{"profile":{"uuid":"5effb4c6-1c4d-42c3-8275-85506013911b","metadata":{"title":"FSEA Tailoring Profile","parties":[{"name":"U.S. Federal Space Exploration Administration","type":"organization","uuid":"02ed489b-0334-4539-919c-81c763b800bd","links":[{"rel":"website","href":"https://www.ed.gov"}],"short-name":"ED"}],"remarks":"This profile defines the Federal Space Exploration Administration tailoring of NIST SP 800-53 Rev 5 controls. The alters section captures control statement modifications and additions made by the Federal Space Exploration Administration beyond the original NIST baseline text. ODP parameter assignments are applied separately. FSEA Control Overlays (ED-NN) are maintained in the FSEA Control Overlay Catalog.","version":"1.1.0","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"7a2a8e08-c575-4208-a375-80d5651d22a5"}],"last-modified":"2026-05-19T16:00:00+00:00","oscal-version":"1.2.2"},"imports":[{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","include-controls":[{"with-ids":["ac-1","ac-2","ac-2.1","ac-2.2","ac-2.3","ac-2.4","ac-2.5","ac-2.7","ac-2.9","ac-2.11","ac-2.12","ac-2.13","ac-3","ac-3.9","ac-3.11","ac-3.14","ac-4","ac-4.4","ac-4.21","ac-5","ac-6","ac-6.1","ac-6.2","ac-6.3","ac-6.5","ac-6.6","ac-6.7","ac-6.8","ac-6.9","ac-6.10","ac-7","ac-7.2","ac-8","ac-10","ac-11","ac-11.1","ac-12","ac-12.1","ac-14","ac-17","ac-17.1","ac-17.2","ac-17.3","ac-17.4","ac-17.9","ac-18","ac-18.1","ac-18.3","ac-18.4","ac-18.5","ac-19","ac-19.5","ac-20","ac-20.1","ac-20.2","ac-20.3","ac-20.5","ac-21","ac-22","ac-23","at-1","at-2","at-2.1","at-2.2","at-2.3","at-2.4","at-3","at-3.3","at-3.5","at-4","at-6","au-1","au-2","au-3","au-3.1","au-3.3","au-4","au-5","au-5.1","au-5.2","au-6","au-6.1","au-6.3","au-6.4","au-6.5","au-6.6","au-6.7","au-6.9","au-7","au-7.1","au-8","au-9","au-9.2","au-9.3","au-9.4","au-9.5","au-9.6","au-10","au-11","au-12","au-12.1","au-12.3","au-16","au-16.1","au-16.2","ca-1","ca-2","ca-2.1","ca-2.2","ca-2.3","ca-3","ca-3.6","ca-5","ca-6","ca-6.1","ca-7","ca-7.1","ca-7.3","ca-7.4","ca-8","ca-8.1","ca-9","ca-9.1","cm-1","cm-2","cm-2.2","cm-2.3","cm-2.7","cm-3","cm-3.1","cm-3.2","cm-3.4","cm-3.6","cm-3.7","cm-4","cm-4.1","cm-4.2","cm-5","cm-5.1","cm-5.5","cm-6","cm-6.1","cm-6.2","cm-7","cm-7.1","cm-7.2","cm-7.5","cm-7.9","cm-8","cm-8.1","cm-8.2","cm-8.3","cm-8.4","cm-9","cm-10","cm-11","cm-12","cm-12.1","cm-13","cm-14","cp-1","cp-2","cp-2.1","cp-2.2","cp-2.3","cp-2.5","cp-2.8","cp-3","cp-3.1","cp-4","cp-4.1","cp-4.2","cp-6","cp-6.1","cp-6.2","cp-6.3","cp-7","cp-7.1","cp-7.2","cp-7.3","cp-7.4","cp-8","cp-8.1","cp-8.2","cp-8.3","cp-8.4","cp-8.5","cp-9","cp-9.1","cp-9.2","cp-9.3","cp-9.5","cp-9.8","cp-10","cp-10.2","cp-10.4","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.5","ia-2.6","ia-2.8","ia-2.12","ia-3","ia-3.1","ia-4","ia-4.4","ia-5","ia-5.1","ia-5.2","ia-5.5","ia-5.6","ia-5.7","ia-5.8","ia-5.12","ia-5.13","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ia-12","ia-12.1","ia-12.2","ia-12.3","ia-12.4","ia-12.5","ir-1","ir-2","ir-2.1","ir-2.2","ir-2.3","ir-3","ir-3.2","ir-3.3","ir-4","ir-4.1","ir-4.2","ir-4.4","ir-4.6","ir-4.8","ir-4.10","ir-4.11","ir-5","ir-5.1","ir-6","ir-6.1","ir-6.2","ir-6.3","ir-7","ir-7.1","ir-7.2","ir-8","ir-8.1","ir-9","ir-9.2","ir-9.3","ir-9.4","ma-1","ma-2","ma-2.2","ma-3","ma-3.1","ma-3.2","ma-3.3","ma-3.4","ma-3.5","ma-4","ma-4.1","ma-4.3","ma-4.4","ma-4.6","ma-4.7","ma-5","ma-5.1","ma-5.5","ma-6","mp-1","mp-2","mp-3","mp-4","mp-5","mp-5.3","mp-6","mp-6.1","mp-6.2","mp-6.3","mp-6.8","mp-7","pe-1","pe-2","pe-3","pe-3.1","pe-3.2","pe-4","pe-5","pe-6","pe-6.1","pe-6.4","pe-8","pe-8.1","pe-8.3","pe-9","pe-10","pe-11","pe-11.1","pe-12","pe-13","pe-13.1","pe-13.2","pe-14","pe-14.2","pe-15","pe-15.1","pe-16","pe-17","pe-18","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-8.1","pl-9","pl-10","pl-11","pm-1","pm-2","pm-3","pm-4","pm-5","pm-5.1","pm-6","pm-7","pm-7.1","pm-8","pm-9","pm-10","pm-11","pm-12","pm-13","pm-14","pm-15","pm-16","pm-16.1","pm-17","pm-18","pm-19","pm-20","pm-20.1","pm-21","pm-22","pm-23","pm-24","pm-25","pm-26","pm-27","pm-28","pm-29","pm-30","pm-30.1","pm-31","pm-32","pt-1","pt-2","pt-3","pt-3.1","pt-3.2","pt-4","pt-4.1","pt-4.2","pt-4.3","pt-5","pt-5.1","pt-5.2","pt-6","pt-6.1","pt-6.2","pt-7","pt-7.1","pt-7.2","pt-8","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.3","ra-5.4","ra-5.5","ra-5.6","ra-5.8","ra-5.10","ra-5.11","ra-7","ra-8","ra-9","sa-1","sa-2","sa-3","sa-3.2","sa-4","sa-4.1","sa-4.2","sa-4.5","sa-4.8","sa-4.9","sa-4.10","sa-4.12","sa-5","sa-8","sa-8.33","sa-9","sa-9.1","sa-9.2","sa-9.3","sa-9.5","sa-9.6","sa-9.8","sa-10","sa-10.1","sa-10.3","sa-10.7","sa-11","sa-11.1","sa-11.6","sa-11.8","sa-15","sa-15.3","sa-16","sa-17","sa-21","sa-22","sc-1","sc-2","sc-2.1","sc-3","sc-3.2","sc-4","sc-5","sc-5.1","sc-5.2","sc-5.3","sc-7","sc-7.3","sc-7.4","sc-7.5","sc-7.7","sc-7.8","sc-7.9","sc-7.10","sc-7.11","sc-7.12","sc-7.14","sc-7.15","sc-7.17","sc-7.18","sc-7.20","sc-7.21","sc-7.22","sc-7.24","sc-8","sc-8.1","sc-10","sc-12","sc-12.1","sc-13","sc-15","sc-15.4","sc-17","sc-18","sc-18.1","sc-18.2","sc-18.4","sc-20","sc-20.2","sc-21","sc-22","sc-23","sc-23.1","sc-23.3","sc-23.5","sc-24","sc-28","sc-28.1","sc-35","sc-39","sc-45","sc-45.1","si-1","si-2","si-2.2","si-2.3","si-2.4","si-2.5","si-2.6","si-3","si-4","si-4.1","si-4.2","si-4.4","si-4.5","si-4.10","si-4.11","si-4.12","si-4.13","si-4.14","si-4.16","si-4.18","si-4.19","si-4.20","si-4.22","si-4.23","si-4.24","si-5","si-5.1","si-6","si-7","si-7.1","si-7.2","si-7.5","si-7.7","si-7.15","si-8","si-8.2","si-10","si-11","si-12","si-12.1","si-12.2","si-12.3","si-16","si-18","si-18.4","si-19","sr-1","sr-2","sr-2.1","sr-3","sr-3.2","sr-3.3","sr-4","sr-4.1","sr-4.2","sr-4.3","sr-5","sr-5.2","sr-6","sr-6.1","sr-8","sr-9","sr-9.1","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"modify":{"alters":[{"adds":[{"by-id":"ca-7_smt.a","parts":[{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness or in accordance with OSA assessment schedule and in conjunction with the Continuous Diagnostics and Mitigation (CDM) Program;"}],"position":"after"}],"removes":[{"by-id":"ca-7_smt.b"}],"control-id":"ca-7"},{"adds":[{"by-id":"cm-2.7_smt","parts":[{"id":"cm-2.7_smt.b","name":"item","parts":[{"id":"cm-2.7_smt.b_ed.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Examination for signs of tampering;"},{"id":"cm-2.7_smt.b_ed.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Reimaging of the hard drive;"},{"id":"cm-2.7_smt.b_ed.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Scanning for malware; and"}],"props":[{"name":"label","value":"(b)"}],"prose":"Perform the following actions on Government Furnished Equipment and Services (GFES) which traveled outside of the United States and its territories upon the user’s return from travel."},{"id":"cm-2.7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Other actions deemed necessary by the EDSOC based upon the foreign travel location(s)."