DLMS 9 – Chapter 400, IT Security
U. S. DEPARTMENT OF LABOR MANUAL SERIES
DLMS 9 – INFORMATION RESOURCES – OASAM MANUAL TRANSMITTAL
DATE: February 15, 2007 Chapter Reference: DLMS 9 – Chapter 400, IT Security
Nature of Revisions: This revised policy incorporates requirements from FISMA, such as roles and responsibilities as well as the DOL Inventory of Major Information Systems. It also addresses e-Authentication and EA Governance, and incorporates guidance from OMB on privacy compliance oversight and reporting. In addition, it addresses areas such as wireless, peer-to-peer networks, emerging technologies, granting access, COOP/DRP, and logical access controls.
Action Required:
Please add this new chapter on LaborNet under the DLMS 9 chapters. Please remove the old chapter DLMS 9 Chapter 400.
Approval for Issuance and Distribution:
PATRICK PIZZELLA, Assistant Secretary for Administration and Management
DL 1-517 (Rev. 11/96) Previous Editions Obsolete
Rev. 4/03 DLMS - 9 Information Resources Information Technology Security – 400
400 INFORMATION TECHNOLOGY SECURITY
401 Purpose. This document establishes policy and assigns organizational and management responsibilities to ensure the implementation of Departmental and Federal Information Technology (IT) security practices throughout the Department of Labor (DOL). It implements the Federal Information Security Management Act (FISMA); Office of Management and Budget (OMB) Circular No. A-130, Appendix III; Chief Financial Officers (CFO) Act of 1990; the Government Performance and Results Act (GPRA) of 1993; Confidential Information Protection and Statistical Efficiency Act (CIPSEA) of 2002; Privacy Act of 1974; other statutes and regulations (see References, section 406); and Departmental policies including DOL Cyber Security Program Plan (CSPP) and DOL Computer Security Handbook (CSH). In addition, it applies protection to information systems which, due to their sensitivity or business function, deserve or require the application of security controls and oversight.
402 Scope. This policy applies to:
A. All information held, used, or owned by DOL;
B. All DOL information systems or equipment used to access those systems;
C. All DOL agencies, bureaus and offices; and
D. Users as provided in Section 408(M).
Nothing in this chapter will conflict with the responsibilities and operations of the OIG as set forth in the IG Act of 1978, as amended.
403 Objective. The primary objective of this policy is to provide information assurance and security policy to ensure that DOL Information Security Program operates securely and complies with Federal mandates. This policy will also ensure that DOL Information Security Program implements appropriate protective measures (management, operational, and technical controls) that provide cost effective and reasonable assurances that the confidentiality, integrity, and availability of the Department’s information systems and resources are appropriately implemented and maintained.
404 Background. Information systems and networks have increased the complexity of safeguarding Federal government operations, financial resources, property, and information. Moreover, sensitive and non-public information, including private information about individuals (for example, personal information about DOL or contractor personnel and members of the general public, including Social Security Numbers) or other confidential information (for example, trade secrets), is vulnerable to inappropriate use, accidental disclosure, or malicious compromise. The systems and information covered by this policy require ongoing assessments and management oversight to ensure comprehensive protection. To be effective, a comprehensive, integrated “defense in depth” approach to managing IT resources is required that incorporates security and business objectives.
DOL must ensure that all information systems are protected from threats to confidentiality, integrity, and availability to a degree commensurate with the potential impact from a compromise. DOL maintains a variety of information systems that support the Department's mission. DOL information systems depend on adequate information, personnel, and physical security for proper operation and protection from unauthorized access and modification. The increased number and complexity of network attacks, the mandatory use of the Internet to provide services to the public, and the inherent vulnerability of networked information systems require a rigorous approach to protect the integrity of DOL information systems as well as preventing access to non-public information.
