Certification and Accreditation: The Postal Service Process for Protecting Its Electronic Information Resources
Publication 805-A, May 2015
Certification and Accreditation (C&A) Requirements for Information Resources

Each cell states whether the deliverable is required for that category of information resource and, in parentheses, who is responsible for producing it. A blank cell means the deliverable is not listed for that category.

| Phase | C&A Deliverable | New & Major Information Resource Modifications | All Other Information Resources | NS & NC Recertifications | Service Based Contracts |
|-------|-----------------|-----------------------------------------------|---------------------------------|--------------------------|-------------------------|
| 2 | Information Resource Characterization | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 2 | BIA (Business Impact Assessment) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Specs | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Site Security Review | Yes (ISSO & USPIS) | If applicable (ISSO & USPIS) | | Yes (ISSO & USPIS) |
| 4 | SOPs | If applicable (Project Mgr.) | If applicable (Project Mgr.) | | Yes (Project Mgr.) |
| 4 | Operation Training Materials | If applicable (Project Mgr.) | If applicable (Project Mgr.) | | Yes (Project Mgr.) |
| 4-5 | Contingency Plans | Yes (Project Mgr.) | If applicable (Project Mgr.) | | Yes (Project Mgr.) |
| 4 | NCRB (Network Connectivity Review Board) Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 5 | ST&E (Security Test and Evaluation) Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Security Code Review | Based on requirements (Project Mgr.) | Based on policy requirements (Project Mgr.) | If applicable (Project Mgr.) | Based on policy requirements (Project Mgr.) |
| 6 | ST&E Testing & Report | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Vulnerability Scan | Yes (CISO) | Yes (CISO) | Yes (CISO) | Yes for sensitive resources (CISO) |
| 6 | Penetration Test | If applicable (CISO) | If applicable (CISO) | | If applicable (CISO) |
| 6 | Independent Reviews | If applicable (Project Mgr.) | If applicable (Project Mgr.) | | If applicable (Project Mgr.) |
| 6 | Risk Assessment | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Risk Mitigation Plan | Yes for high/moderate risk (Project Mgr.) | Yes for high/moderate risk (Project Mgr.) | Yes for high/moderate risk (Project Mgr.) | Yes for high/moderate risk (ISSO) |
| 6 | Evaluation Report | Yes (ISSO) | Yes (ISSO) | | Yes (ISSO) |
| 6 | Certification Letter | Yes (ISSO Mgr.) | Yes (Certifier) | | Yes (Certifier) |
| 6 | Accreditation Letter | Yes (Mgr. CISO) | Yes (Accreditor) | | Yes (Accreditor) |
| 6 | Risk Acceptance Letter | Yes for a vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for a vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for a vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for a vulnerability that will not be mitigated (VP IT and VP Functional Business Area) |
| 8 | Contingency Test Results | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) |
| 8 | Revised C&A Documents | As needed or every 3 years (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years (ISSO & Project Mgr.) |
| 9 | Retirement Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 9 | Retirement Certification | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
C&A Phases and Major Deliverables
The C&A process consists of several interrelated phases that are conducted concurrently with the development and deployment of new information resources (technical solutions) and the retirement of existing information resources. Each phase in the C&A process corresponds to a phase in the Technical Solutions Life Cycle (TSLC), using either the Waterfall Development or the Agile Scrum Development Methodology. The objectives of the C&A process are to:
- Determine the sensitivity and criticality of the information processed.
- Define security requirements.
- Identify and implement security controls and processes.
- Test security solutions.
- Evaluate the effectiveness of the security controls and processes chosen to protect the information resource, and assess threats and vulnerabilities.
- Obtain management approval for deployment or continued use.
Certification and Accreditation Activities in Conjunction with the Waterfall Development Methodology Phases

Phase 1, Initiate and Plan
In this phase:
- The proposed technical solution is registered or updated in EIR.
- The project is planned.
- An ISSO is assigned.
- The C&A process is initiated.

Phase 2, Requirements
In this phase, the application characteristics are documented, including internal and external dependencies, and a Business Impact Assessment (BIA) is conducted to collect privacy-related information, to ensure compliance with privacy laws and regulations, to define the sensitivity and criticality of the technical solution, and to determine the information security requirements needed to protect it.

Phase 3, Design
In this phase:
- The design for the technical solution is developed and documented in an architecture diagram.
- Security specifications are defined for contracts and acquisitions to protect the technical solution commensurate with its business value.
- Information security controls and processes are identified to satisfy the security requirements defined in the BIA and are documented in a security plan.
- A site security review is requested (if required).

Phase 4, Build
In the build phase:
- Information security controls and processes are built (or acquired) and integrated into the information resource.
- Connectivity requirements are defined.
- A request is submitted to the Network Connectivity Review Board (NCRB).
- Contingency planning is initiated (if required) to address unexpected interruptions to the business activities supported by the information resource.

Phase 5, Security Integration Testing
In the security integration testing phase, a security test plan is developed and contingency plans are completed.