}],"position":"ending"},{"by-id":"cm-2.7_smt.b","parts":[{"id":"cm-2.7_ed-add.4","name":"item","prose":"Scanning for malware; and"}],"position":"after"},{"by-id":"cm-2.7_smt.b","parts":[{"id":"cm-2.7_ed-add.5","name":"item","prose":"Other actions deemed necessary by the EDSOC based upon the foreign travel location(s)."}],"position":"after"}],"removes":[{"by-id":"cm-2.7_smt.b"}],"control-id":"cm-2.7"},{"adds":[{"by-id":"cm-3.1_smt","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to FSEA systems;"}],"position":"starting"}],"removes":[{"by-id":"cm-3.1_smt.a"}],"control-id":"cm-3.1"},{"adds":[{"by-id":"ir-8_smt.a.1","parts":[{"id":"ir-8_ed-add.1","name":"item","prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated"}],"position":"after"}],"control-id":"ir-8"},{"adds":[{"by-id":"pl-2_smt.a.3","parts":[{"id":"pl-2_ed-add.1","name":"item","props":[{"name":"label","value":"•"}],"prose":"A System Overview: a detailed description of the system, including its purpose, the type of data it handles, and its role within the organization"}],"position":"after"},{"by-id":"pl-2_smt.a","parts":[{"id":"pl-2_ed-add.2","name":"item","props":[{"name":"label","value":"16."}],"prose":"Include risk determinations for security and privacy architecture and design decisions."}],"position":"ending"},{"by-id":"pl-2_smt.a","parts":[{"id":"pl-2_ed-add.3","name":"item","props":[{"name":"label","value":"17."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with other individuals or groups within the organization, including but limiting to, those responsible for assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing, as required."}],"position":"ending"},{"by-id":"pl-2_smt.a","parts":[{"id":"pl-2_ed-add.4","name":"item","props":[{"name":"label","value":"18."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}],"position":"ending"}],"control-id":"pl-2"},{"adds":[{"by-id":"pl-4_smt.d","parts":[{"id":"pl-4_smt.d_ex.1","name":"item","prose":"Alice, an employee at the Department, receives access to the IT systems after completing the \nrequired Cybersecurity and Privacy Awareness training and acknowledging the \nDepartment's Rules of Behavior. She adheres to the rules by using the IT resources for workrelated activities, securing her workstation when not in use, and reporting a suspected \nphishing email to the IT security team. Her actions demonstrate compliance with the rules, \ncontributing to the security of the Department's IT systems.","title":"Hypothetical Scenario Demonstrating Adherence:"},{"id":"pl-4_smt.d_ex.2","name":"item","prose":"Bob, another employee, violates the Rules of Behavior by using his department-issued laptop \nfor personal activities during work hours, which includes browsing non-work-related \nwebsites and downloading unauthorized software. This behavior is detected during a \nroutine IT security audit. As a result, Bob faces disciplinary action, which may include \nrevocation of his access to the Department's IT systems and further administrative or lega1 \nconsequences, as outlined in the Department's policies.","title":"Hypothetical Scenario Demonstrating Violation:"}],"position":"ending"}],"control-id":"pl-4"},{"adds":[{"by-id":"pt-8_smt.c","parts":[{"id":"pt-8_ed-add.1","name":"item","prose":"in accordance with subsection (e)(12) of the Privacy Act of 1974"}],"position":"after"}],"control-id":"pt-8"},{"adds":[{"by-id":"ac-1_smt.a.1.b","parts":[{"id":"ac-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"ac-1_smt","parts":[{"id":"ac-1_smt_ed-1","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system access control policy."},{"id":"ac-1_ed-add.4","name":"item","prose":"Review and update the policy annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ac-1_ed-add.5","name":"item","prose":"The Office of the Chief Information Officer (OCIO), Information Assurance Services (IAS) manage the development, documentation, and dissemination of the Department-level IT system access control standard operating procedures in support of this policy standard. IAS Branch Chiefs shall review these access control procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ac-1_ed-add.6","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system access control policy, and the associated access controls. The ISO and ISSO review access control procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ac-1_smt.a.2"},{"by-id":"ac-1_smt.b"},{"by-id":"ac-1_smt.c"}],"control-id":"ac-1"},{"adds":[{"by-id":"at-1_smt","parts":[{"id":"at-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"at-1_smt.a.1.b","parts":[{"id":"at-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"at-1_smt","parts":[{"id":"at-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level awareness and training policy."},{"id":"at-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"at-1_ed-add.4","name":"item","prose":"The Office of the Chief Information Officer (OCIO), Information Assurance Services (IAS) manage the development, documentation, and dissemination of the Department-level awareness and training standard operating procedures in support of this policy standard. IAS Branch Chiefs shall review these procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"at-1_ed-add.5","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department's awareness and training policy and the associated awareness and training controls. The ISO and ISSO shall review awareness and training procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"at-1_smt.a.2"},{"by-id":"at-1_smt.b"},{"by-id":"at-1_smt.c"}],"control-id":"at-1"},{"adds":[{"by-id":"au-1_smt","parts":[{"id":"au-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"au-1_smt.a.1.b","parts":[{"id":"au-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"au-1_smt","parts":[{"id":"au-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) and Senior Procurement Executive or designee are designated to manage the development, documentation, and dissemination of the Department-level IT system and services acquisition policy."},{"id":"au-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"au-1_ed-add.4","name":"item","prose":"Principal Office (PO) Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system and services acquisition policy and the associated controls. The ISO and ISSO shall review IT system and services acquisition procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"au-1_smt.a.2"},{"by-id":"au-1_smt.b"},{"by-id":"au-1_smt.c"}],"control-id":"au-1"},{"adds":[{"by-id":"ca-1_smt","parts":[{"id":"ca-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"ca-1_smt.a.1.b","parts":[{"id":"ca-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"ca-1_smt","parts":[{"id":"ca-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system security assessment and authorization policy."