any physical connection that allows other systems to share data pass thru also constitutes an interconnection even if the two systems connected do not share data between them It does not include instances of a user logging on to add or retrieve data nor users accessing web-enabled applications through a browser Policy ID DHS Policy Statements Relevant Controls 5 4 3 a Components shall ensure that appropriate identification and authentication controls audit logging and access controls are implemented on every network element AC-1 AC-2 AU-1 AU-2 IA-1 IA-2 5 4 3 b Interconnections between DHS and non-DHS systems shall be established only through controlled interfaces and via approved service providers The controlled interfaces shall be accredited at the highest security level of information on the network Connections with other Federal agencies shall be documented based on interagency agreements memoranda of understanding service level agreements or interconnection security agreements CA-3 5 4 3 c Components shall document all interconnections to the DHS OneNet with an ISA signed by the OneNet AO and by each applicable AO Additional information regarding ISAs is published in Attachment N Preparation of Interconnection Security Agreements to the DHS 4300A Sensitive Systems CA-3 81 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls Handbook 5 4 3 d ISAs shall be reissued every three 3 years or whenever any significant changes have been made to any of the interconnected systems CA-3 5 4 3 e ISAs shall be reviewed and updated as needed as a part of the annual FISMA self-assessment CA-3 5 4 3 f Components may complete a master ISA which includes all transitioning systems as part of their initial OneNet transition After transition each additional system or GSS shall be required to have a separate ISA Interconnections between DHS Components not including DHS OneNet shall require an ISA whenever there is a difference in the security categorizations for confidentiality integrity and availability between the systems or when the systems do not share the same security policies In this context ‘security policies’ refers to the set of rules that controls a system’s working environment and not to DHS information security policy ISAs shall be signed by each applicable AO --- 5 4 3 g Components shall document interconnections between their own and external Non-DHS networks with an ISA for each connection CA-3 5 4 3 h The DHS CIO shall approve all interconnections between DHS enterpriselevel information systems and non-DHS information systems The DHS CIO shall ensure that connections with other Federal Government Agencies are properly documented A single ISA may be used for multiple connections provided that the security accreditation is the same for all connections covered by that ISA CA-3 5 4 3 i The Department and Components shall implement Trust Zones through Policy Enforcement Points PEP as defined in the DHS Security Architecture SC-7 5 4 3 j DHS OneNet shall provide secure Name Address resolution service Domain Name System Security Extensions DNSSEC has been designated as the DHS service solution SC-20 SC-21 SC-22 5 4 3 k All DHS systems connected to OneNet and operating at moderate or high level shall utilize secure Name Address resolution service provided by DHS OneNet SC-20 SC-21 SC-22 5 4 3 l The appropriate CCB shall ensure that documentation associated with an approved change to an information system is updated to reflect the appropriate baseline DHS systems that interface with OneNet shall also be subject to the OneNet CCB CM-3 82 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements 5 4 3 m Interconnections between two accredited DHS systems do not require an ISA if the interface characteristics security requirements nature of information communicated and monitoring procedures for verifying enforcement of security requirements are accounted for in the SPs or are described in another formal document such as a Service Level Agreement SLA or contract and the risks have been assessed and accepted by all involved AOs 5 4 3 n Granting the ability to log into one DHS system through another DHS system such as through OneNet trust does not require an ISA when the requirements from Section 5 4 3 m are met Relevant Controls CA-3 --- 5 4 4 Firewalls and Policy Enforcement Points Policy Enforcement Points PEP separate Trust Zones as defined in the DHS Security Architecture Boundary protection between DHS and external networks is implemented by firewalls at the TICs and other approved direct system inter-connections DHS TICs are provided by OneNet and monitored by the DHS EOC Component SOCs may protect DHS-internal boundaries across Trust Zones Policy ID DHS Policy Statements Relevant Controls 5 4 4 a Components shall restrict physical access to firewalls and PEP to authorized personnel AC-4 SC-7 5 4 4 b Components shall implement identification and strong authentication for administration of the firewalls and PEPs AC-4 SC-7 5 4 4 c Components shall encrypt remote maintenance paths to the firewalls and PEPs MA-4 SC-7 5 4 4 d Components shall conduct quarterly firewall and PEP testing to ensure that the most recent policy changes have been implemented and that all applied policies and controls are operating as intended SC-7 5 4 4 e Component SOCs shall ensure that reports on information security operations status and incident reporting are provided to the DHS CISO as required IR-6 5 4 4 f All Department and Component firewalls and PEPs shall be administered in coordination with DHS security operation capabilities through the DHS EOC or Component SOCs SC-7 5 4 4 g All DHS PEPs shall provide protection against denial-of-service attacks SC-5 83 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 4 4 h Components shall determine protocols and services permitted through their Component-level PEPs Components may restrict traffic sources and destinations at their Component-level PEPs SC-7 5 4 4 i The DHS CISO shall establish policy to block or allow traffic sources and destinations at the DHS TIC PEPs The DHS CISO policy shall prevent traffic as directed by the DHS CIO SC-7 5 4 4 j The DHS EOC shall oversee all enterprise PEPs --- 5 4 5 Internet Security Policy ID DHS Policy Statements Relevant Controls 5 4 5 a Any direct connection of OneNet DHS networks or DHS mission systems to the Internet or to extranets shall occur through DHS TIC PEPs The PSTN shall not be connected to OneNet at any time SC-7 5 4 5 b Firewalls and PEPs shall be configured to prohibit any protocol or service that is not explicitly permitted CM-7 SC-7 SC-8 SC-9 5 4 5 c Components shall ensure that all executable code including mobile code e g ActiveX JavaScript is reviewed and approved by the Program Manager prior to the code being allowed to execute within the DHS environment Note When the technology becomes available and code can be vetted for security the policy will be “Ensure that all approved code including mobile code e g ActiveX JavaScript is digitally signed by the designated DHS authority and that only signed code is allowed to execute on DHS systems ” SC-18 5 4 5 d Telnet shall not be used to connect to any DHS computer A connection protocol such as Secure Shell SSH that employs secure authentication two factor encrypted key exchange and is approved by the Component shall be used instead CM-7 SC-7 SC-8 SC-9 5 4 5 e File Transfer Protocol FTP shall not be used to connect to or from any DHS computer A connection protocol that employs secure authentication two factor encrypted key exchange and is approved by the Component shall be used instead CM-7 SC-7 SC-8 SC-9 5 4 5 f Remote Desktop connections such as Microsoft’s Remote Desktop Protocol RDP shall not be used to connect to or from any DHS computer without the use of an authentication method that employs secure authentication twofactor encrypted key exchange AC-17 IA-2 84 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 5 4 5 g DHS Policy Statements In order to ensure the security and availability of DHS information and information systems the DHS CIO or DHS CISO may direct that specific Internet websites or categories be blocked at the DHS TICs on advice from US-CERT the DHS EOC or other reputable sources Relevant Controls --- 5 4 6 Email Security The DHS email gateway Steward provides email monitoring for spam and virus activity at the gateway DHS EOC personnel shall be trained to respond to incidents pertaining to email security and shall assist the email Steward as necessary Components shall provide appropriate security for their email systems Policy ID DHS Policy Statements Relevant Controls 5 4 6 a Components shall correctly secure install and configure the underlying email operating system --- 5 4 6 b Components shall correctly secure install and configure mail server software --- 5 4 6 c Components shall secure and filter email content --- 5 4 6 d Components shall deploy appropriate network protection mechanisms such as --- - Firewalls - Routers - Switches - Intrusion detection systems 5 4 6 e Components shall secure mail clients --- 5 4 6 f Components shall conduct mail server administration in a secure manner This includes --- - Performing regular backups - Performing periodic security testing - Updating and patching software - Reviewing audit logs at least weekly 5 4 6 g The DHS email gateway Steward shall provide email monitoring for malware activity at the gateway SI-3 5 4 6 h The DHS email gateway Steward shall provide email monitoring for spam at the gateway SI-8 85 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 4 6 i Auto-forwarding or redirecting of DHS email to address outside of the gov or mil domain is prohibited and shall not be used Users may manually forward individual messages after determining that the risk or consequences are low --- 5 4 6 j All DHS email systems are required to use the common naming convention with distinguishing identifiers for military officers contractors foreign nationals and U S Government personnel from other Departments and agencies --- Note Due to the significant risk associated with HTML email DHS is considering following the lead of the Department of Defense DoD and moving to text based email 5 4 7 Personal Email Accounts Policy ID DHS Policy Statements Relevant Controls 5 4 7 a The use of Internet webmail Gmail Yahoo AOL or other personal email accounts is not authorized