405 References.
A. Federal Information Security Management Act (35 U.S.C. 3541)
B. Public Law 105-277, the Government Paperwork Elimination Act (44 U.S.C. 3504)
C. Public Law 101-576, the Chief Financial Officers Act of 1990 (31 U.S.C. 501)
D. Public Law 105-220, the Workforce Investment Act, section 309 [29 U.S.C. 49l-2(a)(2)]
E. Public Law 104-106, Division E, the Information Technology Management Reform Act (Clinger-Cohen Act) of 1996
F. Public Law 104-13, the Paperwork Reduction Act of 1995
G. Public Law 100-503, the Computer Matching and Privacy Protection Act
H. Public Law 93-579, the Privacy Act of 1974 (5 U.S.C. 552a)
I. Trade Secrets Act (18 U.S.C. 1905)
J. Federal Records Act, 44 U.S.C. 2101 et seq., 2501 et seq., 2701 et seq., 2901 et seq., 3101 et seq.
K. Public Law 107-347, Title V, Confidential Information Protection and Statistical Efficiency Act of 2002
L. 29 CFR Part 71, DOL Regulations Implementing the Privacy Act
M. 5 CFR Part 731, Office of Personnel Management (OPM) Regulations, Suitability
N. 5 CFR Part 930, Subpart C OPM Regulations Implementing Training Requirements of Computer Security Act of 1987
O. Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection
P. OMB Circular No. A-130, Management of Federal Information Resources
Q. OMB Circular No. A-127, Financial Management Systems
R. OMB Circular No. A-123, Management Accountability and Control
S. OMB Circular No. A-11, Preparation, Submission and Execution of the Budget (Revised 07/25/2003)
T. OMB Memorandum No. M-03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003)
U. National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (December 2003)
V. NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
W. FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors
X. Secretary's Order 3-2003, Update of Delegation of Authority and Assignment of Responsibility to the Chief Information Officer
Y. NIST Special Publication Series 800
Z. Secretary’s Order 9-89, Establishment of Data Integrity Board within Department of Labor
406 Policy. DOL will protect its information, information systems, and resources from unauthorized users and from threats to integrity, availability, authenticity, confidentiality, and nonrepudiation. It is DOL policy to implement and maintain an information Security Program (herein referred to as the “Security Program”) that ensures adequate protection for all information and information systems that collect, process, transmit, store, and/or disseminate information. The Security Program must meet all DOL and other applicable Federal statutes and regulations governing this area.
A. Information Assurance and Security. In accordance with FISMA and other Federal laws, DOL must ensure that all information systems are protected from threats to confidentiality, integrity, and availability to a degree commensurate with the potential impact resulting from a compromise. DOL maintains a variety of information systems that support the Department's mission. DOL information systems depend on clear policies, based on “best practices,” adequate information, appropriate training, skilled personnel, and appropriate physical security for proper operation and protection from unauthorized access and modification. The increased exposure to system attacks, mandated reliance on the Internet, and the inherent vulnerability of networked information systems require a rigorous approach to protect DOL information systems and resources. The Chief Information Security Officer (CISO) is the focal point for the Security Program. DOL information security policies and directives include the following:
(1) DOL Manual Series (DLMS) 9 Chapters 400 and 900,
(2) DOL Cyber Security Program Plan,
(3) DOL Computer Security Handbook, and
(4) Any additional document identified as a policy or directive by the Chief Information Officer (CIO), Deputy Chief Information Officer (DCIO) or CISO.
With respect to other entities and persons outside of DOL, DOL will, as authorized by law and regulation, assure that appropriate safeguards are put in place to protect the integrity of DOL systems.
B. Security and Configuration Standards. DOL CISO, through the Enterprise Architecture (EA) governance process will, to the extent consistent with applicable law, develop and maintain security and configuration standards and guidelines to support the requirements of maintaining an effective and efficient Information Security Program. These standards and guidelines will be principally based on direction provided by NIST and OMB, and other recognized federal organizations responsible for developing and issuing standards. In the absence of DOL policy, standards, or guidelines, NIST standards and guidelines will be applied when available. As an alternate source, standards developed by recognized independent standards bodies not affiliated with commercial product vendors may be identified and implemented, as long as such standards are consistent with applicable federal standards and guidelines. When other appropriate standards do not exist from federal or independent standards issuing organizations, Agencies may select and implement vendor standards limited only to their specific products, as long as they satisfy the principal tenets of DOL’s security policy, and are consistent with applicable federal security standards and guidelines.
