
Certification and Accreditation: The Postal Service Process for Protecting Its Electronic Information Resources

Publication 805-A, May 2015


Certification and Accreditation (C&A) Requirements for Information Resources

Each cell shows whether the deliverable is required for that type of information resource and, in parentheses, who is responsible for it. The Phase column refers to the Technical Solutions Life Cycle phases described in the next section.

| Phase | C&A Deliverable | New & Major Information Resource Modifications | All Other Information Resources | NS & NC Recertifications | Service Based Contracts |
|---|---|---|---|---|---|
| 2 | Information Resource Characterization | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 2 | BIA | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Specs | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Security Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 3 | Site Security Review | Yes (ISSO & USPIS) | If applicable (ISSO & USPIS) | Yes (ISSO & USPIS) | |
| 4 | SOPs | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4 | Operation Training Materials | If applicable (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4-5 | Contingency Plans | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) | |
| 4 | NCRB Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 5 | ST&E Plan | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Security Code Review | Based on Requirements (Project Mgr.) | Based on Policy Requirements (Project Mgr.) | If applicable (Project Mgr.) | Based on Policy Requirements (Project Mgr.) |
| 6 | ST&E Testing & Report | Yes (Project Mgr.) | Yes (Project Mgr.) | If applicable (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Vulnerability Scan | Yes (CISO) | Yes (CISO) | Yes (CISO) | Yes for Sensitive (CISO) |
| 6 | Penetration Test | If applicable (CISO) | If applicable (CISO) | If applicable (CISO) | |
| 6 | Independent Reviews | If applicable (Project Mgr.) | If applicable (Project Mgr.) | If applicable (Project Mgr.) | |
| 6 | Risk Assessment | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 6 | Risk Mitigation Plan | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (Project Mgr.) | Yes for High/Moderate Risk (ISSO) |
| 6 | Evaluation Report | Yes (ISSO) | Yes (ISSO) | Yes (ISSO) | |
| 6 | Certification Letter | Yes (ISSO Mgr.) | Yes (Certifier) | Yes (Certifier) | |
| 6 | Accreditation Letter | Yes (Mgr. CISO) | Yes (Accreditor) | Yes (Accreditor) | |
| 6 | Risk Acceptance Letter | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) | Yes for vulnerability that will not be mitigated (VP IT and VP Functional Business Area) |
| 8 | Contingency Test Results | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | Yes (Business Relationship Management Portfolio Mgr. & Executive Sponsor) | |
| 8 | Revised C&A Documents | As needed or every 3 years (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years; annually for PCI (ISSO & Project Mgr.) | As needed or every 2 years (ISSO & Project Mgr.) |
| 9 | Retirement Request | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |
| 9 | Retirement Certification | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) | Yes (Project Mgr.) |

Note: ten rows (Site Security Review, SOPs, Operation Training Materials, Contingency Plans, Penetration Test, Independent Reviews, Evaluation Report, Certification Letter, Accreditation Letter, and Contingency Test Results) carry entries for only three of the four resource types. Those entries are listed left to right in the order they appear in the publication; which of the four columns is the blank one is not recoverable from the text, so treat the column placement of those rows as indicative, not authoritative.


C&A Phases and Major Deliverables

The C&A process consists of several interrelated phases that are conducted concurrently with the development and deployment of new information resources (technical solutions) and the retirement of existing information resources. Each phase in the C&A process corresponds to a phase in the Technical Solutions Life Cycle, using either the Waterfall Development or the Agile Scrum Development Methodology. The objectives of the C&A process are to:
• Determine the sensitivity and criticality of the information processed.
• Define security requirements.
• Identify and implement security controls and processes.
• Test security solutions.
• Evaluate the effectiveness of the security controls and processes chosen to protect the information resource, and assess threats and vulnerabilities.
• Obtain management approval for deployment or continued use.


Certification and Accreditation Activities in Conjunction with the Waterfall Development Methodology Phases

Phase 1, Initiate and Plan
In this phase:
• The proposed technical solution is registered or updated in EIR.
• The project is planned.
• An ISSO is assigned.
• The C&A process is initiated.

Phase 2, Requirements
In this phase, the application characteristics are documented, including internal and external dependencies, and a Business Impact Assessment (BIA) is conducted to collect privacy-related information, ensure compliance with privacy laws and regulations, define the sensitivity and criticality of the technical solution, and determine the information security requirements needed to protect it.

Phase 3, Design
In this phase:
• The design for the technical solution is developed and documented in an architecture diagram.
• Security specifications are defined for contracts and acquisitions to protect the technical solution commensurate with its business value.
• Information security controls and processes are identified to satisfy the security requirements defined in the BIA and are documented in a security plan.
• A site security review is requested (if required).

Phase 4, Build
In the build phase:
• Information security controls and processes are built (or acquired) and integrated into the information resource.
• Connectivity requirements are defined.
• A request is submitted to the Network Connectivity Review Board (NCRB).
• Contingency planning is initiated (if required) to address unexpected interruptions to the business activities supported by the information resource.

Phase 5, Security Integration Testing
In the security integration testing phase, a security test plan is developed and contingency plans are completed.