over DHS furnished equipment or network connections --- 5 4 7 b When sending email to an address outside of the gov or mil domain users shall ensure that any sensitive information particularly PII is attached as an encrypted file --- 5 4 8 Testing and Vulnerability Management The DHS EOC takes a proactive approach to vulnerability management including detecting vulnerabilities through testing reporting through ISVM messages and conducting Vulnerability Assessments VA Vulnerability management is a combination of detection assessment and mitigation of weaknesses within a system Vulnerabilities may be identified from a number of sources including reviews of previous risk assessments audit reports vulnerability lists security advisories and system security testing such as automated vulnerability scanning or security assessments Core elements of vulnerability management include continuous monitoring and mitigating the discovered vulnerabilities based on a risk management strategy This strategy accounts for vulnerability severity threats and assets at risk Policy ID 5 4 8 a DHS Policy Statements Components shall conduct vulnerability assessments and or testing to identify security vulnerabilities on information systems containing sensitive information annually or whenever significant changes are made to the information systems This shall include scanning for unauthorized wireless 86 v8 0 March 14 2011 Relevant Controls --- DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls devices Evidence that annual assessments have been conducted shall be included in SARs and with annual security control assessments 5 4 8 b Component CISOs ISSMs shall approve and manage all activities relating to requests for Vulnerability Assessment Team VAT assistance in support of incidents internal and external assessments and on-going SLC support --- 5 4 8 c Component CISOs ISSMs or their designated representatives shall acknowledge receipt of ISVM messages SI-5 5 4 8 d Components shall report compliance with the ISVM message within the specified timeframe Components unable to meet the designated compliance timeframe shall submit documentation of a waiver request via the DHS EOC Online Portal https eoconline dhs gov SI-5 5 4 8 e When vulnerability assessment responsibilities encompass more than one Component Component CISOs ISSMs shall coordinate with the relevant Component SOC and the DHS EOC RA-3 5 4 8 f The DHS EOC shall be notified before any ISVM scans are run RA-5 5 4 8 g System Owners shall report the security alert and advisory status of the information system to the AO Component CISO ISSM and DHS CISO upon request and on a periodic basis SI-5 5 4 9 Peer-to-Peer Technology Policy ID 5 4 9 a 5 5 DHS Policy Statements Peer to peer software technology is prohibited on any DHS information system Relevant Controls CM-7 SA-6 Cryptography Cryptography is a branch of mathematics that deals with the transformation of data Transformation converts ordinary text plaintext into coded form ciphertext by encryption and ciphertext into plaintext by decryption 5 5 1 Encryption Encryption is the process of changing plaintext into ciphertext for the purpose of security or privacy 87 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 5 5 1 a DHS Policy Statements Systems requiring encryption shall comply with the following methods Products using FIPS 197 Advanced Encryption Standard AES algorithms with at least 256 bit encryption that has been validated under FIPS 140-2 National Security Agency NSA Type 2 or Type 1 encryption Note The use of triple Data Encryption Standard 3DES and FIPS 140-1 is no longer permitted Relevant Controls IA-7 SC-13 5 5 1 b Components shall develop and maintain encryption plans for sensitive information systems IA-7 SC-13 5 5 1 c Components shall use only cryptographic modules that are FIPS 197 AES256 compliant and have received FIPS 140-2 validation at the level appropriate to their use IA-7 SC-13 5 5 2 Public Key Infrastructure A PKI is an architected set of systems and services that provide a foundation for enabling the use of public key cryptography This is necessary in order to implement strong security services and to allow the use of digital signatures The principal components of a PKI are the public key certificates registration authorities RA certification authorities CA directory certificate revocation lists CRL and a governing certificate policy CP Policy ID DHS Policy Statements Relevant Controls 5 5 2 a The DHS CISO shall be the DHS PKI Policy Authority PKI PA to provide PKI policy oversight A detailed description of DHS PKI PA roles and responsibilities are provided in the DHS PKI Policy SC-17 5 5 2 b The DHS CISO shall represent DHS on the Federal PKI Policy Authority FPKI PA SC-17 5 5 2 c The DHS PKI PA shall appoint a PKI Management Authority PKI MA to provide management and operational oversight of the DHS PKI A detailed description of DHS PKI MA roles and responsibilities are provided in the DHS PKI Policy SC-17 5 5 2 d The DHS PKI shall be governed by the U S Common Policy Framework certificate policy approved by the FPKI PA and the DHS PKI Policy approved by the DHS PKI PA SC-17 5 5 2 e DHS shall have a single DHS Principal CA that is subordinate to the U S Common Policy Root CA The DHS Principal CA shall be operated for DHS by the Department of Treasury DoT under the Federal Shared Service Provider SSP program SC-17 88 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 5 2 f All additional CAs within DHS must be subordinate to the DHS Principal CA The requirements and process for becoming a subordinate CA to the DHS Principal CA shall be specified in the DHS PKI Policy SC-17 5 5 2 g Components that implement a CA shall ensure that the CA is subordinate to the DHS Principal CA SC-13 5 5 2 h All DHS CAs shall have a trust path resolving to the U S Common Policy Root CA The U S Common Policy Root CA is cross-certified with the Federal Bridge CA at the high medium hardware and medium assurance levels SC-17 5 5 2 i The DHS Principal CA shall operate under an X 509 Certification Practices Statement CPS The CPS shall comply with the U S Common Policy Framework DoT as the SSP for DHS approves the CPS for the DHS Principal CA SC-17 5 5 2 j All DHS CAs subordinate to the DHS Principal CA shall operate under an X 509 CPS The CPS shall comply with the U S Common Policy Framework and the DHS PKI Policy The DHS PKI PA must approve the CPS SC-17 5 5 2 k The DHS PKI PA shall ensure that the CPS for each subordinate DHS CA complies with the U S Common Policy Framework and DHS PKI Policy prior to approval SC-17 5 5 2 l The DHS PKI MA shall ensure that every subordinate DHS CA operates in compliance with its approved CPS SC-17 5 5 2 m All DHS CAs shall undergo regular PKI compliance audits as required by the U S Common Policy Framework and the DHS PKI Policy The DHS PKI PA shall approve the auditor The audit findings report and POA Ms to address deficiencies found shall be provided to the DHS PKI PA and DHS PKI MA SC-17 5 5 2 n All DHS CAs shall archive records as required by the U S Common Policy Framework and their CPS SC-17 5 5 2 o All operational PKI facilities shall be established in accordance with U S Common Policy Framework physical security requirements based on the CA’s assurance level and its intended use Location protection of the CA shall be determined by its level of assurance Measures taken to ensure the continuity of PKI operations shall at least provide the same level of availability of PKI Services as the individual and composite availability requirements of the systems and data protected by the certificates SC-17 89 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls 5 5 2 p The DHS Principal CA and DHS subordinate CAs shall only issue certificates to internal DHS entities e g employees contractors roles groups applications code signers and devices External entities who require certificates to securely interact with DHS shall acquire certificates from a nonDHS PKI that is cross-certified with the FBCA at medium assurance or above SC-17 5 5 2 q Only the DHS Principal CA shall issue certificates to DHS employees contractors roles code signers and other human entities including certificates for DHS HSPD-12 Personal Identify Verification PIV Cards The DHS Principal CA may also issue all other types of certificates allowed under the U S Common Policy to internal DHS entities SC-17 5 5 2 r DHS Subordinate CAs shall only issue certificates to internal non-human entities Any additional restrictions on the types of certificates that may be issued by a specific subordinate DHS CA shall be determined during the subordination process and approved by the DHS PKI PA SC-17 5 5 2 s The use by DHS of any non-DHS service provider for CA or PKI services is prohibited unless approved by the DHS CISO SC-13 5 5 2 t Only certificates that are issued by the DHS Principal CA or a subordinate DHS CA under the U S Common Policy Framework at medium assurance or above shall be used to protect sensitive DHS data or to authenticate to operational systems containing sensitive data Certificates issued by DHS CAs that are not established as subordinate to the DHS Principal CA certificates issued by test pilot third party self-signed or other CAs shall not be used to protect sensitive data or to authenticate to DHS operational systems containing sensitive data SC-17 5 5 3 Public Key Private Key A public key certificate is used to obtain subscribers’ public keys in a trusted manner Once obtained the public key is then used • To encrypt data for that subscriber so that only that subscriber can decrypt it • To verify that digitally signed data was signed by that subscriber thereby authenticating the identity of the signing subscriber and the integrity of the signed data Policy ID DHS Policy Statements Relevant Controls 5 5 3 a Separate public private key pairs must be used for encryption and digital signature by human subscribers organization subscribers application subscribers and code-signing subscribers SC-12 5 5 3 b Separate public private key pairs must be used for encryption and digital signature by device subscribers whenever supported by the protocols native to SC-12 90 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements Relevant Controls the type of device 5 5 3 c A human sponsor shall represent each application role code-signing and device subscriber when