C. Systems Development. DOL will maintain a systems development methodology that incorporates methods and practices for the purpose of ensuring security requirements are identified, developed, and implemented as an integral part of the development lifecycle of all information systems.
D. Program Integration. DOL will implement and maintain policies and practices which seek to ensure that information security management processes are integrated with agency strategic and operational planning processes such as Capital Planning and Investment Control, System Development Life Cycle Management and Enterprise Architecture.
E. System and Information Protection. In accordance with applicable laws, regulations, policies, and procedures, DOL Agencies will assess the sensitivity and criticality of the information used and maintained on each Agency system. Federal Information Processing Standard (FIPS) 199 will be the standard for performing such a categorization, and will include low, moderate, or high. Strategies for risk acceptance and mitigation will be developed in accordance with “The Risk Management Guide for Information Technology Systems” (NIST 800-30) and will take into consideration statutory and regulatory requirements governing the information. Each DOL agency is responsible for ensuring the implementation and ongoing execution of DOL and Agency policies and procedures governing systems, information systems, and information they maintain or for which they are responsible.
DOL Agencies will implement security controls that are commensurate with the risk and magnitude of harm that may result from the loss, misuse, or unauthorized access to or modification of the systems or the information they manage.
All information in information systems, other IT assets, or any other media are subject to all relevant laws, regulations, and DOL policies and procedures, including (but not limited to) privacy and confidentiality protections provided by the Privacy Act of 1974 (including DOL implementing regulations and policy at 29 CFR Part 71 and DLMS 5-200), and the Trade Secrets Act.
F. Granting Access and Account Management. DOL and its Agencies will maintain standard operating procedures, consistent with law and regulation, to ensure that:
(1) Agencies determine which individuals may access systems.
(2) No such access will be provided unless there is compliance with appropriate levels of personnel security as provided by law, regulation, or DOL policies and procedures. Agencies shall consult with the Office of the Solicitor (SOL) as necessary.
(3) Those who access DOL information systems are authorized and sufficiently trained.
(4) Emergency access to information systems is strictly controlled.
(5) Access is promptly terminated when personnel are no longer authorized, such as upon the termination, removal, or departure of any DOL employee or contractor.
(6) Accurate records are maintained of all users who have access to DOL information systems.
(7) Access to DOL systems will be reviewed periodically to ensure users possess only the access rights/privileges required to do their assigned work. Refer to the Computer Security Handbook for procedures and standards on access rights/privileges.
G. Major Information Systems. DOL OCIO Security will maintain an inventory of major information systems as defined by the Office of Management and Budget in Circular A-130, i.e., those information systems that require special management attention because of their importance to agency mission; their high development, operating, or maintenance costs; or their significant role in the administration of the agency programs, finances, property or other resources. A detailed definition of DOL major information systems is included in the Computer Security Handbook.
H. Access to Sensitive Information. The agency owning a system will determine which individuals may access systems with sensitive information. No such access will be provided unless there is compliance with appropriate levels of personnel security as provided by law, regulation, or DOL policies and procedures. Access to sensitive information subject to Privacy Act, Trade Secrets Act, or other laws, must be on a need-to-know basis. Agencies shall consult with the Office of the Solicitor (SOL) as necessary. Employees must partake in a user level computer security awareness training session prior to being granted access to systems with sensitive information.
I. Intrusion Prevention and Detection. DOL system owners will implement appropriate controls, system and network monitoring, audit logging and monitoring of such logs, and testing to support the prevention and detection of unauthorized access to and use of DOL sensitive information through a combination of technology, policy, and procedures. All system connections must be documented in the system security plans.
J. Corrective Actions. Security weaknesses identified on DOL major information systems will be managed and mitigated through DOL Plans of Actions and Milestones (POA&M).
K. Authorization to Operate (ATO). All DOL major information systems providing or supporting sensitive information will be authorized to operate by the owning agency’s Designated Approval Authority (DAA) prior to being placed in production. The OCIO Security will develop methods for obtaining a system ATO that are appropriate to the criticality, value, and sensitivity of the information system and its information.