Phase 6, Customer Acceptance Testing
In the customer acceptance testing phase:
- A security code review is conducted (if required).
- Security testing is conducted to ensure the security controls and processes implemented in the build phase are effective.
- The results of the test are documented in a report.
- Vulnerability scans are run.
- Penetration testing is conducted (if applicable).
- Independent reviews of security code reviews, risk assessments, vulnerability scans, penetration testing, or security test validation are conducted (if required).
- A risk assessment is conducted and a risk mitigation plan is developed.
- The Information Systems Security Representative (ISSR) and/or project manager completes the C&A deliverables and submits them to the ISSO.
- The ISSO evaluates the C&A deliverables and prepares an evaluation report highlighting the risks associated with placing the information resource in production, then either escalates security concerns or forwards the C&A evaluation report and supporting documentation to the certifier for review.
- The certifier reviews the C&A evaluation report and the supporting C&A documentation, and either escalates security concerns or prepares and signs a certification letter and forwards it, with the supporting C&A documentation, to the accreditor.
- The accreditor reviews the certification letter, the risk mitigation plan, and the supporting C&A documentation, and takes one of the following actions: [1] escalates security concerns; [2] prepares and signs a full accreditation letter and forwards it to the vice president functional business area (or the executive sponsor if this responsibility is delegated) and the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated); or [3] prepares and signs a conditional accreditation letter, with requirements that must be met within a stated time frame, and forwards it to the VP IT and the VP functional business area. If the requirements are not met within the indicated time frame, the accreditor issues a Failure to Comply Letter to the VP IT and the VP functional business area.
- If a documented vulnerability associated with a medium or high residual risk will not be mitigated, either [1] the VP IT and VP functional business area prepare and sign a Risk Acceptance Letter and forward it to the accreditor, or [2] if the VP IT and VP functional business area decide not to sign a Risk Acceptance Letter, the accreditor issues a Failure to Comply Letter.

Phase 7, Governance Compliance
The Governance Compliance phase ensures that all deliverables are stored in the TSLC Artifacts Library, that all artifacts meet USPS IT SOX and IT governance requirements and controls, and that they have been approved by the Product Owner/Customer. There are no C&A activities or deliverables for this phase.

Phase 8, Release and Production
All three approvals (i.e., certification, accreditation, and risk acceptance) are required before deploying the information resource. The project manager deploys the information resource into production with the security controls documented in the security plan and tested in the Security Test and Evaluation (ST&E), and with any restrictions documented in the approval letters. Other activities in Phase 8 are:
- Testing contingency plans.
- Maintaining security controls and processes.
- Periodically testing security controls.
- Reviewing system and application logs.
- Updating C&A documentation.
- Re-initiating the C&A.
Phase 9, Retire
The Retirement phase ensures that appropriate archiving and security measures are taken and documented when decommissioning a technology solution or its components from the Postal Service Technology Infrastructure. Activities include:
- Retiring the information resource.
- Disposing of the data.
- Sanitizing the equipment and media (if required).
C&A Stakeholder Responsibilities

VP Functional Business Area
- Ensures resources are available for completing information security tasks throughout an information resource's life cycle.
- Works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource. The vice presidents of functional business areas may delegate this responsibility to the applicable executive sponsor. If this responsibility is delegated, notice to that effect must be in writing.

Executive Sponsor
- Ensures completion of all security tasks throughout an information resource's life cycle.
- (If the vice president functional business area has delegated this responsibility) works jointly with the vice president IT (or the Business Relationship Management portfolio manager if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risk and approve deployment of the information resource.

VP IT
- Works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept residual risks and approve deployment of the information resource. The vice president of IT may delegate this responsibility to the applicable Business Relationship Management portfolio manager. If this responsibility is delegated, notice to that effect must be in writing.
Business Relationship Management Portfolio Manager
- Serves as a liaison between the executive sponsor and IT providers.
- (If the vice president IT has delegated this responsibility) works jointly with the vice president functional business area (or the executive sponsor if this responsibility is delegated) to review the accreditation letter and risk mitigation plan and, if acceptable, accept residual risks and approve deployment of the information resource.

Information Systems Security Representative (ISSR) or Project Manager
- Ensures security controls are implemented.
- Notifies the executive sponsor, the Business Relationship Management portfolio manager, and the ISSO of any risks that emerge during development or acquisition of the application.
- Prepares or coordinates C&A documents.

Information Systems Security Officer (ISSO)
- Provides security guidance and expertise throughout the C&A process.
- Reviews the security testing and evaluates C&A documents.
- Prepares the C&A evaluation report and submits it to the certifier.

Certifier (Program Manager, C&A Process)
- Reviews the C&A evaluation report and supporting documents.
- If acceptable, prepares a certification letter and submits it to the accreditor.

Accreditor (Chief Information Security Officer)
- Reviews the certification letter and supporting documents.
- If acceptable, prepares an accreditation letter and recommends deployment.
Where to find additional information and help
Information security policies and processes are available on PolicyNet at http://blue.usps.gov/cpim/hbkid.htm, and C&A deliverables are incorporated in the eC&A application.
Information Security Hotline: 919-501-9350
E-mail comments to: [email protected]
Pub 805-A PSN 7610-07-000-8289 May 2015