it applies for one or more certificates from a DHS CA SC-12 5 5 3 d An authorized DHS employee shall sponsor DHS contractors and other affiliates when they apply for one or more certificates from a DHS CA SC-12 5 5 3 e A mechanism shall be provided for each DHS CA to enable PKI registrars to determine the eligibility of each proposed human role application code signer or device to receive one or more certificates SC-12 5 5 3 f A mechanism shall be provided for each DHS CA to enable PKI registrars to determine and verify the identity of the authorized human sponsor for each DHS contractor affiliate role application code signer or device SC-12 5 5 3 g Human subscribers shall not share private keys and shall be responsible for their security and use If a human subscriber discloses or shares his or her private key the subscriber shall be accountable for all transactions signed with the subscriber’s private key 5 5 3 h Sponsors for non-human subscribers role application code-signing or device shall be responsible for the security of and use of the subscriber’s private keys Every sponsor shall read understand and sign a “DHS PKI Device Sponsor Agreement” as a pre-condition for sponsoring non-human subscribers SC-17 5 5 3 i Subscriber private keys shall not be used by more than one entity with the following exception Multiple devices in a high availability configuration may use a single Secure Socket Layer SSL Subject Alternative Name SAN certificate and thus use the same key pair SC-12 5 5 3 j Every human subscriber shall read understand and sign a “DHS PKI Human Subscriber Agreement” as a pre-condition for receiving certificates from a DHS CA These signed agreements shall be maintained by the DHS PKI MA SC-17 5 6 --- Malware Protection Policy ID DHS Policy Statements Relevant Controls 5 6 a Component CISOs ISSMs shall establish and enforce Component-level malware protection control policies SI-3 5 6 b Components shall implement a defense-in-depth strategy that SI-3 - Installs antivirus software on desktops and servers 91 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID 5 6 c 5 7 DHS Policy Statements - Configures antivirus software on desktops and servers to check all files downloads and email - Installs updates to antivirus software and signature files on desktops and servers in a timely and expeditious manner without requiring the end user to specifically request the update - Installs security patches to desktops and servers in a timely and expeditious manner System Owners shall develop and enforce procedures to ensure proper malware scanning of media prior to installation of primary hard drives software with associated files and other purchased products Relevant Controls AC-20 SI-3 Product Assurance Policy ID DHS Policy Statements Relevant Controls 5 7 a Information Assurance IA shall be considered a requirement for all systems used to input process store display or transmit sensitive or national security information IA shall be achieved through the acquisition and appropriate implementation of evaluated or validated COTS IA and IA-enabled IT products These products shall provide for the availability of systems The products also shall ensure the integrity and confidentiality of information and the authentication and nonrepudiation of parties in electronic transactions --- 5 7 b Strong preference shall be given to the acquisition of COTS IA and IAenabled IT products to be used on systems entering processing storing displaying or transmitting sensitive information that have been evaluated and validated as appropriate in accordance with the following --- - The NIST FIPS validation program - The NSA NIST National Information Assurance Partnership NIAP Evaluation and Validation Program - The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Agreement 5 7 c The evaluation and validation of COTS IA and IA-enabled products shall be conducted by accredited commercial laboratories or by NIST --- 5 7 d Components shall use only cryptographic modules that meet the requirements set forth in Section 5 5 Cryptography --- 5 7 e Transaction-based systems e g database management systems transaction processing systems shall implement transaction rollback and transaction --- 92 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Policy ID DHS Policy Statements journaling or technical equivalents 93 v8 0 March 14 2011 Relevant Controls DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A 6 0 DOCUMENT CHANGE REQUESTS Changes to DHS Sensitive Systems Policy Directive 4300A and to the DHS 4300A Sensitive Systems Handbook may be requested in accordance with Section 1 7 Changes to Policy 7 0 QUESTIONS AND COMMENTS For clarification of DHS information security policies or procedures contact the DHS Director for Information Systems Security Policy at INFOSEC@dhs gov 94 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A APPENDIX A ACRONYMS AC Access Control AES Advanced Encryption Standards AO Authorizing Official ARB Acquisition Review Board AT Awareness and Training ATO Authority to Operate AU Audit and Accountability BI Background Investigation BIA Business Impact Assessment BLSR Baseline Security Requirements CA Certificate Authority Certification Accreditation and Security Assessments CCB Change Control Board CFO Chief Financial Officer CI Counter-Intelligence C-I-A Confidentiality Integrity and Availability CIO Chief Information Officer CISID Chief Internal Security and Investigations Division CISO Chief Information Security Officer CM Configuration Management CMG Core Management Group CMP Configuration Management Plan CO Certifying Official CONOPS Concept of Operations COOP Continuity of Operations Plan Continuity of Operations Planning COTS Commercial off the Shelf CP Contingency Plan Contingency Planning Certificate Policy 95 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A CPIC Capital Planning and Investment Control CPS Certificate Practices Statement CRE Computer-Readable Extract CRL Certificate Revocation List CSIRC Computer Security Incident Response Center CSO Chief Security Officer CUI Control Unclassified Information DES Digital Encryption Standards DHS Department of Homeland Security DNSSEC Domain Name System Security Extensions DoD Department of Defense DoS Department of State DoT Department of Treasury EA Enterprise Architecture EAB Enterprise Architecture Board EO Executive Order EOC Enterprise Operations Center FBCA Federal Bridge Certification Authority FDCC Federal Desktop Core Configuration FICAM Federal Identity Credentialing and Access Management FIPS Federal Information Processing Standard FISMA Federal Information Security Management Act FOUO For Official Use Only FPKI PA Federal PKI Policy Authority FTP File Transfer Protocol FYHSP Future Years Homeland Security Program GSA General Services Administration GSS General Support System HIPAA Health Insurance Portability and Accountability Act HSAR Homeland Security Acquisition Regulations 96 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A HSDN Homeland Secure Data Network HSPD Homeland Security Presidential Directive HVAC Heating Ventilation and Air Conditioning IA Identification and Authentication Information Assurance IATO Interim Authority to Operate ICAM Identity Credentialing and Access Management IDS Intrusion Detection System IR Incident Response Infrared IRB Investment Review Board ISA Interconnection Security Agreement ISO Information Security Office ISSO Information System Security Officer ISVM Information System Vulnerability Management JWICS Joint Worldwide Intelligence Communications System IT Information Technology LAN Local Area Network LE Law Enforcement LMR Land Mobile Radio MA Maintenance Major Application MBI Minimum Background Investigation MD Management Directive MMS Multimedia Messaging Service MP Media Protection NIAP National Information Assurance Partnership NIST National Institute of Standards and Technology NOC Network Operations Center NSA National Security Agency OCIO Office of the Chief Information Officer 97 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A OID Object identifier OIG Office of Inspector General OIS Office of Information Security OMB Office of Management and Budget OPA Office of Public Affairs OPM Office of Personnel Management OTAR Over-The-Air-Rekeying PA Policy Authority PBX Private Branch Exchange PCS Personal Communications Services PDA Personal Digital Assistant PE Physical and Environmental Protection PED Portable Electronic Device PEP Policy Enforcement Point PHI Protected Health Information PIRT Privacy Incident Response Team PIA Privacy Impact Assessment PII Personally Identifiable Information PIN Personal Identity Number PIV Personal Identity Verification PKI Public Key Infrastructure PKI PA PKI Policy Authority PKI PM PKI Management Authority PL Planning PM Program Manager Program Management PNS Protected Network Services POA M Plan of Action and Milestones POC Point of Contact PPOC Privacy Point of Contact PS Personnel Security 98 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A PSTN Public Switched Telephone Network PTA Privacy Threshold Analysis RA Risk Assessment Registration Authority RDP Remote Desktop Protocol RF Radio Frequency RFID Radio Frequency Identification RMS Risk Management System SA Security Architecture System and Services Acquisition SAN Subject Alternative Name SAR Security Assessment Report SAISO Senior Agency Information Security Officer SAOP Senior Agency Official for Privacy SC System and Communications Protection SCI Sensitive Compartmented Information SELC Systems Engineering Life Cycle SI System and Information Integrity SLA Service Level Agreement SMS Short Message Service SOC Security Operations Center SOP Standard Operating Procedure SORN System of Records Notice SP Special Publication Security Plan SSH Secure Shell SSL Secure Socket Layer SSP Shared Service Provider TAF TrustedAgent FISMA TFPAP Trust Framework Provider Adoption Process TIC Trusted Internet Connections 99 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A TOS Terms of Service TRM Technical Reference Model TS Top Secret US-CERT United States Computer Emergency Readiness Team VA Vulnerability Assessment VAT Vulnerability Assessment Team USGBC U S Government Configuration Baseline VoIP Voice over Internet Protocol VPN Virtual Private Network WLAN Wireless Local Area Network WPAN Wireless Personal Area Network WWAN