L. Logical Access Controls. All DOL information systems will implement and maintain logical access controls appropriate to the FIPS-199 rated sensitivity, level of risk, and the magnitude of harm caused by compromise of the information on that system. Factors such as system value, information value, criticality, legislative mandates, potential impact of loss, system environment, external exposure, and sensitivity will be used to determine the rigor of controls required by FIPS-200 that must be applied.
M. Risk Management. DOL Agencies will establish and execute measures for information security risk management in concert with other risk management activities to ensure the effective application of resources toward providing adequate protective measures for DOL information systems. Security weaknesses identified on DOL information systems will be managed through DOL process for security Plans of Actions and Milestones (POA&M). This process will encompass the identification and remediation of identified weaknesses.
N. Interconnectivity and Information Sharing. If a DOL system is interconnected with a system outside the scope of its DAA, the DAA shall enter into an Interconnection Security Agreement with the organization responsible for that system. Such agreements will ensure that protective measures and communications are implemented that provide assurances that:
(1) Security controls are complementary and not duplicative or counteracting.
(2) Time sensitive information related to security incidents and vulnerabilities is openly shared.
(3) Shared information is used solely for its intended and authorized purpose.
(4) Dispute resolution is effected.
(5) Contingency planning activities are coordinated.
Peer-to-Peer file sharing that is not DOL or Agency moderated and controlled shall not be allowed on DOL or Agency systems or infrastructure. Other communication software that includes similar functionality shall have that functionality permanently disabled, or shall not be allowed if the functionality cannot be disabled, unless the functionality is moderated and controlled. Agencies may elect to forbid any peer-to-peer technologies.
O. Emergency Processing. DOL will ensure that plans and procedures are in place that address emergency processing, essential functions, and service restoration for all DOL critical infrastructures and resources.
P. Testing. DOL agencies will test information system security controls through the performance of:
(1) Risk assessments every three years or upon major system changes to identify system vulnerabilities.
(2) Security Controls Assessment (SCA) to ensure that implemented controls adequately mitigate risks identified in the risk assessment, item (1) above.
(3) Annual controls review to ensure that protective controls and measures are in place and effective.
(4) Annual contingency testing to ensure that restoration procedures and documentation are effective.
(5) Regularly scheduled (to be completed periodically, commensurate with the system's sensitivity) independent vulnerability scanning and non-intrusive testing to ensure that systems remain properly secured against known vulnerabilities. Refer to the Computer Security Handbook for procedures and standards on vulnerability scanning and testing.
Security controls of sensitive systems will be tested in accordance with applicable laws and using related federally-produced manuals where appropriate (e.g., Financial systems are subject to the Federal Financial Management Improvement Act (FFMIA) and appropriate controls must be implemented in accordance with the Federal Information System Controls Audit Manual (FISCAM) produced by the Government Accountability Office (GAO)).
The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, is designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
Q. Rules of Behavior. DOL Agencies will establish "Rules of Behavior" consistent with Agency System Security Plans (SSP), DOL CSH, other agency requirements, and other DOL policies and procedures such as DLMS-9-900, Appropriate Use of DOL Information Technology. Agencies will conduct a review of the Rules of Behavior annually and upon major change to the system to ensure their adequacy.
Rules of Behavior, developed for each system, establish acceptable behavior concerning use of the system within an acceptable level of security risk for that system. The rules shall be based on the needs of the information on the system. The security required by the rules shall be only as stringent as necessary to provide adequate security as required for information in the system. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system. They shall also include appropriate limits on interconnections to other systems and shall define service provision and restoration priorities.
The rules of behavior will be implemented through the issuance of appropriate regulations where required by law.
R. Position Descriptions. DOL employees with significant security responsibility will have those responsibilities detailed in their job descriptions. Performance reviews will factor in the successful performance of these security responsibilities.
S. Contracts. To the extent permitted by applicable procurement regulations, contracts awarded by DOL that involve significant security responsibility on the part of contractors or subcontractors will delineate these responsibilities.
T. Emerging Technologies. DOL will maintain efforts to investigate and remain abreast of emerging technologies such as, but not limited to, Internet Protocol version 6 and wireless technologies, for use in the DOL business environment. These efforts will ensure that any research will factor in the security benefits and risks posed by new technologies to maximize their benefit and minimize any negative impact. Any new initiative that seeks to implement technologies that are considered “emerging” or “new” to the DOL environment must seek guidance from the Enterprise Architecture (EA) Program Management Office (PMO).