},{"id":"ca-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ca-1_ed-add.4","name":"item","prose":"The Office of the Chief Information Officer (OCIO), Information Assurance Services (IAS) manage the development, documentation, and dissemination of the Department-level IT system security assessment and authorization standard operating procedures in support of this standard. IAS Branch Chiefs shall review security assessment and authorization procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ca-1_ed-add.5","name":"item","prose":"Principal Office personnel including Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s security assessment and authorization policy and the associated controls. The ISO and ISSO shall review security assessment and authorization procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ca-1_smt.a.2"},{"by-id":"ca-1_smt.b"},{"by-id":"ca-1_smt.c"}],"control-id":"ca-1"},{"adds":[{"by-id":"cm-1_smt","parts":[{"id":"cm-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"cm-1_smt.a.1.b","parts":[{"id":"cm-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"cm-1_smt","parts":[{"id":"cm-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT Configuration Management policy."},{"id":"cm-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"cm-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT Configuration Management policy and the associated controls. The ISO and ISSO shall review IT Configuration Management procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"cm-1_smt.a.2"},{"by-id":"cm-1_smt.b"},{"by-id":"cm-1_smt.c"}],"control-id":"cm-1"},{"adds":[{"by-id":"cp-1_smt","parts":[{"id":"cp-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"cp-1_smt.a.1.b","parts":[{"id":"cp-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"cp-1_smt","parts":[{"id":"cp-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system contingency planning policy."},{"id":"cp-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"cp-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system contingency planning policy and the associated controls. The ISO and ISSO shall review IT system contingency planning procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"cp-1_smt.a.2"},{"by-id":"cp-1_smt.b"},{"by-id":"cp-1_smt.c"}],"control-id":"cp-1"},{"adds":[{"by-id":"ia-1_smt","parts":[{"id":"ia-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"ia-1_smt.a.1.b","parts":[{"id":"ia-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"ia-1_smt","parts":[{"id":"ia-1_ed-add.2","name":"item","prose":"The Department CISO is designated to manage the development, documentation, and dissemination of the Department-level IT identification and authentication policy."},{"id":"ia-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ia-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISOs) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT identification and authentication policy and the associated identification and authentication controls. The ISO and ISSO shall review identification and authentication procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ia-1_smt.a.2"},{"by-id":"ia-1_smt.b"},{"by-id":"ia-1_smt.c"}],"control-id":"ia-1"},{"adds":[{"by-id":"ir-1_smt","parts":[{"id":"ir-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"ir-1_smt.a.1.b","parts":[{"id":"ir-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"ir-1_smt","parts":[{"id":"ir-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT Incident Response policy."},{"id":"ir-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ir-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s Incident Response policy and the associated controls. The ISO and ISSO shall review Incident Response procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ir-1_smt.a.2"},{"by-id":"ir-1_smt.b"},{"by-id":"ir-1_smt.c"}],"control-id":"ir-1"},{"adds":[{"by-id":"ma-1_smt","parts":[{"id":"ma-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"ma-1_smt","parts":[{"id":"ma-1_ed-add.2","name":"item","prose":"The Department Chief Information Security Officer (CISO) is designated to manage the development, documentation, and dissemination of the Department-level maintenance policy."},{"id":"ma-1_ed-add.3","name":"item","prose":"This policy is reviewed and updated (at least) annually and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ma-1_ed-add.4","name":"item","prose":"Principal Office (PO) Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s maintenance policy and the associated maintenance controls. The ISO and ISSO shall review maintenance procedures (at least) annually and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ma-1_smt.a.2"},{"by-id":"ma-1_smt.b"},{"by-id":"ma-1_smt.c"}],"control-id":"ma-1"},{"adds":[{"by-id":"mp-1_smt","parts":[{"id":"mp-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"mp-1_smt.a.1.b","parts":[{"id":"mp-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"mp-1_smt","parts":[{"id":"mp-1_ed-add.2","name":"item","prose":"The Department Chief Information Security Officer (CISO) in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system media protection policy."},{"id":"mp-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"mp-1_ed-add.4","name":"item","prose":"Principal Office (PO) Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system media protection policy and the associated media protection controls. The ISO and ISSO shall review media protection procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"mp-1_smt.a.2"},{"by-id":"mp-1_smt.b"},{"by-id":"mp-1_smt.c"}],"control-id":"mp-1"},{"adds":[{"by-id":"pe-1_smt","parts":[{"id":"pe-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"pe-1_smt.a","parts":[{"id":"pe-1_smt.a.1","name":"item","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"},{"id":"pe-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pe-01_odp.03 }} physical and environmental protection policy, ACSD-OFO-031, Physical Security Program, in addition to this document that:"}],"position":"starting"},{"by-id":"pe-1_smt","parts":[{"id":"pe-1_ed-add.2","name":"item","prose":"The Deputy Assistant Secretary, Office of Security, Facilities, and Logistics within the Office of Finance and Operations (OFO) is designated to manage the development, documentation, and dissemination of the Department-level physical security policy. The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) and Physical Security Officer are designated to manage the development, documentation, and dissemination of the Department-level IT system physical and environmental protection policy standard (this document)."},{"id":"pe-1_ed-add.3","name":"item","prose":"This policy standard shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"pe-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system physical and environmental protection policy and the associated physical and environmental protection controls. The ISO and ISSO shall review IT system physical and environmental protection procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"pe-1_smt.a.1"},{"by-id":"pe-1_smt.a.2"},{"by-id":"pe-1_smt.b"},{"by-id":"pe-1_smt.c"}],"control-id":"pe-1"},{"adds":[{"by-id":"pl-1_smt","parts":[{"id":"pl-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"pl-1_smt.a.1.b","parts":[{"id":"pl-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"pl-1_smt","parts":[{"id":"pl-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system planning policy."