Wireless Wide Area Network 100 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A APPENDIX B GLOSSARY The following definitions apply to the policies and procedures outlined in this document Other definitions may be found in NIST IR 7298 Glossary of Key Information Security Terms and the National Information Assurance IA Glossary Acceptable Risk Mission organizational or program-level risk deemed tolerable by the RE after adequate security has been provided Accreditation Package The documents submitted to the AO for the Accreditation Decision An Accreditation Package consists of Accreditation Decision Letter Security Plan - criteria provided on when the plan should be updated Security Assessment Report - updated on an ongoing basis whenever changes are made to either the security controls in the information system or the common controls inherited by those systems Plan of Action and Milestones Adequate Security Security commensurate with the risk and the magnitude of harm resulting from the loss misuse or unauthorized access to or modification of information OMB Circular A-130 Appendix III Annual Assessment DHS activity for meeting the annual FISMA self-assessment requirement Authorizing Official AO An official within a Federal Government agency who can grant approval for a system to operate Cellular phone A mobile device used for voice communication irrespective of the communications technology employed Certification Certifying Agent A contractor that performs certification tasks as designated by the CO Certifying Authority CA Obsolete term see Security Control Assessor Security Control Assessor A senior management official who certifies the results of the security assessment He or she must be a Federal Government employee Chief Information Officer CIO The executive within a Federal Government agency responsible for its information systems 101 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Compensating Control An internal control intended to reduce the risk of an existing or potential control weakness Component A DHS Component is any of the entities within DHS including all DHS offices and independent agencies Computer Security Incident Response Center DHS organization that responds to computer security incidents Designated Approval Authority DAA Obsolete term see Authorizing Official AO Information System Any information technology that is 1 owned leased or operated by any DHS Component 2 operated by a contractor on behalf of DHS or 3 operated by another Federal state or local Government agency on behalf of DHS Information systems include general support systems and major applications Enterprise Operations Center EOC The DHS organization that coordinates security operations for the DHS Enterprise Exception Acceptance to permanently operate a system that does not comply with policy For Official Use Only The marking instruction or caveat “For Official Use Only” will be used to identify sensitive but unclassifed information within the DHS community that is not otherwise specifically described and governed by statute or regulation General Support System GSS An interconnected set of information resources under the same direct management control and sharing common functionality A GSS normally includes hardware software information applications communications data and users Information Security Vulnerability Management ISVM DHS system that provides notification of newly discovered vulnerabilities and tracks the status of vulnerability resolution Information System Security Officer ISSO Someone who implements and or monitors security for a particular system Information Technology Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition storage manipulation management movement control display switching interchange transmission or reception of data or information 102 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Major Application MA An automated information system AIS that “requires special attention to security due to the risk and magnitude of harm resulting from the loss misuse or unauthorized access to or modification of the information in the application” in accordance with OMB Circular A-130 An MA is a discrete application whereas a GSS may support multiple applications Management Controls The security controls for an information system that focus on the management of risk and the management of information system security Operational Controls The security controls for an information system that are primarily implemented and executed by people as opposed to systems Operational Risk The risk contained in a system under operational status It is the risk that an AO accepts when granting an ATO Personally Identifiable Information PII Any information that permits the identity of an individual to be directly or indirectly inferred including any other information that is linked or linkable to an individual regardless of whether the individual is a U S Citizen legal permanent resident or a visitor to the U S Pilot A test system in the production environment that may contain operational data and may be used to support DHS operations typically in a limited way Policy Statement A high-level rule for guiding actions intended to achieve security objectives Policy Enforcement Point PEP A firewall or similar device that can be used to restrict information flow Portable Electronic Device PED A device that has a battery and is meant to process information without being plugged into an electric socket it is often handheld but can be a laptop computer Privacy Sensitive System Any system that collects uses disseminates or maintains PII or sensitive PII Production Operational as in “production system” or “production environment ” Prototype A test system in a test environment that must not contain operational data and must not be used to support DHS operations Remote Access Access to a DHS information system by a user or an information system communicating through an external non-DHS-controlled network e g the Internet Residual Risk The risk remaining after security controls have been applied 103 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Risk Executive RE An individual who ensures that risks are managed consistently across the organization An RE can be at the Departmental or Component level Security Control A particular safeguard or countermeasure to protect the confidentiality integrity and availability of a system and its information Security Incident An occurrence that actually or potentially jeopardizes the confidentiality integrity or availability of an information system or the information the system processes stores or transmits or that constitutes a violation or imminent threat of violation of security policies security procedures or acceptable use policies Security Operations Center SOC The DHS Component organization that coordinates security operations within its Component Security Requirement A formal statement of action or process applied to an information system and its environment in order to provide protection and attain security objectives Security requirements for any given system are contained in its Security Plan Senior Agency Information Security Official SAISO The point of contact within a Federal Government agency responsible for its information system security Sensitive But Unclassified Obsolete designation see Sensitive Information Sensitive Information Information not otherwise categorized by statute or regulation that if disclosed could have an adverse impact on the welfare or privacy of individuals or on the welfare or conduct of Federal Government programs or other programs or operations essential to the national interest Sensitive Personally Identifiable Information Sensitive PII PII that requires stricter handling guidelines because of the nature of the data and the increased risk to an individual if compromised and if lost compromised or disclosed without authorization could result in substantial harm embarrassment inconvenience or unfairness to an individual Examples of sensitive PII include Social Security numbers or alien number A-number Significant Incident A computer security-related incident that represents a meaningful threat to the DHS mission and requires immediate leadership notification Spam E-mails containing unwanted commercial solicitation fraudulent schemes and possibly malicious logic Strong Authentication Layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information System A discrete set of information system assets contained within the accreditation boundary 104 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A System Owner Technical Controls The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware software or firmware elements of the system Two-Factor Authentication Authentication can involve something the user knows e g a password something the user has e g a smart card or something the user “is” e g a fingerprint or voice pattern Single-factor authentication uses only one of the three forms of authentication while two-factor authentication uses any two of the three forms Three-factor authentication uses all three forms Unclassified Information Information that has not been determined to be classified pursuant to Executive Order 13526 as amended USB Device A device that can be connected to a computer by its USB plug USB Drive A memory device small enough to fit into a pocket and that connects to a computer by its USB plug Vulnerability Scanning An automated scan for potential security vulnerabilities Waiver Acceptance to temporarily operate a system that does not comply with policy while working towards compliance 105 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A APPENDIX C REFERENCES The DHS information security program and organization are based upon public laws executive orders national policy external guidance and internal DHS guidance Public Laws and U S Code • Privacy Act of 1974 As Amended 5 United States Code U S C 552a Public Law 93579 Washington DC July 14 1987 • Public Law 107-347 E-Government Act of 2002 including Title III Federal Information Security Management Act FISMA • Public Law 104-106 Clinger-Cohen Act of 1996 formerly Information Technology Management Reform Act ITMRA • 5 Code of Federal Regulations CFR §2635 Office of Government Ethics Standards of Ethical Conduct for Employees of the Executive Branch • Public Law 100-235 Computer Security Act of 1987 as