The Technical Review Board and its subcommittees may issue new and unique requirements for programs implementing emerging technologies to ensure the application of appropriate oversight to minimize the financial, technology, and security risk exposure of DOL.
U. Wireless Technologies. Wireless communications are subject to the same controls and restrictions as wired communications. However, wireless technology remains relatively insecure and therefore requires additional controls. The implementation of wireless network devices is considered a major change to a general support system (GSS) and requires the re-accreditation of the system. Wireless networks not included as a component of an existing GSS will be classified as a GSS and will be responsible for satisfying all applicable security requirements. Agencies considering implementation of wireless technologies must first seek guidance from the Enterprise Architecture (EA) Program Management Office (PMO) and must comply with DOL security and configuration standards.
Wireless implementations established prior to the release of this policy must be identified, approved, or removed within 120 days from the release of this policy.
V. Publicly Accessible Web Sites. Web sites which are accessible by the public will provide protective measures to assure the reliability and integrity of that information or service provided to the public. All Systems which perform transactions with the public requiring user authentication will conform to annual and ongoing e-Authentication requirements, as may be required by such programs.
W. Remote Connectivity. DOL and its Agencies will strictly enforce access control measures for all remote connectivity services to ensure that such connectivity does not weaken in-place protections or circumvent established procedures for granting and managing system access.
X. Physical Security. DOL and its Agencies will ensure physical and environmental security is adequate for protecting information and information system resources.
407 Definitions.
A. Agency refers to individual DOL component agencies, such as the Employment and Training Administration, Employment Standards Administration, Women’s Bureau, or Office of the Assistant Secretary for Policy.
B. Agency Computer Security Program Plans are the strategic planning documentation for Agency Computer Security Programs and encompass the Agency's entire Information Architecture.
C. Agency Computer Security Programs embody adequate security for all Agency information collected, processed, transmitted, stored, or disseminated in general support systems, and major applications.
D. Authenticity is the prevention of alteration of a document or information. It means the ability to confirm that someone holds the original document or information in its unaltered form.
E. Availability is the assurance that systems work promptly and that service is not denied to authorized users.
F. Computer Security Incident Response Capability (CSIRC) addresses the prevention of information security breaches and responds to information security incidents.
G. Confidentiality Protection, in the context of information systems, requires access controls such as user ID/passwords, terminal identifiers, restrictions on actions like read, write, delete, etc. Examples of confidentiality-protected information are privacy act records, trade secrets, and high or new technology under Executive Order, Federal law or regulation.
H. Contingency Plan is a management policy and procedure designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster; other procedures may include the establishment of redundant systems to ensure continuity of operations following systems failures.
I. Designated Approving Authority is the senior agency management official who is responsible for ensuring that all agency major information systems are authorized to process in accordance with certification and accreditation procedures established by the CIO. The DAA is the agency head or an official designee appointed in writing with direct succession authority.
J. Financial System, as defined by OMB Circular No. A-127, “Financial Management Systems,” means an information system, comprised of one or more applications, that is used for collecting, processing, maintaining, transmitting, and reporting information about financial events; supporting financial planning or budgeting activities; accumulating and reporting cost information; or supporting the preparation of financial statements. A financial system:
(1) Supports the financial functions required to track financial events, provide financial information significant to the financial management of the agency, and/or required for the preparation of financial statements;
(2) Encompasses automated and manual processes, procedures, controls, information, hardware, software, and support personnel dedicated to the operation and maintenance of system functions; and
(3) May include multiple applications that are integrated through a common database or are electronically interfaced, as necessary, to meet defined information and processing requirements.
K. Information means any communication or representation of knowledge such as facts, data, or opinions in any medium (including electronic) or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.
L. Information System encompasses any collection of IT or information processing, storage, or transmission device resources and the accompanying information. This collection is unique in that it is under the same direct management control, supporting the same function or mission objective, comprised of essentially the same operating characteristics and security needs, and residing in the same general operating environment.