},{"id":"pl-1_ed-add.3","name":"item","prose":"The policy must be checked and refreshed yearly and when new threats appear, or when there are major updates to Federal laws, executive orders, directives, regulations, and FSEA policies. It should also be updated to reflect new technologies and ways of delivering IT services. Changes should be made to enhance its effectiveness, based on suggestions from Principal Office staff."},{"id":"pl-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISOs) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of this policy standard and associated IT system planning controls. The ISO and ISSO shall review procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"pl-1_smt.a.2"},{"by-id":"pl-1_smt.b"},{"by-id":"pl-1_smt.c"}],"control-id":"pl-1"},{"adds":[{"by-id":"pt-1_smt","parts":[{"id":"pt-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"pt-1_smt.a.1.b","parts":[{"id":"pt-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"pt-1_smt","parts":[{"id":"pt-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Department Senior Agency Official for Privacy (SAOP) is designated to manage the development, documentation, and dissemination of the Department-level personally identifiable information processing and transparency policy."},{"id":"pt-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"pt-1_ed-add.4","name":"item","prose":"The Department-level personally identifiable information processing and transparency standard operating procedures shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"pt-1_smt.a.2"},{"by-id":"pt-1_smt.b"},{"by-id":"pt-1_smt.c"}],"control-id":"pt-1"},{"adds":[{"by-id":"ra-1_smt","parts":[{"id":"ra-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"ra-1_smt.a.1.b","parts":[{"id":"ra-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"ra-1_smt","parts":[{"id":"ra-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system risk assessment policy."},{"id":"ra-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"ra-1_ed-add.4","name":"item","prose":"Principal Office (PO) Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of the Department’s IT system risk assessment policy and the associated risk assessment controls. The ISO and ISSO shall review IT system risk assessment procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"ra-1_smt.a.2"},{"by-id":"ra-1_smt.b"},{"by-id":"ra-1_smt.c"}],"control-id":"ra-1"},{"adds":[{"by-id":"sa-1_smt","parts":[{"id":"sa-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"sa-1_smt.a.1.b","parts":[{"id":"sa-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"sa-1_smt","parts":[{"id":"sa-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) and Senior Procurement Executive or designee are designated to manage the development, documentation, and dissemination of the Department-level IT system and services acquisition policy."},{"id":"sa-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"sa-1_ed-add.4","name":"item","prose":"Principal Office (PO) Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of this policy standard and associated system and services acquisition controls. The ISO and ISSO shall review system and services acquisition procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"sa-1_ed-add.extra","name":"item","prose":"Control Overlay SA-1 ED-01 (P, L, M, H): This IT System and Services Acquisition (SA) Standard supplements ACSD-OCIO-011, Software Asset Management Acquisition Policy, ACSD-OFO-006, Acquisition Planning, Acquisition Procedures Manual, and Security and Privacy Requirements for IT Procurements."}],"position":"ending"}],"removes":[{"by-id":"sa-1_smt.a.2"},{"by-id":"sa-1_smt.b"},{"by-id":"sa-1_smt.c"}],"control-id":"sa-1"},{"adds":[{"by-id":"sc-1_smt","parts":[{"id":"sc-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"sc-1_smt.a.1.b","parts":[{"id":"sc-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"sc-1_smt","parts":[{"id":"sc-1_ed-add.2","name":"item","prose":"The Department CISO is designated to manage the development, documentation, and dissemination of the Department-level IT system and communications protection policy."},{"id":"sc-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"sc-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of this policy standard and associated system and communications protection controls. The ISO and ISSO shall review system and communications protection procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"sc-1_smt.a.2"},{"by-id":"sc-1_smt.b"},{"by-id":"sc-1_smt.c"}],"control-id":"sc-1"},{"adds":[{"by-id":"si-1_smt","parts":[{"id":"si-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"si-1_smt.a.1.b","parts":[{"id":"si-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"si-1_smt","parts":[{"id":"si-1_ed-add.2","name":"item","prose":"The Department CISO in conjunction with the Senior Agency Official for Privacy (SAOP) are designated to manage the development, documentation, and dissemination of the Department-level IT system and information integrity policy."},{"id":"si-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"si-1_ed-add.4","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of this policy standard and associated system and information integrity controls. The ISO and ISSO shall review IT system and information integrity procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"si-1_smt.a.2"},{"by-id":"si-1_smt.b"},{"by-id":"si-1_smt.c"}],"control-id":"si-1"},{"adds":[{"by-id":"sr-1_smt","parts":[{"id":"sr-1_ed-add.1","name":"item","prose":"The Department shall"}],"position":"starting"},{"by-id":"sr-1_smt.a.1.b","parts":[{"id":"sr-1_smt.a.1.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"authorizes the Department Chief Information Security Officer (CISO) and Department Chief Information Officer (CIO) to issue subordinate standards, procedures, and memos, with the same authority and enforcement as ACSD-OCIO-004, Cybersecurity Policy."}],"position":"after"},{"by-id":"sr-1_smt","parts":[{"id":"sr-1_ed-add.2","name":"item","prose":"The Department CISO is designated to manage the development, documentation, and dissemination of the Department-level IT supply chain risk management policy."},{"id":"sr-1_ed-add.3","name":"item","prose":"This policy shall be reviewed and updated annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"sr-1_ed-add.4","name":"item","prose":"The Office of the Chief Information Officer (OCIO), Information Assurance Services (IAS) manage the development, documentation, and dissemination of the Department-level supply chain risk management standard operating procedures in support of this policy standard. IAS Branch Chiefs shall review these procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."