amended • Public Law 93-579 Freedom of Information Act of 2002 as amended Executive Orders • Executive Order 13526 Classified National Security Information December 29 2009 • Homeland Security Presidential Directive 12 Policy for a Common Identification Standard for Federal Employees and Contractors August 27 2004 Office of Management and Budget Directives • Office of Management and Budget OMB Circular A-130 Management of Federal Information Resources • OMB Bulletin 06-03 Audit Requirements for Federal Financial Statements • OMB Memorandum M-04-04 E-Authentication Guidance for Federal Agencies December 16 2003 • OMB Memorandum M-06-15 Safeguarding Personally Identifiable Information May 22 2006 • OMB Memorandum M-06-16 Protection of Sensitive Agency Information June 23 2006 • OMB Memorandum M-07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information May 22 2007 • OMB Memorandum M-09-02 Information Technology Management Structure and Governance Framework October 21 2008 • OMB Memorandum 10-15 FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management April 21 2010 106 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A • OMB Memorandum 10-28 Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security DHS July 6 2010 • OMB Memorandum 11-06 WikiLeaks - Mishandling of Classified Information November 28 2010 Other External Guidance • Intelligence Community Directive Number 508 Intelligence Community Information Technology Systems Security Risk Management Certification and Accreditation September 15 2008 • National Institute of Standards and Technology NIST Federal Information Processing Standards FIPS including o NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems o NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems • NIST Information Technology Security Special Publications SP 800 series including o NIST SP 800-16 Rev 1 Information Technology Security Training Requirements A Role- and Performance-Based Model Draft o NIST SP 800-34 Rev 1 Contingency Planning Guide for Information Technology Systems o NIST SP 800-37 Rev 1 Guide for Applying the Risk Management Framework to Federal Information Systems A Security Life Cycle Approach o NIST SP 800-39 Integrated Enterprise-Wide Risk Management Organization Mission and Information System View Draft o NIST SP 800-50 Building an Information Technology Security Awareness and Training Program o NIST SP 800-52 Guidelines for the Selection and Use of Transport Layer Security TLS Implementations o NIST SP 800-53 Rev 3 Recommended Security Controls for Federal Information Systems and Organizations o NIST SP 800-53A Rev 1 Guide for Assessing the Security Controls in Federal Information Systems o NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories 2 Volumes - Volume 1 Guide Volume 2 Appendices o NIST SP 800-63 Rev 1 Electronic Authentication Guideline Draft o NIST SP 800- 65 Rev 1 Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process CPIC Draft 107 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A o NIST SP 800-88 Guidelines for Media Sanitization o NIST SP 800-92 Guide to Computer Security Log Management o NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems IDPS o NIST SP 800-95 Guide to Secure Web Services o NIST SP 800-100 Information Security Handbook A Guide for Manager o NIST SP 800-115 Technical Guide to Information Security Testing and Assessment o NIST SP 800-118 Guide to Enterprise Password Management Draft o NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information PII o NIST SP 800-123 Guide to General Server Security o NIST SP 800-124 Guidelines on Cell Phone and PDA Security o NIST SP 800-128 Guide for Security Configuration Management of Information Systems Draft o NIST SP 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations Draft • NIST IR 7298 Glossary of Key Information Security Terms • CNSS Instruction No 4009 National Information Assurance Glossary • CNSS Instruction No 1001 National Instruction on Classified Information Spillage Internal Guidance • Department of Homeland Security Acquisition Regulation HSAR • DHS Management Directives MD especially o MD 140-01 Information Technology Systems Security o MD 11042 1 Safeguarding Sensitive but Unclassified For Official Use Only Information o MD 102-01 Acquisition Management o MD 1030 Corrective Action Plans o MD 4400 1 DHS Web and Information Systems o MD 4500 1 DHS Email Usage o MD 4600 1 Personal Use of Government Office Equipment o MD 4900 Individual Use and Operation of DHS Information Systems Computers o MD 11055 Suitability Screening Requirements for Contractor Employees 108 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A APPENDIX D Version DOCUMENT CHANGE HISTORY Date Description 0 1 December 13 2002 Draft Baseline Release 0 2 December 30 2002 Revised Draft 0 5 January 27 2003 Day One Interim Policy 1 0 June 1 2003 Department Policy 1 1 December 3 2003 Updated Department Policy 2 0 March 31 2004 Content Update 2 1 July 26 2004 Content Update 2 2 February 28 2005 Content Update 2 3 March 7 2005 Content Update 3 0 March 31 2005 Includes updates to PKI Wireless Communications and Media Sanitization now Media Reuse and Disposition sections 3 1 July 29 2005 New policies 3 1b e f 3 1g 4 1 5b 4 8 4a Modified policies 3 7b c 3 9b g 3 10a 4 3 1b 4 8 2a 4 8 5e 5 1 1b 5 2 2a 5 3a c 5 4 1a 5 4 5d 5 4 8c 5 5 1a 5 7d Policies relating to media disposal incorporated into policies within Media Reuse and Disposition section Deleted policy regarding use of automated DHS tool for conducting vulnerability assessments 3 2 October 1 2005 Modified policies 3 8b 4 8 1a 5 2 1a b 5 2 2a and 5 4 3c combined with modifications policies 4 1e and 4 1f modified Section 1 5 3 3 December 30 2005 New policies policies 3 9a–d 3 11 1b 4 3 1a 4 6c 5 4 3d e Modified policies policies 3 9i j 4 3 2a 4 6a b 4 6 1e 4 6 2j 4 6 2 1a 4 6 3e 5 4 3c 5 5 2k Modified sections 2 5 2 7 2 9 2 11 3 9 5 5 2 4 0 June 1 2006 New policies 3 5 3 c g 4 6 2 3 c 5 1 c 5 2 c 5 4 1 a Modified policies 3 5 1 c 3 5 3 d–f 3 7 a b 3 9 a b d 4 1 4 b c 4 2 1 a 4 3 1 a 4 6 c 4 6 1 a 4 6 2 f 4 10 3 a 5 2 1 b 5 3 a b 5 4 1 b 5 4 3 c 5 4 5 d Modified section Section 2 9 4 1 September 8 2006 New policies 3 14 1 a–c 3 14 3 a–c 4 10 1 c 5 3 d e 5 4 1 c–e Modified policies 3 9 b 4 6 2 d 4 8 2 a–c 4 10 1 b 5 1 c 5 3 c 5 4 1 b New sections 3 14 3 14 1 3 14 3 Modified sections 2 9 4 8 2 4 2 September 29 2006 New policies 4 6 4 a–f Modified policies 4 3 3 a–c New section 4 6 4 5 0 March 1 2007 New policies 4 1 5 h Modified policies 3 10 c 4 1 1 d 4 1 5 a b f g 4 6 2 d 4 6 3 f 5 2 c 5 4 8 a 5 6 b New sections 4 1 1 Modified 109 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description sections 1 2 1 4 2 1 4 3 2 9 3 12 4 1 and subsections 4 6 1–4 6 4 4 9 5 2 1 Renumbered sections 4 1 2–4 1 6 4 9 4 10 4 11 4 12 5 1 April 18 2007 Update based on SOC CONOPS Final Version 1 4 1 April 6 2007 Adds DHS Chief Financial Officer – Designated Financial Systems Updates the term Sensitive But Unclassified to For Official Use Only 5 2 June 1 2007 Updates Sections 2 7 2 9 2 12 3 3 3 5 1 3 5 3 3 6 3 8 3 9 3 10 3 14 3 15 4 1 5 4 1 6 4 10 4 12 5 1 1 5 2 5 3 5 4 1 5 4 3 5 4 4 5 4 8 5 5 1 5 7 5 3 August 3 2007 Revised policy in Sections 3 5 1 and 5 5 1 and removed Section 3 5 2 Removed Sections 3 11 2 and 3 11 4 5 4 October 1 2007 Content update incorporation of change requests 5 5 September 30 2007 Section 1 0 1 1 – Added text regarding policy implementation and DHS security compliance tool updates 1 2 – Removed two references from list deleted various from citation of standards Section 2 0 2 0 – Insert the following after the first sentence in the second paragraph “Security is an inherently governmental responsibility Contractors and other sources may assist in the performance of security functions but a government individual must always be designated as the responsible agent for all security requirements and functions ” 2 3 – Removed parentheses from in writing Section 3 0 3 9 – Inserted new policy element “l” regarding CISO concurrence for accreditation 3 15 – Added text regarding Component CFOs and ISSMs Section 4 0 4 1 1 – Capitalized “Background ” and added BI 4 3 1 – Two new elements were added to the policy table 4 7 – Inserted where required or appropriate before the sentence 4 8 3 – Title changed to “Personally Owned Equipment and Software not owned by or contracted for by the Government ” 4 8 6 – Included new section regarding wireless settings for peripheral equipment Section 5 0 5 1c – Changed inactive accounts to “disable user identifiers after forty-five 45 days of inactivity ” 5 1 1 – First sentence of the second paragraph was rewritten to prohibit use of personal passwords by multiple individuals 5 2 2 – Title changed to “Automatic Session Termination ” 6 0 May 14 2008 Global change “Shoulds” changed to “shalls” throughout the document Replaced certain instances of “will” with “shall” throughout document to indicate compliance is required Various changes were made throughout the document to ensure that the 4300A Policy and Handbook align with the 4300B Policy and Handbook “ISSM” changed to “CISO ISSM” throughout the document CPO changed to Chief Privacy Officer throughout the document “IT Security Program” changed to “Information Security Program” 110 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description throughout the document ” “System Development Life Cycle” changed to “System Life Cycle” and “SDLC” changed to “SLC” throughout the document Title Page Title page of 4300A Policy - Language on the Title Page was reworded “This is the implementation of DHS Management Directive 4300 1 ” Section 1 0 1 1 – Updated to clarify 90 day period in which to implement new policy elements 1 2 – Added OMB NIST and CNSS references 1 4 – Added reference and link to Privacy Incident Handling Guidance and the Privacy Compliance documentation 1 4 2 – Added definition of National Intelligence Information 1 4 3 – Inserted definition of National Security Information to align with 4300B Policy 1 4 8 1 – Definition of General Support System was updated 1 4 8 2 – Definition of Major Application was updated 1 4 10 – Section was renamed “Trust Zone ” 1 4 16 – Inserted new definition for FISMA 1 5 – Language was updated to increase clarity for financial system owners for waivers and exceptions Section 2 0 2 3 – Added a new responsibility for DHS CIO 2 4 – Added a new