M. Information Security is the comprehensive framework of policies, procedures, and actions required to improve the security of Federal information systems and to protect sensitive and valuable information contained in those systems. Information security achieves this intent through security awareness training, policies and standards, guidelines, program and system security plans, assignment of responsibilities, assessments and testing of vulnerabilities, measures to mitigate risks on a cost effective basis, organized responses to incidents, and a regular review of the program status within each agency.
N. Information Technology (IT) is the application of computers, communications, and software technology to the management, processing, and dissemination of information.
O. Integrity – Data integrity is the assurance that information and programs are changed only in a specified and authorized manner. System integrity is the assurance that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
P. Major Application means an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access.
Q. Major Information System is a system that requires special management attention because of its:
(1) importance to an agency mission; or
(2) significant role in the administration of agency programs, finances, property, or other resources, or
(3) high development, operating, or maintenance costs.
R. Non-repudiation is the ability to ensure that electronic information can be attributed to a sender, and that the sender cannot deny that it came from them (or their organization). It will often include verifiable time stamp information, and it often uses digital signature technology for its implementation. Non-repudiation is also important for assuring that a message did not come from a hacker or malicious individual.
S. Plan of Actions and Milestones, which is prepared by the information system owner, describes the measures that have been implemented or planned: (i) to correct any deficiencies noted during the assessment of the security controls; and (ii) to reduce or eliminate known vulnerabilities in the information system.
T. Risk Management is the ongoing process of assessing the risk to information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities, and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk. Where an Interconnection Security Agreement (ISA) exists, risk management shall include all systems affected by interconnectivity and information sharing.
U. Sensitive Information refers to information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, unavailability, or destruction of the information. The term includes, but is not limited to, information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, as well as proprietary information, records about individuals requiring protection under the Privacy Act, information exempt from mandatory disclosure under the Freedom of Information Act, and any other information protected by Federal law or regulation.
V. System Administrators are the individuals who are responsible for operating, maintaining, and protecting the hardware, software, networks, and information used for processing, storing, or transmitting DOL information, and for alerting system owners or the security office when risks or threats require redress.
W. System Security Plan is a formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
408 Responsibilities. The Information Security Program has distributed responsibilities that depend on the involvement and participation of all DOL component agencies and their offices that acquire, develop, operate, or replace information systems components. Agencies and offices must participate in the formulation and approval of DOL policies, implementation directives, requirements, procedures, and controls for the program. Agencies, offices, and personnel must carry out responsibilities as follows:
A. Chief Information Officer will have ultimate responsibility for ensuring that the Department fulfills its responsibilities under Title III of the E-Government Act, the Federal Information Security Management Act, and the Clinger-Cohen Act. The CIO has been granted authority by Secretary’s Order 3-2003 to designate a senior Department official (CISO) with information security responsibilities.
B. Chief Financial Officer responsibilities are defined in Secretary’s Order 01-92, “Authority and Responsibilities for Implementation of the Chief Financial Officers Act of 1990”, and Secretary's Order 01-97, “Authority and Responsibilities for Implementation of the Chief Financial Officers Act of 1990 and Related Legislation.” The CFO has ultimate responsibility for ensuring that the Department fulfills its financial responsibilities for internal financial controls and financial integrity under the Chief Financial Officers Act of 1990, the Federal Financial Management Improvement Act of 1996, the Federal Managers Financial Integrity Act, and the Clinger-Cohen Act.
C. Chief Information Security Officer is responsible for carrying out the CIO responsibilities under FISMA for a Department-wide information Security Program as his or her primary duty. The CISO must possess appropriate qualifications, including training and experience, required to administer the information Security Program functions. The DOL CISO is responsible for:
(1) Carrying out the CIO information security responsibilities under FISMA;
(2) Developing and implementing the Department-wide information Security Program;
(3) Developing an effective performance-based program to measure the adequacy and effectiveness of the Department-wide and agency specific information Security Programs;
(4) Ensuring that the component agencies effectively implement and maintain information security policies, procedures, and control techniques; and
(5) Carrying out any other information security duties designated by the CIO or DOL policy.