},{"id":"sr-1_ed-add.5","name":"item","prose":"Principal Office Information System Owners (ISO) and Information System Security Officers (ISSOs) are required to manage the development, documentation, and dissemination of system specific procedures to facilitate the implementation of this policy standard and associated IT supply chain risk management controls. The ISO and ISSO shall review IT supply chain risk management procedures annually (i.e., each fiscal year) and following the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and FSEA policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel."}],"position":"ending"}],"removes":[{"by-id":"sr-1_smt.a.2"},{"by-id":"sr-1_smt.b"},{"by-id":"sr-1_smt.c"}],"control-id":"sr-1"}],"set-parameters":[{"values":["internal system functions, FSEA Identity, Credential, and Access Management (ICAM), single sign on, or recommended automated mechanisms approved by the FSEA Authorizing Official (AO) and with email, telephonic, and text messaging notifications sent to system personnel, including the ISO and ISSO, when functionality is available"],"param-id":"ac-02.01_odp"},{"values":["disable"],"param-id":"ac-02.02_odp.01"},{"values":["identification that the temporary/emergency access is no longer required, not to exceed one business day"],"param-id":"ac-02.02_odp.02"},{"values":["as soon as possible but no later than one business day"],"param-id":"ac-02.03_odp.01"},{"values":["ninety (90) days for Moderate systems and 30 days for High systems and HVAs. If no automated capability is available, manual methods must be implemented and documented in the SSP. ISSOs are responsible for ensuring inactive accounts are disabled if the system cannot do so automatically"],"param-id":"ac-02.03_odp.02"},{"values":["they expect to be inactive for more than 12 hours"],"param-id":"ac-02.05_odp"},{"values":["a role-based access scheme, and only one local account to be used as the account of last resort in the event the authentication service is unavailable"],"param-id":"ac-02.07_odp"},{"values":["a defined need with business justification explaining why such accounts are necessary and the conditions for establishing shared and group accounts"],"param-id":"ac-02.09_odp"},{"values":["ISSO recommended circumstances and/or usage conditions which determine when system accounts can be used such as restricting usage to certain days of the week, time of day, or specific durations of time approved by the ISO"],"param-id":"ac-02.11_odp.01"},{"values":["privileged user, temporary and emergency accounts"],"param-id":"ac-02.11_odp.02"},{"values":["atypical times of day and originating internet protocol (IP) address for a known privileged account user that are inconsistent with normal usage patterns"],"param-id":"ac-02.12_odp.01"},{"values":["the FSEA Security Operations Center (EDSOC) and ISSO"],"param-id":"ac-02.12_odp.02"},{"values":["twenty-four (24) hours"],"param-id":"ac-02.13_odp.01"},{"values":["a security incident reported to or under investigation by the EDSOC. Accounts can be directed to be disabled by the CIO/CISO/FSEA Information System Security Manager (ISSM)/ISSO/ISO/Contracting Officer’s Representative (COR)/EDSOC in reference to a security incident. If automated disabling capability is unavailable, manual methods must be implemented and documented in the SSP. ISSOs are responsible for ensuring inactive accounts are disabled"],"param-id":"ac-02.13_odp.02"},{"values":["the following attributes as defined in the user role(s) matrix in SSP System Description Narrative: User Types: Internal or External; Privileged (P), Non-Privileged (NP), or No Logical Access (NLA); Sensitivity Level in accordance with control PS-2; Authorized Privileges; and Functions Performed"],"param-id":"ac-02_odp.02"},{"values":["ISO, ISSO, or assigned delegate"],"param-id":"ac-02_odp.03"},{"values":["least privilege and separation of duties, and Department policies and supporting standards, including the standards within this document"],"param-id":"ac-02_odp.04"},{"values":["assigned help desks, support services teams, ISO, ISSO, or assigned delegate(s), when applicable"],"param-id":"ac-02_odp.05"},{"values":["As soon as possible but no later than one business day after notification received with actions for privileged users prioritized"],"param-id":"ac-02_odp.06"},{"values":["As soon as possible but no later than one business day after notification received with actions for privileged users prioritized"],"param-id":"ac-02_odp.07"},{"values":["As soon as possible but no later than one business day after notification received with actions for privileged users prioritized"],"param-id":"ac-02_odp.08"},{"values":["Requested roles/privileges"],"param-id":"ac-02_odp.09"},{"values":["monthly for HVAs and High impact systems and quarterly for Moderate and Low impact systems. Based upon the review, modify, or remove accounts, as necessary, to correctly reflect organizational mission and business need. Not applicable to cloud service providers or Shared Services"],"param-id":"ac-02_odp.10"},{"values":["system or system component"],"param-id":"ac-03.09_odp.01"},{"values":["a level of protection commensurate with the confidentiality, integrity, and availability impact levels of the information being shared"],"param-id":"ac-03.09_odp.02"},{"values":["A documented manual process or automated tools"],"param-id":"ac-03.09_odp.03"},{"values":["cryptographic keys, authentication information, and sensitive information requiring extra protection (e.g., personally identifiable information, federal tax information)"],"param-id":"ac-03.11_odp"},{"values":["a self-service mechanism (e.g., application interface) and/or the Department's Privacy Act Request Form"],"param-id":"ac-03.14_odp.01"},{"values":["those elements identified in privacy disclosures with the SAOP and Office of the General Counsel (OGC) consulted to determine appropriate mechanisms and access rights or limitations"],"param-id":"ac-03.14_odp.02"},{"values":["business or mission required separations by types of information"],"param-id":"ac-04.21_odp.03"},{"values":["the approved enterprise zero trust architecture (ZTA) services (e.g., Web Service Security [WS Security], WS-Security Policy, WS Trust, WS Policy Framework, Security Assertion Markup Language [SAML], Extensible Access Control Markup Language [XACML])"],"param-id":"ac-04_odp"},{"values":["within the system description narrative, all system user roles, privileges, and duties assigned to each role, the specific duties and privileges that each role cannot perform, and rationale for why they are incompatible"],"param-id":"ac-05_odp"},{"values":["security relevant information or security functions (examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions)"],"param-id":"ac-06.02_odp"},{"values":["all privileged commands (i.e., any command requiring privileges above a standard user)"],"param-id":"ac-06.03_odp.01"},{"values":["compelling operational needs as approved by the ISO, ISSO, and or the AO, based upon an assessment of risk"],"param-id":"ac-06.03_odp.02"},{"values":["individuals, services