responsibility for Component CIOs 2 5 - Chief Information Security Officer CISO renamed DHS Chief Information Security Officer CISO Updated to include privacy-related responsibilities 2 6 – Added a new section in Roles and Responsibilities called “Component CISO ” 2 7 – Updated Component ISSM Role and Responsibilities 2 8 – Changed name of the section from Office of the Chief Privacy Officer CPO to The Chief Privacy Officer Updated to include privacy-related responsibilities 2 9 – Added a new role for DHS CSO 2 10 – Updated to include privacy-related responsibilities 2 11 - Added privacy-related responsibilities 2 12 – Added a new section “OneNet Steward ” 2 13 – Added a new section “DHS Security Operations Center DHS SOC and Computer Security Incident Response Center CSIRC ” 111 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description 2 14 – Added a new section “Homeland Secure Data Network HSDN Security Operations Center SOC ” 2 16 – Added a new section “Component-level SOC ” 2 18 – Updated to include privacy-related responsibilities 2 19 – Last sentence of first paragraph has been updated to say “ISSO Duties shall not be assigned as a collateral duty Any collateral duties shall not interfere with their ISSO duties ” 2 20 – Updated to include privacy-related responsibilities Section 3 0 3 9 – Added C A information for unclassified collateral classified and SCI systems Also prior to DHS Policy table included sentence regarding C A 3 9 b – Language updated to clarify that a minimum impact level of moderate is required for confidentiality for CFO designated financial systems 3 9 h – New guidance is provided to clarify short term ATO authority 3 11 1 – Added new section discussing the CISO Board 3 11 3 – Removed DHS Wireless Security Working Group 3 14 1 – Added new text defining PII and sensitive PII At the end of bullet #4 added definition of computer-readable data extracts Updated 3 14 1 a and 3 14 1 b based on input from the Privacy Office Added sentence “DHS has an immediate goal that remote access should only be allowed with twofactor authentication where one of the factors is provided by a device separate from the computer gaining access 3 14 2 - Added new section called Privacy Threshold Analyses 3 14 3 - Updated Privacy Impact Assessment Responsibilities table 3 14 4 - Added new section called System of Record Notices Section 4 0 4 1 5 c – Updated to address training requirements 4 1 5 g – Deleted “Training plans shall include awareness of internal threats and basic IT security practices ” 4 1 5 h now 4 1 5 g – Updated to include the following sentence “Components shall account for Contingency Plan Training and Incident Response Training conducted for Moderate and High IT Systems ” 4 3 1 d – FIPS 140-2 compliance language was updated 4 8 1 a and 4 8 1 c – Language has been updated to provide clarification of timeout values 4 8 2 a – FIPS 140-2 compliance language was updated 4 8 2 b – Added a new policy element regarding powering down laptops when not in use 4 9 – Section was renamed “Department Information Security Operations ” 4 9 4 9 1 4 9 2 – Updated policy elements to support Department security 112 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description operations capabilities based on the SOC CONOPS 4 9 2 b – Updated to say “Components shall obtain guidance from the DHS SOC before contacting local law enforcement except where there is risk to life limb or destruction of property ” 4 12 a – Added policy element to align with Handbook Section 5 0 5 2 1 a 5 2 1 b and 5 2 1 c – Language has been updated to provide clarification of timeout values 5 2 2 Introductory language 5 2 2 a 5 2 2 b and 5 2 2 c – Language and policy updated to clarify the meaning of a session termination 5 3 f - Updated to clarify responsibilities of the System Owner regarding computer-readable data extracts 5 4 1 d – Added sentence “DHS has an immediate goal that remote access should only be allowed with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access ” 5 4 3 a through i – New guidance is provided regarding the preparation of ISAs for interconnections to the DHS OneNetwork 5 4 3 g – Replaced “interconnect service agreements” with “interconnection security agreements ” 5 4 4 f - New guidance is provided regarding internal firewalls 5 4 5 f – New guidance is provided regarding the use of the RDP protocol 5 4 6 – Added text “NOTE Due to many attacks that are HTML-based please note that DHS will be following the lead of the DoD and moving to text based email ” 5 4 8 a – Language updated to reflect that annual vulnerability assessments should be conducted 5 4 8 f – Policy updated to clarify automated system scanning 5 5 1 c – Updated element to specify usage of cryptographic modules that “are FIPS 197 compliant and have received FIPS 140-2 validation ” 5 5 2 f – Policy updated to clarify hosting of DHS Root CA 6 1 September 23 2008 Global Changes Replaced all instances of “CISO ISSM” with “Component CISO ISSM ” Replaced all DHS-related instances of “agency agency-wide” with “Department Department-wide ” Replaced all instances of “24x7” with “continuous” or “continuously ” as appropriate Replaced all instances of “IT security” with “information security ” Various minor editorial and grammatical changes were made throughout the document Section 1 0 1 2 – Added reference to E-Government Act of 2002 January 7 2003 113 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description 1 4 – Replaced “National InfoSec Glossary” with “National Information Assurance IA Glossary ” 1 4 5 – Replaced third sentence with “System vulnerability information about a financial system shall be considered Sensitive Financial Information ” 1 5 2 – Added text regarding acceptance of resulting risk by the Component CFO for financial systems 1 5 3 – Corrected the title and location of Attachment B Added text regarding PTA requirements Section 2 0 2 1 – Updated to clarify Secretary of Homeland Security responsibilities 2 2 – Updated to clarify Undersecretaries and Heads of DHS Components responsibilities 2 3 – Updated to clarify DHS CIO responsibilities 2 4 – Updated to clarify Component CIO responsibilities 2 5 – Updated to clarify DHS CISO responsibilities 2 6 – Updated to clarify Component CISO responsibilities 2 8 – Moved “The Chief Privacy Officer” section to 2 9 2 11 – Updated to clarify Program Managers’ responsibilities 2 14 – Updated to clarify HSDN SOC responsibilities Updated HSDN SOC unclassified email address 2 19 – Updated to clarify ISSO responsibilities and the assignment of ISSO duties as a collateral duty 2 20 – Updated to clarify System Owners’ responsibilities 2 23 2 – Updated to clarify DHS CIO responsibilities for financial systems Section 3 0 3 1 e – Replaced “FISMA and OMB requirements” with “FISMA OMB and other Federal requirements ” 3 1 h – Replaced “maintain a waiver” with “maintain a waiver or exception ” 3 14 1 – Included text regarding the type of encryption needed for laptops 3 14 3 – Included text stating that the PTA determines whether a PIA is conducted 3 14 4 – Moved first sentence of second paragraph to be the first sentence of the first paragraph Included “that are a system of record” after “IT Systems” in the second sentence of the first paragraph Section 4 0 4 3 1 a – Included “locked tape device” in media protection 4 3 1 d – Updated to clarify that AES 256-bit encryption is mandatory 4 8 2 a – Updated to clarify that AES 256-bit encryption is mandatory 114 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description 4 8 3 c – Included new policy element regarding use of seized IT equipment 4 8 4 f – Included new policy element regarding management and maintenance of system libraries 4 8 5 b – Policy updated to clarify limited personal use of DHS email and Internet resources 4 9 – First paragraph updated to clarify DHS SOC and HSDN SOC responsibilities 4 9 b – Updated to specify that the HSDN SOC is subordinate to the DHS SOC 4 9 1 – First two paragraphs updated to clarify relationship between the DHS SOC and the HSDN SOC 4 9 1 a – Removed the words “Component SOC ” 4 9 1 b – Updated to clarify means of communication for reporting significant incidents 4 9 1 c – Updated to clarify the length of time by which significant HSDN incidents must be reported 4 9 1 d – Updated to clarify reporting for HSDN incidents Section 5 0 5 2 d – Replaced “Component CISO ISSM” with “Component CISO ISSM or his her designee ” 5 2 1 – Changed “48 hour time period” to “24 hour time period ” 5 4 5 g – Included new policy element regarding blocking of specific Internet websites or categories 5 4 7 – Updated the policy element to prohibit use of webmail and other personal email accounts 5 5 1 c – Updated to clarify that AES 256-bit encryption is mandatory 5 7 d – Included new policy element regarding use of cryptographic modules in order to align with 4300A Handbook 5 7 e – Included new policy element regarding rollback and journaling for transaction-based systems 6 1 1 7 0 October 31 2008 5 2 3 – Included new language and a link to the DHS computer login warning banner text on DHS Online July 31 2009 General Updates Added section and reference numbers to policy elements Added NIST 800-53 reference controls to policy elements Added hyperlinks to most DHS references Introduced new terminology Senior Agency Information Security Officer Risk Executive and Authorizing Official AO – replaces DAA as per NIST 800-37 and 800-53 Added Appendix A – Acronyms 115 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description Added Appendix B – Glossary Added Appendix C – References list has been updated and moved to Appendix C these are detailed references an abbreviated list is still found at the beginning of the document Added Appendix D – Change History This was moved from the front of the document Specific Updates Section 1 1 – Information Security Program Policy – Added the statement “Policy elements are designed to be broad in scope Specific implementation information can often be found in specific National Institute for Standards and Technology NIST publications such as NIST Special Publication SP 800-53 Recommended Security Controls for Federal Systems ” Section 1 4 17-19 – Privacy – Added definitions for PII SPII and Privacy Sensitive Systems Section 1 5 – Exceptions and Waivers – Updated this section clarified policy elements and consolidated all exceptions and