Phase 6, Customer Acceptance Testing
In the customer acceptance testing phase:
• A security code review is conducted (if required).
• Security testing is conducted to ensure the security controls and processes implemented in the build phase are effective.
• The results of the test are documented in a report.
• Vulnerability scans are run.
• Penetration testing is conducted (if applicable).
• Independent reviews of security code reviews, risk assessments, vulnerability scans, penetration testing, or security test validation are conducted (if required).
• A risk assessment is conducted and a risk mitigation plan is developed.
• The ISSR and/or project manager completes the C&A deliverables and submits them to the ISSO.
• The ISSO evaluates the C&A deliverables and prepares an evaluation report highlighting the risks of placing the information resource in production, then either escalates security concerns or forwards the C&A evaluation report and supporting documentation to the certifier for review.
• The certifier reviews the C&A evaluation report and the supporting C&A documentation, then either escalates security concerns or prepares and signs a certification letter and forwards it, with the supporting C&A documentation, to the accreditor.
• The accreditor reviews the certification letter, the risk mitigation plan, and the supporting C&A documentation, and takes one of the following actions: [1] escalates security concerns; [2] prepares and signs a full accreditation letter and forwards it to the vice president functional business area (or executive sponsor, if this responsibility is delegated) and the vice president IT (or Business Relationship Management portfolio manager, if this responsibility is delegated); or [3] prepares and signs a conditional accreditation letter, stating requirements that must be met within a given time frame, and forwards it to the VP IT and the VP functional business area. If the requirements are not met in the indicated time frame, the accreditor issues a Failure to Comply Letter to the VP IT and the VP functional business area.
• If a documented vulnerability with medium or high residual risk will not be mitigated, either [1] the VP IT and VP functional business area prepare and sign a Risk Acceptance Letter and forward it to the accreditor, or [2] if the VP IT and VP functional business area decide not to sign a Risk Acceptance Letter, the accreditor issues a Failure to Comply Letter.

Phase 7, Governance Compliance
The Governance Compliance phase ensures that all deliverables are stored in the TSLC Artifacts Library, that all artifacts meet USPS IT SOX and IT governance requirements and controls, and that they have been approved by the Product Owner/Customer. There are no C&A activities or deliverables in this phase.

Phase 8, Release and Production
All three approvals (i.e., certification, accreditation, and risk acceptance) are required before the information resource is deployed. The project manager deploys the information resource into production with the security controls documented in the security plan and tested in the Security Test and Evaluation (ST&E), and with any restrictions documented in the approval letters. Other activities in Phase 8 are:
• Testing contingency plans.
• Maintaining security controls and processes.
• Periodically testing security controls.
• Reviewing system and application logs.
• Updating C&A documentation.
• Re-initiating the C&A.

Phase 9, Retire
The Retirement phase ensures that appropriate archiving and security measures are taken and documented when a technology solution or its components are decommissioned from the Postal Service Technology Infrastructure. Activities include:
• Retiring the information resource.
• Disposing of the data.
• Sanitizing the equipment and media (if required).

C&A Stakeholder Responsibilities

VP Functional Business Area
• Ensures resources are available for completing information security tasks throughout the information resource life cycle.
• Works jointly with the vice president IT (or the Business Relationship Management portfolio manager, if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept the residual risk and approve deployment of the information resource. The vice president of a functional business area may delegate this responsibility to the applicable executive sponsor; the delegation must be made in writing.

Executive Sponsor
• Ensures completion of all security tasks throughout the information resource life cycle.
• If the vice president functional business area has delegated this responsibility, works jointly with the vice president IT (or the Business Relationship Management portfolio manager, if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept the residual risk and approve deployment of the information resource.

VP IT
• Works jointly with the vice president functional business area (or the executive sponsor, if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept the residual risks and approve deployment of the information resource. The vice president of IT may delegate this responsibility to the applicable Business Relationship Management portfolio manager; the delegation must be made in writing.

Business Relationship Management Portfolio Manager
• Serves as a liaison between the executive sponsor and IT providers.
• If the vice president IT has delegated this responsibility, works jointly with the vice president functional business area (or the executive sponsor, if this responsibility is delegated) to review the accreditation letter and Risk Mitigation Plan and, if acceptable, accept the residual risks and approve deployment of the information resource.

Information Systems Security Representative (ISSR) or Project Manager
• Ensures security controls are implemented.
• Notifies the executive sponsor, the Business Relationship Management portfolio manager, and the ISSO of any risks that emerge during development or acquisition of the application.
• Prepares or coordinates the C&A documents.

Information Systems Security Officer (ISSO)
• Provides security guidance and expertise throughout the C&A process.
• Reviews the security testing and evaluates the C&A documents.
• Prepares the C&A evaluation report and submits it to the certifier.

Certifier (Program Manager, C&A Process)
• Reviews the C&A evaluation report and supporting documents.
• If acceptable, prepares a certification letter and submits it to the accreditor.

Accreditor (Chief Information Security Officer)
• Reviews the certification letter and supporting documents.
• If acceptable, prepares the accreditation letter and recommends deployment.

Where to Find Additional Information and Help
Information security policies and processes are available on PolicyNet at http://blue.usps.gov/cpim/hbkid.htm, and C&A deliverables are incorporated in the eC&A application.
Information Security Hotline: 919-501-9350
E-mail comments to: [email protected]


Pub 805-A PSN 7610-07-000-8289 May 2015