and systems/machines approved by the ISO, ISSO, and/or the AO based upon an assessment of risk"],"param-id":"ac-06.05_odp"},{"values":["monthly for HVAs and High impact systems; quarterly for Moderate impact systems"],"param-id":"ac-06.07_odp.01"},{"values":["all privileged roles and users"],"param-id":"ac-06.07_odp.02"},{"values":["any software except software explicitly documented, approved, and registered on the technology standards and products guide (TSPG)"],"param-id":"ac-06.08_odp"},{"values":["mobile devices"],"param-id":"ac-07.02_odp.01"},{"values":["approved purging or wiping requirements and techniques"],"param-id":"ac-07.02_odp.02"},{"values":["ten (10)"],"param-id":"ac-07.02_odp.03"},{"values":["three (3)"],"param-id":"ac-07_odp.01"},{"values":["thirty (30) minute period with system accounts locked immediately upon any unsuccessful attempt to login"],"param-id":"ac-07_odp.02"},{"values":["lock the account or node for thirty (30) minutes unless the user contacts the Help Desk to manually unlock the account during the thirty (30) minute period. For system accounts and systems unable to set the thirty (30) minute lockout duration, accounts must remain locked until being reset by an administrator. After three (3) consecutive account lock- outs due to unsuccessful login attempts, the account must be disabled until an administrator can re-enable it"],"param-id":"ac-07_odp.03"},{"values":["the Department’s approved system use notification message or banner (see APPENDIX B - USER NOTIFICATION WARNING BANNER)"],"param-id":"ac-08_odp.01"},{"values":["when accessed via logon interfaces with human users"],"param-id":"ac-08_odp.02"},{"values":["standard user, power user, privileged user, service account and machine account"],"param-id":"ac-10_odp.01"},{"values":["the number of sessions required by specific role to perform essential duties as documented and approved by the ISSO"],"param-id":"ac-10_odp.02"},{"values":["initiating a device lock after fifteen (15) minutes of inactivity and requiring the user to initiate a device lock before leaving the system unattended"],"param-id":"ac-11_odp.01"},{"values":["a. Fifteen (15) minutes of session inactivity within user-initiated application sessions;","b. Targeted responses to certain types of incidents; and","c. Time-of-day restrictions on system use, if implemented."],"param-id":"ac-02_odp.01"},{"values":["a. Fifteen (15) minutes of session inactivity within user-initiated application sessions","b. Targeted responses to certain types of incidents; and","c. Time-of-day restrictions on system use, if implemented."],"param-id":"ac-12_odp"},{"values":["sensitive information (e.g., personally identifiable information [PII], FTRI)"],"param-id":"ac-12.01_odp"},{"values":["specific actions based upon an assessment of risk"],"param-id":"ac-14_odp"},{"values":["timelines commensurate with the situational need as identified by the ISO, ISSO, and/or AO"],"param-id":"ac-17.09_odp"},{"values":["ISO, ISSO, and/or AO approved special cases for remote administration and maintenance tasks"],"param-id":"ac-17.4_prm_1"},{"values":["users and devices and FIPS validated encryption"],"param-id":"ac-18.01_odp"},{"values":["full device encryption whenever possible, or with written AO authorization, container encryption when full device is not possible"],"param-id":"ac-19.05_odp.01"},{"values":["ED-approved and authorized mobile devices and services"],"param-id":"ac-19.05_odp.02"},{"values":["governance policies and procedures, and when available automated technology which prohibits the use of any external system that is not FSEA owned or authorized including the use of personally owned or corporate-owned systems and services"],"param-id":"ac-20.02_odp"},{"values":["Establish, maintain and monitor Interconnection Security Agreements (ISAs), Inter Agency Agreements (IAA) and other agreements with external agencies per NIST SP 800-47 and FSEA policies and standards including ACSD-OFO-05112, Interagency Agreements and ACSD- OCIO-00213, Controlled Unclassified Information Program; and establish, maintain and monitor other binding agreements with employees and contractors which include ED-defined controls to be implemented on personally owned systems, components, or devices consistent with trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to"],"param-id":"ac-20_odp.01"},{"values":["external systems not covered by a current ISA, IAA, or other agreements with external agencies"],"param-id":"ac-20_odp.04"},{"values":["information that may be restricted in some manner based on some formal or administrative determination including but not limited to contract-sensitive information, privileged information, proprietary information, and personally identifiable information"],"param-id":"ac-21_odp.01"},{"values":["non-disclosure agreements (NDAs) and when feasible automated processes which use information flow and security attributes"],"param-id":"ac-21_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"ac-22_odp"},{"values":["data mining prevention and detection techniques"],"param-id":"ac-23_odp.01"},{"values":["data storage objects"],"param-id":"ac-23_odp.02"},{"values":["bypassing authorized information flow control mechanisms available for use"],"param-id":"ac-04.04_odp.01"},{"values":["decrypting the information; blocking the flow of the encrypted information; or terminating communications sessions attempting to pass encrypted information"],"param-id":"ac-04.04_odp.02"},{"values":["defined mechanisms and/or techniques"],"param-id":"ac-4.21_prm_1"},{"values":["security administrators, system administrators, system security officers, system programmers, and other privileged users"],"param-id":"ac-06.01_odp.01"},{"values":["Security functions (deployed in hardware, software, and firmware) including, at a minimum:","1. Establishing system accounts, configuring access authorizations (i.e., permissions, privileges);","2. Setting/modifying audit logs and auditing behavior","3. Setting/modifying boundary protection system rules;","4. Configuring/modifying access authorizations (i.e., permissions, privileges);","5. Setting/modifying authentication parameters; and","6. Setting/modifying system configurations and parameters; and"],"param-id":"ac-6.1_prm_2"},{"values":["Filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists"],"param-id":"ac-06.01_odp.05"},{"values":["FSEA Security Operations Center (EDSOC) defined indicators of malicious code"],"param-id":"at-02.04_odp"},{"values":["1. Conduct practical exercises that simulate actual cyber-attacks. Practical exercises may include social engineering attempts to collect information, gain unauthorized access, invoke opening malicious email attachments, or web links via spear phishing attacks.","2. Supplement training providing by using awareness techniques such as posting information on connectED, generating email advisories/notices (e.g., Department-wide or from senior Department officials), conducting