waivers requirements Section 1 5 4 – U S Citizen Exception Requests – Updated section to include policy elements 1 5 4 a – Persons of dual citizenship where one of the citizenships includes U S Citizenship shall be treated as U S Citizens for the purposes of this directive 1 5 4 b – Additional compensating controls shall be maintained for foreign nationals based on nations lists maintained by the DHS CSO Section 1 6 – Information Sharing and Communication Strategy – Added policy element 1 6 a - For DHS purposes electronic signatures are preferred to pen and ink or facsimile signatures in all cases except where pen ink signatures are required by public law Executive Order or other agency requirements Section 1 7 – Changes to Policy – Updated entire section Section 2 0 – Roles and Responsibilities – Reformats entire section Places emphasis on DHS CISO and Component-level Information Security Roles Secretary and senior management roles are moved to the end of the section Some specific areas to note include Section 2 1 1 – DHS Senior Agency Information Security Officer – Introduces this term and assigns duties to DHS CISO Section 2 1 2 – Chief Information Security Officer – Adds the following responsibilities - Appoint a DHS employee to serve as the Headquarters CISO - Appoint a DHS employee to serve as the National Security Systems NSS CISO Section 2 1 3 – Component Chief Information Security Officer – Adds policy element 116 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description 2 1 3 b - All Components shall be responsible to the appropriate CISO Components without a fulltime CISO shall be responsible to the HQ CISO Adds 4 additional CISOs to the list of Component CISOs Federal Law Enforcement Training Center Office of the Inspector General Headquarters Department of Homeland Security The DHS CISO shall also appoint an NSS CISO Section 2 1 4 – Component Information Systems Security Manager – Component CISO now works directly with the HQ CISO rather than with the DHS CISO Section 2 1 5 – Risk Executive – Introduces this term as per NIST Assigns responsibilities to CISOs already performing these functions Section 2 1 6 – Authorizing Official – Introduces this term as per NIST Replaces the term Designated Approval Authority DAA Section 2 2 10 – DHS Employees Contractors and Vendors – Adds the requirement for vendors to follow DHS Information Security Policy Section 3 2 – Capital Planning and Investment Control – Adds policy element 3 2 f – Procurement authorities throughout DHS shall ensure that Homeland Security Acquisition Regulation HSAR provisions are fully enforced Section 3 3 – Contractors and Outsourced Operations – Adds policy element 3 3 g – Procurement authorities throughout DHS shall ensure that Homeland Security Acquisition Regulation HSAR provisions are fully enforced Section 3 5 2 – Contingency Planning – Updates and expands entire section Section 3 7 – Configuration Management – Adds policy elements Section 3 7 f – If the information system uses operating systems or applications that do not have hardening or do not follow configuration guidance from the DHS CISO the System Owner shall request an exception including a proposed alternative secure configuration Section 3 7 g – Components shall ensure that CM processes under their purview include and consider the results of a security impact analysis when considering proposed changes Section 3 9 – Certification Accreditation and Security Assessments – Updates entire section Section 3 11 1 – CISO Council – Updates the term from CISO Board Section 3 14-3 14 6 – Privacy Sections – Updates all sections pertaining to privacy and privacy information adds section 3 14 5 – Protecting Privacy Sensitive Systems Section 3 14 7 – E-Authentication – Renumbers this section from 3 14 6 due to adding of privacy section 3 14 5 117 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description Section 3 15 – DHS Chief Financial Officer Designated Systems – Section renamed from DHS Chief Financial Officer Designated Financial Systems Section 3 16 – Social Media – Added Social Media section to provide guidelines and address the Federal Government’s including DHS use of social media sites You Tube Twitter Section 4 1 2 – Rules of Behavior – Added policy element 4 1 2 b – Components shall ensure that DHS users are trained regarding rules of behavior and that each user signs a copy prior to being granted user accounts or access to information systems or data Section 4 1 5 – IT Security Awareness Training and Education – Updates entire section Section 4 1 6 – Separation from Duty – Updates policy element to require that all assets and data are recovered from departing individuals 4 1 6 b – Components shall establish procedures to ensure that all DHS information system-related property and assets are recovered from the departing individual and that sensitive information stored on any media is transferred to an authorized individual Adds policy elements 4 1 6 c - Accounts for personnel on extended absences shall be temporarily suspended 4 1 6 d – System Owners shall review information system accounts supporting their programs at least annually Section 4 3 2 – Media Marking and Transport – Adds “Transport” to section title and adds policy element 4 3 2 b – Components shall control the transport of information system media containing sensitive data outside of controlled areas and restrict the pickup receipt transfer and delivery to authorized personnel Section 4 6 – Wireless Network Communications – Updated section title from “Wireless Communication” and specifies “network communication” technologies in policy rather than the more general “Wireless ” Removes references to the defunct “WMO ” Section 4 6 1 – Wireless Systems – Adds policy elements 4 6 1 f – Component CISOs shall review all system applications for wireless usage maintain an inventory of systems and provide that inventory to the DHS CISO at least annually 4 6 1 g – Component CISOs shall i establish usage restrictions and implementation guidance for wireless technologies and ii authorize monitor and control wireless access to DHS information systems 4 9 1 – Security Incidents and Incident Response and Reporting – Adds requirement for Components to maintain full SOC and CSIRC capability May outsource to DHS SOC Adds policy elements 4 9 1 k – Components shall maintain a full SOC and CSIRC capability or outsource this capability to the DHS SOC The DHS SOC shall provide 118 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description SOC and CSIRC services to Components in accordance with formal agreements Information regarding incident response capability is available in Attachment F of the DHS 4300A Sensitive Systems Handbook 4 9 1 q – The DHS CISO shall publish Incident Response Testing and Exercise scenarios as required 4 9 1 r – The Component CISO for each Component providing an incident response capability shall ensure Incident Response Testing and Exercises are conducted annually in coordination with the DHS CISO Section 5 1 – Identification and Authentication – Adds requirement for strong authentication following HSPD-12 implementation 5 1 f – Components shall implement strong authentication on servers for system administrators and significant security personnel within six 6 months of the Component’s implementation of HSPD-12 Section 5 4 1 – Remote Access and Dial-In – Updates section and adds policy element 5 4 1 f – The Public Switched Telephone Network PSTN shall not be connected to OneNet at any time 5 4 3 – Network Connectivity – Requires DHS CIO approval for all network connections outside of DHS Also specifies requirement for CCB 5 4 3 g – The DHS CIO shall approve all interconnections between DHS information systems and non-DHS information systems Components shall document interconnections with an ISA for each connection The DHS CIO shall ensure that connections with other Federal Government Agencies are properly documented A single ISA may be used for multiple connections provided that the security accreditation is the same for all connections covered by that ISA 5 4 3 l - The appropriate CCB shall ensure that documentation associated with an approved change to an information system is updated to reflect the appropriate baseline DHS systems that interface with OneNet shall also be subject to the OneNet CCB Section 5 4 4 – Firewalls and Policy Enforcement Points – Updates language to include Policy Enforcement Points Adds policy elements 5 4 4 i – The DHS CISO shall establish policy to block or allow traffic sources and destinations at the DHS TIC PEPs The DHS CISO policy will prevent traffic as directed by the DHS CIO 5 4 j – The DHS SOC shall oversee all enterprise PEPs Section 5 4 5 – Internet Security – Prohibits Public Switched Telephone Network PSTN connection to OneNet 5 4 5 a – Any direct connection of OneNet DHS networks or DHS mission systems to the Internet or to extranets shall occur through DHS Trusted Internet Connection TIC PEPSs The PSTN shall not be connected to OneNet at any time Section 5 5 3 – Public Key Private Key – Assigns responsibility for nonhuman use of PKI to sponsors 5 5 3 g – Sponsors for non-human subscribers organization application 119 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description code-signing or device shall be responsible for the security of and use of the subscriber’s private keys Every sponsor shall read understand and sign a “DHS PKI Subscriber Agreement for Sponsors” as a pre-condition for receiving certificates from a DHS CA for the non-human subscriber Section 5 4 6 – Email Security – Prohibits auto-forwarding of DHS email to other than gov or mil addresses 5 4 6 i - Auto-forwarding or redirecting of DHS email to address outside of the gov or mil domain is prohibited and shall not be used Users may manually forward individual messages after determining that the risk or consequences are low Section 5 4 7 – Personal Email Accounts – Requires use of encryption when sending sensitive information to email addresses other than gov or mil addresses 5 4 7 b - When sending email to an address outside of the gov or mil domain users shall ensure that any sensitive information particularly privacy data is attached as an encrypted file Section 5 6 – Malware Protection – Updates term from “Virus ” 7 1 September 30 2009 General Updates Standardized the term “IT system” to “information