D. Agency Heads will have responsibility for ensuring that their respective Agency fulfills its responsibilities under Title III of the E-Government Act, FISMA, and other federal laws. The Agency Heads shall each designate an agency official who will have responsibility for Agency-wide information security as his or her primary duty depending on the mission and scope of a particular Agency. The Agency Heads or their designees are responsible for ensuring that all major Agency information systems obtain ATO prior to being placed in service; and assuring that their agencies:
(1) Implement and actively manage an Agency Computer Security Program that complies with DOL Computer Security Handbook and the Agency’s CSPP;
(2) Grant access to information systems and information only to appropriate personnel (in accordance with applicable law or regulation, or DOL policies and procedures) who meet the requirements of the Agency’s SSP and comply with guidance provided by the CIO;
(3) Address security requirements, corrective actions, and associated cost estimates in any DOL acquisition management system and throughout the life cycle for systems and services, including service-life extension and decommissioning activities; and
(4) Identify, inventory, and report to the CIO all major information systems within their control, and identify the security level and status of each system.
E. The Commissioner of Labor Statistics has security duties and responsibilities with respect to statistical data and data sharing and is responsible for carrying out responsibilities assigned by the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) of 2002 to heads of Designated Statistical Agencies, by the Statistical Policy Directive on Compilation, Release, and Evaluation of Principal Federal Economic Indicators (OMB Statistical Policy Directive #3) to heads of statistical agencies responsible for Principal Economic Indicators, and by the Federal Statistical Confidentiality Order to statistical agencies.
F. Each designated approving/accrediting authority (DAA, also known as the Authorizing Official) will be a senior management official or executive, designated in writing by the Agency Head, with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals. Through security accreditation, the DAA:
(1) Assumes responsibility and is accountable for the risks associated with operating an information system;
(2) Should have the authority to oversee the budget and business operations of the information system within the agency and is often called upon to approve system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding; and
(3) Can deny authorization to operate the information system (or if the system is already operational, halt operations) if unacceptable security risks exist.
With the increasing complexities of agency missions and organizations, it is possible that a particular information system may involve multiple authorizing officials. If so, agreements should be established among the authorizing officials and documented in the system security plan. In most cases, it will be advantageous to agree to a lead authorizing official to represent the interests of the other authorizing officials.
G. Each Agency’s Certification Agent is an individual, group, or organization, designated in writing by the Agency Head, responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The Certifying Agent also:
(1) provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system;
(2) provides an independent assessment of the system security plan prior to initiating the security assessment activities that are a part of the certification process;
(3) ensures the system security plan provides a set of security controls for the information system that is adequate to meet all applicable security requirements;
(4) should be in a position that is independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system, to preserve the impartial and unbiased nature of the security certification; and
(5) should also be independent of those individuals responsible for correcting security deficiencies identified during the security certification.
H. System Owners/Managers are accountable for the collection, security, and release of information contained on a system. When dealing with the security of a system and its information, the system owner is responsible for controls associated with:
(1) ensuring compliance with the security requirements of the EA governance process, Capital Investment Planning and Control, Systems Development Life Cycle Management, and in Section 404 D. Program Integration;
(2) briefing all system users of system specific Rules of Behavior and attesting to the completion of this task to the Agency Security Official;
(3) coordinating with DOL Solicitor to identify if their system is a Privacy Act system and maintaining all associated records;
(4) ensuring that system security plans are sufficient to ensure the appropriate privacy, confidentiality, integrity, and availability of information;
(5) approving and managing all access to their system;
(6) ensuring information security staff have the means to implement and maintain a system Security Program;
(7) ensuring operational staff have the means to implement and maintain system operational controls;
(8) ensuring technical staff have the means to implement and maintain system technical controls; and
(9) preparing and updating, as necessary, Privacy Impact Assessments, as required by the E-Government Act.
Agencies may also designate, in writing, these functional roles to various individuals in order to better meet their organizational needs.