information security awareness events, and conducting other awareness activities deemed appropriate."],"param-id":"at-02_odp.05"},{"values":["annually (i.e., each fiscal year)"],"param-id":"at-02_odp.06"},{"values":["security and privacy incidents or breaches"],"param-id":"at-02_odp.07"},{"values":["all FSEA employees, contractors, and other internal users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004 Cybersecurity Policy"],"param-id":"at-03.05_odp.01"},{"values":["annual (i.e., each fiscal year)"],"param-id":"at-03.05_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"at-03_odp.03"},{"values":["security and privacy incidents or breaches"],"param-id":"at-03_odp.05"},{"values":["a minimum of three (3) years"],"param-id":"at-04_odp"},{"values":["annually"],"param-id":"at-06_odp.01"},{"values":["annually: OCIO/IAS Cybersecurity Awareness and Training Program Manager upon request"],"param-id":"at-06_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"at-2_prm_1"},{"values":["a determination by the Department CIO, CISO, or Governance, Risk and Policy Branch (GRP) branch chief that additional training is required to manage risk"],"param-id":"at-2_prm_2"},{"values":["The types of events shall include those events that are significant and relevant to the security of systems and the privacy of individuals and that provide the ability to establish, correlate, and investigate events relating to an incident or identify those responsible for one"],"param-id":"au-02_odp.01"},{"values":["annually (i.e., each fiscal year) or whenever there is a change in Department policies and standards, system’s threat environment, or tiers and maturity model for event log management published by OMB memo"],"param-id":"au-02_odp.04"},{"values":["the reduction in the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability. At a minimum, audit log storage capacity must comply with OMB M-21-31 or successor"],"param-id":"au-04_odp"},{"values":["Administrators (Application, System, Network, etc.)"],"param-id":"au-05.01_odp.01"},{"values":["an hour"],"param-id":"au-05.01_odp.02"},{"values":["75%"],"param-id":"au-05.01_odp.03"},{"values":["an hour"],"param-id":"au-05.02_odp.01"},{"values":["Administrators (Application, System, Network, etc.)"],"param-id":"au-05.02_odp.02"},{"values":["Inability to forward audit logs to separate system","Audit records overwritten","Generation of audit logs stopped."],"param-id":"au-05.02_odp.03"},{"values":["Administrators (Application, System, Network, etc.) and ISSO, at a minimum"],"param-id":"au-05_odp.01"},{"values":["a matter of minutes (i.e., real-time alerts) in the event of an audit logging process failure"],"param-id":"au-05_odp.02"},{"values":["overwrite oldest audit records for those systems which are configured to offload audit logs to a separate system or shut down the information system when audit records are not offloaded to a separate system. Actions taken must comply with OMB M-21-31 or successor"],"param-id":"au-05_odp.03"},{"values":["Department authorized automated tools with the ability to consolidate, analyze and report the results of audit record review as required to comply with OMB M-21-31 or successor"],"param-id":"au-06.01_odp"},{"values":["vulnerability scanning information, performance data, system monitoring information, physical access control devices, and other systems within the system authorization boundary and/or hosting environment and other data and information as required to comply with OMB M-21-31 or successor"],"param-id":"au-06.05_odp.01"},{"values":["role or user"],"param-id":"au-06.07_odp"},{"values":["as required to comply with OMB M-21-31 or successor"],"param-id":"au-06_odp.01"},{"values":["compromise such as unauthorized access, unauthorized account additions or role modifications, misuse of authority or access, misconfiguration, unauthorized modification or deletion of data"],"param-id":"au-06_odp.02"},{"values":["ISOs, ISSOs, and FSEA Security Operations Center (EDSOC) personnel"],"param-id":"au-06_odp.03"},{"values":["system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol (IP) addresses involved, or event success or failure and other content as required to comply with OMB M-21-31 or successor"],"param-id":"au-07.01_odp"},{"values":["as required to comply with OMB M-21-31 or successor"],"param-id":"au-09.02_odp"},{"values":["a subset of privileged users, as required to comply with OMB M-21-31 or successor"],"param-id":"au-09.04_odp"},{"values":["manual movement and deletion"],"param-id":"au-09.05_odp.01"},{"values":["system audit logs"],"param-id":"au-09.05_odp.02"},{"values":["system-identified and documented privileged accounts only"],"param-id":"au-09.06_odp"},{"values":["actions sufficient to prove user non-repudiation as required to comply with OMB M21-"],"param-id":"au-10_odp"},{"values":["time frames required to comply with OMB M-21-31 or successor, to provide support for after-the-fact investigations of incidents and to meet statutory, regulatory, and organizational information retention requirements"],"param-id":"au-11_odp"},{"values":["all system components"],"param-id":"au-12.01_odp.01"},{"values":["a timeframe as required to comply with OMB M-21-31 or successor"],"param-id":"au-12.01_odp.02"},{"values":["Administrators (Application, System, Network, etc.), ISO, ISSO, Information System Security Manager (ISSM), System Program/Project Managers"],"param-id":"au-12.03_odp.01"},{"values":["all system components"],"param-id":"au-12.03_odp.02"},{"values":["change management decisions or threat criteria provided by the EDSOC and as required to comply with OMB M-2131 or successor"],"param-id":"au-12.03_odp.03"},{"values":["one hour"],"param-id":"au-12.03_odp.04"},{"values":["ISOs and ISSOs in accordance with OMB M-21-31 or successor to select the event types that are to be logged by specific components of the system"],"param-id":"au-12_odp.02"},{"values":["authorized organizations"],"param-id":"au-16.02_odp.01"},{"values":["cross organizational sharing agreements"],"param-id":"au-16.02_odp.02"},{"values":["contracts or agreements"],"param-id":"au-16_odp.01"},{"values":["audit information"],"param-id":"au-16_odp.02"},{"values":["annual (i.e., each fiscal year)"],"param-id":"ca-02.02_odp.01"},{"values":["announced"],"param-id":"ca-02.02_odp.02"},{"values":["annual (i.e., each fiscal year), announced, penetration testing and other forms of security assessments to include but not be limited to the following: in- depth monitoring; malicious user testing; vulnerability scanning; insider threat assessment; performance/load testing"],"param-id":"ca-02.02_odp.03"},{"values":["any Federal Risk and Authorizati"],"param-id":"ca-02.03_odp.01"},{"values":["Management Program (FedRAMP) accredited third party assessment organization (3PAO) on FedRAMP authorized cloud service providers (CSP)"],"param-id":"ca-02.03_odp.02"},{"values":["the conditions of the Joint Authorization Board (JAB) or agency AO for systems listed as FedRAMP