system” Standardized the term “DHS IT system” to “DHS information system” Updated the term “DHS Security Operations Center” to “DHS Enterprise Operations Center” and added definition in glossary Replaced “must” with “shall” in all policy statements Replaced “vendors” with “others working on behalf of DHS” Specific Updates Section 1 4 20 – Strong Authentication – Added definition for Strong Authentication Section 1 4 21 – Two-Factor Authentication – Added definition for TwoFactor Authentication Section 2 2 4 – Component Chief Information Officer – Alleviated confusion regarding Component CIO responsibilities Section 2 2 5 – Chief Security Office – Removed erroneous CSO responsibilities which belong to Component CIOs Section 2 2 7 – DHS Chief Financial Officer – Updated policy elements to clarify applicable policies Section 3 1 – Basic Requirements 3 1 d 3 1 g-j – Updated policy elements to CISO ISSM ISSO responsibilities Section 3 7 f – Clarified Operating system exception requirements Section 3 9 l-m – Clarified requirements regarding TAF RMS Section 3 15 – CFO Designated Systems – Major revisions to this section Section 4 6 2 and 5 4 1 a – Prohibits tethering to DHS devices 120 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description Section 5 4 3 g-h – Clarifies interconnection and ISA approval Section 5 5 – Cryptography – Removed unnecessary elements from introductions and updated entire section with input from DHS PKI Steward 7 2 May 17 2010 General Updates No general updates with this revision Specific updates are listed below Specific Updates Section 1 4 8 – Added FISMA language transmits stores or processes data or information to definition of DHS System Section 1 5 3 k – Removed requirement for Component Head to make recommendation regarding waivers removed requirement to report exceptions on FISMA report Section 2 1 6 – Adds requirement for AO to be a Federal employee Section 2 1 7 – Clarifies that CO is a senior management official stipulates that CO must be a Federal employee Section 2 2 5 – Updated CSO role Section 3 2 – Added intro to CPIC section and link to CPIC Guide Section 3 5 2 h – Added requirement to coordinate CP and COOP testing moderate and high FIPS categorizations Section 3 15 a – Added requirement for CFO Designated Systems security assessments for key controls be tracked in TAF and adds requirement for tracking ST E and SAR annually Section 3 15 c – Remaps control from RA-4 to RA-5 Section 3 15 h – Adds mapping to IR-6 Section 3 15 i – Remaps control from PL-3 to PL-2 Section 3 17 – Added requirement to protect HIPAA information Section 4 1 l a – Added requirement for annual reviews of position sensitivity levels Section 4 1 1 c – Exempts active duty USCG and other personnel subject to UCMJ from background check requirements Section 4 1 4 c-d – Adds additional separation of duties requirements and restricts the use of administrator accounts Section 5 2 f – Limits the number of concurrent connections for FIPS-199 high systems Section 5 4 2 a – Limits network monitoring as per the Electronic Communications Act Section 5 4 3 – Added introduction to clarify ISA requirements Section 5 4 3 f – Clarifies the term “security policy” in context Section 5 4 3 m – Clarifies that both AOs must accept risk for interconnected systems that do not require ISAs Section 5 4 3 m-n – Adds stipulations to ISA requirements 121 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description Section 5 5 – Updates language in entire section Section 5 5 3 j – Assigns the DHS PKI MA responsibility for maintaining Human Subscriber agreements 7 2 1 August 9 2010 General Updates No general updates with this revision Specific updates are listed below Specific Updates Section 1 1 – Removes reference to 4300C Section 1 4 1 3 – Updates Executive Order reference from 12958 to 13526 Section 1 4 17 – Updates the PII section Section 1 4 18 – Updates SPII section Section 1 5 3 – Adds requirement for Privacy Officer PPOC approval for exceptions and waivers pertaining to Privacy Designated Systems Section 1 6 b c – Requires installation and use of digital signatures and certificates Section 2 1 6 d – Allows delegation of AO duty to review and approve administrators Section 2 2 6 – Updates DHS Chief Privacy Officer description Section 3 7 e – Adds requirement to include DHS certificate as part of FDCC Section 3 14 – Updates Privacy and Data Security section Section 3 14 1 – Updates PII section Section 3 14 2 – Updates PTA section Section 3 14 2 e – Updates impact level requirements for Privacy Sensitive Systems Section 3 14 3 – Updates PIA section Section 3 1 4 4 – Updates SORN section Section 3 14 4 a – Exempts SORN requirements Section 3 14 5 – Updates Privacy Sensitive Systems protection requirements Section 3 14 6 a – Updates privacy incident reporting requirements Section 3 14 7 – Updates privacy requirements for e-Auth Section 3 14 7 e – Adds PIA requirements for eAuth Section 4 1 1 e – Expands U S citizenship requirement for access to all DHS systems and networks Section 4 1 4 b – Allows delegation of AO duty to review and approve administrators Section 4 6 2 3 c – Clarifies prohibited use of SMS Section 4 8 4 h – Updates the term “trusted” to “cleared” maintenance 122 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description personnel Section 4 12 i – Updates escort requirements for maintenance or disposal Section 4 12 j – Requires disabling of dial up on multifunction devices Section 5 4 3 – Clarifies definition of Network Connectivity Section 5 4 3 m n – Clarifies requirement for ISA Section 5 4 6 j – Requires DHS email systems to use a common naming convention Section 5 5 3 g – Prohibits sharing of personal private keys 7 2 1 1 January 19 2011 General Updates No general updates with this revision Specific updates are listed below Specific Updates 8 0 March 14 2011 Section 4 8 1 a – Changes requirement for screensaver activation from five 5 to fifteen 15 minutes of inactivity General Updates Update date and version number Replace “certification and accreditation” and “C A” with “security authorization process” Replace “Certifying Official” with “Security Control Assessor” Replace “ST E Plan” with “security assessment plan” Replace “system security plan” with “security plan” and “SSP” with “SP” Specific Updates Section 1 4 8 1 Change definition to specify that a GSS has only one ISSO Section 1 4 8 2 Change definition to specify that an MA has only one ISSO Section 1 5 1 Include language requiring waiver submissions to be coordinated with the AO Section 1 5 2 Include language requiring waiver submissions to be coordinated with the AO Section 1 5 3 Clarify language regarding submission of waivers and exceptions for CFO designated systems Section 1 6 d Added new policy element “DHS and Component systems shall be able to verify PIV credentials issued by other Federal agencies ” Section 2 1 2 Add DHS CISO role as primary liaison to Component officials and to perform periodic compliance reviews for selected systems Section 2 13 Update Component CISO duties and add to implement POA M process and ensure that eternal providers who operate information systems meet the same security requirements as the Component Section 2 1 4 Update list of Component ISSM duties and create a POA M 123 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description for each known vulnerability Section 2 1 5 Add significantly expanded Risk Executive duties Section 2 1 6 Add significantly expanded Authorizing Official duties Section 2 2 8 Add Program Manager responsibility for POA M content Section 2 2 9 Add expanded System Owner duties Section 2 2 11 Renumber 2 2 10 as 2 2 11 Section 2 2 10 Add a new 2 2 10 to introduce and describe duties of Common Control Provider Section 3 2 g Added new policy element “Procurements for services and products involving facility or system access control shall be in accordance with the DHS guidance regarding HSPD-12 implementation ” Section 3 5 2 c Updated language to clarify requirements for backup policy and procedures Section 3 5 2 f Updated language to require table-top exercises for testing the CP for moderate availability systems Section 3 7 f Added new policy element “Components shall monitor USGCB or DHS-approved USGCB variant compliance using a NISTvalidated Security Content Automation Protocol SCAP tool ” Section 3 9 Add requirement for Components to designate a Common Control Provider Section 3 10 b Policy element language was updated to clarify the function of information system security review and assistance programs Section 3 14 Language updated for readability Section 3 14 c Added new policy element “Components shall review and republish SORNs every two 2 years as required by OMB A-130 ” Section 3 14 7 f Added new policy element “Existing physical and logical access control systems shall be upgraded to use PIV credentials in accordance with NIST and DHS guidelines ” Section 3 14 7 g Added new policy element “All new systems under development shall be enabled to use PIV credentials in accordance with NIST and DHS guidelines prior to being made operational ” Section 3 17 Added reference to NIST SP 800-66 for more information on HIPAA Section 4 1 4 d Language updated to clarify usage of administrator accounts Section 4 1 5 f Language updated to clarify requirements for security awareness training plan Section 4 3 1 b Language updated to clarify protection of offsite backup media Section 4 5 4 Added reference to NIST SP 800-58 for more information on VoIP 124 v8 0 March 14 2011 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version Date Description Section 4 9 j Language updated to require that Component SOCs report operationally to the respective Component CISO Section 4 9 k New policy element added “The DHS EOC shall report operationally to the DHS CISO ” Section 4 10 Revise list of annual system documentation updates Section 4 12 c Policy element replaced with new one stating that the policy applies “to all DHS employees contractors detailees others working on behalf of DHS and users of DHS information systems that collect generate process store display transmit or receive DHS data ” Section 5 4 1 e Policy element removed Section 5 4 1 f Policy element removed Appendix A Include new acronyms Appendix B Revise definition of Accreditation Package to reflect new list of documentation Appendix C Update references 125 v8 0 March 14 2011