I. The designated Agency Security Officer is responsible for implementing and maintaining their Agency’s information Security Program, applying DOL information security policy, and leading their respective agency’s CSIRC activities, including:
(1) Developing and maintaining an Agency-wide information Security Program, for the protection of information and information systems that support the Agency’s operations and assets, including periodic evaluation, testing, and remediation of Agency information security policies, procedures and practices;
(2) Determining the personnel security levels required to access each Agency information system, based on information sensitivity and mission criticality;
(3) Including security requirements in the agency’s IT capital investment planning and management process as required by DOL Guide to IT Capital Investment Management;
(4) Ensuring compliance with DOL CSH;
(5) Ensuring compliance with the security requirements of DOL System Development and Life Cycle Management (SDLCM) Manual;
(6) Training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities;
(7) Establishing and overseeing an Agency Computer Security Incident Response Team (CSIRT); and
(8) Carrying out information security duties designated by DOL policy and DOL-approved Agency policy.
Agencies may also designate, in writing, these functional roles to various individuals in order to better meet their organizational needs.
J. The Director, Human Resources Center, Office of the Assistant Secretary for Administration and Management (OASAM), will:
(1) Develop and implement appropriate background screening policy and procedures for employees and contractors with significant security responsibilities;
(2) Apply personnel Security Program procedures defined by applicable personnel related laws to DOL personnel accessing information systems and sensitive information;
(3) Ensure that Federal and contractor personnel processing procedures include initiation and termination of access to all DOL and DOL-funded systems and facilities upon entry and prior to exit from DOL; and
(4) Ensure that all DOL employees, contractors, and new hires receive appropriate Computer Security Awareness Training (CSAT) prior to being given access to systems with sensitive information.
K. Contracting Officers shall ensure that:
(1) Agency planners for IT acquisitions comply with the IT security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's NIST;
(2) Plans for IT acquisitions address IT security requirements;
(3) IT acquisitions include the appropriate IT security policies and requirements;
(4) IT acquisitions include clause 52.204-9, Personal Identity Verification of Contractor Personnel, and clause 52.239-1, Privacy or Security Safeguards; and
(5) IT acquisitions comply with FAR 39.105 Privacy and NIST FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems.”
L. The DOL Office of the Assistant Secretary for Administration and Management’s Departmental Budget Center must review all agency budgets to ensure that the costs associated with operational and IT security corrective actions are included.
M. Users. The term “user” applies to:
(1) DOL personnel, and
(2) any other Government employees who access DOL information and information systems or information systems provided for DOL use under contract, subcontract, or other agreement.
Users must apply the following DOL security practices to daily work activities:
(1) It is the responsibility of the individual user to protect information to which they have access.
(2) Users must adhere to the rules of appropriate use in applicable SSP, DOL, and agency guidance, and DLMS 9-900 Appropriate Use of DOL Information Technology.
(3) Users must adhere to the unique Rules of Behavior for the systems they access.
(4) Users are prohibited from the unauthorized uploading, downloading, access, use, transmittal, copying, reproduction, erasure, modification, or distribution of information the Federal government deems to be sensitive or illegal.
(5) Users must not share their passwords or access codes, and they must not keep written facsimiles of passwords or access codes.
(6) Users must not allow anyone else to use their User ID or password, and they must never share passwords with anyone, including technical help desk support and system administrators.
(7) Users are to select a password that complies with the Computer Security Handbook and is appropriate to the information they are protecting.
(8) Users are responsible for complying with DOL computer security policies at all off-site locations such as residences when working in flexiplace arrangements.
DOL Agencies may wish to consider the imposition of user requirements on other parties who are not Federal government employees. Any imposition of such requirements shall be in accordance with law, including the Administrative Procedure Act, where possible.
N. Personnel with Significant Security Responsibility includes those positions which have a direct impact on the implementation and effectiveness of security controls. These include System Owners/Managers, System Administrators, System developers, and others with similar roles and access to systems. These personnel must:
(1) Ensure that their systems, technical personnel, and users comply with all applicable legal requirements, including the Privacy Act, as well as their Agency’s CSPP, the SSP, and DOL CSH.
(2) Attend information security awareness and technical training using course materials appropriate to their role.
(3) Report security incidents, including virus and malicious code attacks, spoofing and spamming, in accordance with their Agency’s Incident Response Guide. In addition, system administrators must cooperate with incident response team members as guided by the Agency Security Officers and DAAs.
(4) Cooperate with personnel designated by the CIO or Agency Head during compliance reviews of facilities storing, processing, or transmitting DOL information resources.