Authorized in the FedRAMP Marketplace"],"param-id":"ca-02.03_odp.03"},{"values":["at least annually (i.e., each fiscal year) using independent assessors, self-assessments or ongoing security control monitoring/ongoing security authorization processes"],"param-id":"ca-02_odp.01"},{"values":["Chief Information Security Officer (CISO), AO, Chief Privacy Officer/Senior Agency Official for Privacy (CPO/SAOP), ISO, and ISSO"],"param-id":"ca-02_odp.02"},{"values":["interconnection security agreements (ISA); memorandum of understanding (MOU); interagency agreements (IAA); service level agreements (SLA)"],"param-id":"ca-03_odp.01"},{"values":["in the following manner: Reviews must be undertaken annually, with the review completion reflected by ISSO validation of this control within the Department’s system of record Governance, Risk, and Compliance Tool (GRCT). The MOU must be updated at least every three years or when a major change impacting the MOU takes place, whichever occurs soonest"],"param-id":"ca-03_odp.03"},{"values":["monthly, at minimum"],"param-id":"ca-05_odp"},{"values":["in accordance with the terms and conditions established by the AO"],"param-id":"ca-06_odp"},{"values":["including, at minimum, metrics defined in the current version of the IAS Information System Continuous Monitoring (ISCM) Roadmap"],"param-id":"ca-07_odp.01"},{"values":["at least monthly"],"param-id":"ca-07_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"ca-07_odp.03"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"ca-08_odp.01"},{"values":["all FIPS 199 High impact and HVA information systems"],"param-id":"ca-08_odp.02"},{"values":["all components or classes of components"],"param-id":"ca-09_odp.01"},{"values":["determining it no longer provides support for organizational missions or business functions or when conditions meet one or more of the following"],"param-id":"ca-09_odp.02"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"ca-09_odp.03"},{"values":["CISO, AO, CPO/SAOP"],"param-id":"ca-7_prm_4"},{"values":["monthly"],"param-id":"ca-7_prm_5"},{"values":["applicable manual and automated tools designated by the PO and approved for use by the Enterprise Architecture Technical Insertion, (EA(TI))"],"param-id":"cm-02.02_odp"},{"values":["at a minimum one (1) previous version of baseline configuration of the system to support rollback"],"param-id":"cm-02.03_odp"},{"values":["a hardened device"],"param-id":"cm-02.07_odp.01"},{"values":["a temporary network and email alias for the duration of travel, at the discretion of the FSEA Security Operations Center (EDSOC)"],"param-id":"cm-02.07_odp.02"},{"values":["At a minimum annually (i.e., each fiscal year)"],"param-id":"cm-02_odp.01"},{"values":["significant system change"],"param-id":"cm-02_odp.02"},{"values":["FSEA approved automated mechanisms"],"param-id":"cm-03.01_odp.01"},{"values":["the FSEA Configuration Change Board (CCB) or CCB approved alternate, ISO, and ISSO"],"param-id":"cm-03.01_odp.02"},{"values":["time period specified in the change management process documentation"],"param-id":"cm-03.01_odp.03"},{"values":["the FSEA CCB, ISO, and ISSO"],"param-id":"cm-03.01_odp.04"},{"values":["CCB"],"param-id":"cm-03.04_odp.03"},{"values":["at least twice a year"],"param-id":"cm-03.07_odp.01"},{"values":["dictated by the FSEA configuration change control process"],"param-id":"cm-03.07_odp.02"},{"values":["a minimum of 6 months"],"param-id":"cm-03_odp.01"},{"values":["the FSEA Configuration Change Board (CCB) or CCB approved alternate"],"param-id":"cm-03_odp.02"},{"values":["at a minimum monthly or in accordance with FSEA CCB process documentation"],"param-id":"cm-03_odp.03"},{"values":["FSEA approved automated mechanisms"],"param-id":"cm-05.01_odp"},{"values":["key components of infrastructure, to include but not limited to, network servers, desktops and databases related to those information systems based on mission requirements running within the FISMA system boundary"],"param-id":"cm-06.01_odp.01"},{"values":["approved baseline configuration settings"],"param-id":"cm-06.02_odp.01"},{"values":["1. Alert designated organizational personnel including the EDSOC, ISO, ISSO;","2. Restore established configuration settings; or","3. In extreme cases, halt affected information system processing"],"param-id":"cm-06.02_odp.02"},{"values":["the most updated DISA STIG, with Security Engineering and Architecture Branch (SEA) authorized deviations as needed"],"param-id":"cm-06_odp.01"},{"values":["individual components within systems including, but not limited to, servers, workstations, network components and databases"],"param-id":"cm-06_odp.02"},{"values":["explicit operational requirements which are documented in the system security plan (SSP) and/or secure configuration baseline"],"param-id":"cm-06_odp.03"},{"values":["at a minimum annually for non-HVA systems, and quarterly for HVA systems"],"param-id":"cm-07.01_odp.01"},{"values":["FSEA defined policies regarding software program usage and restrictions, to include but not limited to","a. FSEA authorized software programs (i.e., allow-list); and","b. FSEA unauthorized software programs (i.e., deny-list) only in circumstances where it is technologically infeasible to deploy and operate the allow list."],"param-id":"cm-07.02_odp.01"},{"values":["software programs authorized to execute on FSEA information systems"],"param-id":"cm-07.05_odp.01"},{"values":["at a minimum annually (i.e., each fiscal year"],"param-id":"cm-07.05_odp.02"},{"values":["hardware components authorized for system use"],"param-id":"cm-07.09_odp.01"},{"values":["at least annually"],"param-id":"cm-07.09_odp.02"},{"values":["mission essential capabilities"],"param-id":"cm-07_odp.01"},{"values":["FSEA defined automated mechanisms"],"param-id":"cm-08.03_odp.04"},{"values":["Isolate the components; and","Notify the Information System Security Officer (ISSO)."],"param-id":"cm-08.03_odp.05"},{"values":["name, Principal Office (PO), position, and role"],"param-id":"cm-08.04_odp"},{"values":["as defined in Cyber Security Assessment and Management (CSAM) System Information, Appendix S – Hardware Listing and System Information, Appendix T – Software Listing; not required for cloud service providers or Shared Services"],"param-id":"cm-08_odp.01"},{"values":["at a minimum quarterly"],"param-id":"cm-08_odp.02"},{"values":["Information System Owner (ISO) and Information System Security Officer (ISSO)"],"param-id":"cm-09_odp"},{"values":["policies as specified in ACSD-OCIO-0119, Software Asset Management Acquisition Policy and FSEA Acceptable Use, as necessary, documenting permitted and prohibited actions regarding software installation and procedural enforcement methods"],"param-id":"cm-11_odp.01"},{"values":["Automated methods (e.g., configuration settings implemented on organizational systems); and","Manual methods (e.g., periodic examination of user accounts);"],"param-id":"cm-11_odp.02"},{"values":["through the continuous monitoring process"],"param-id":"cm-11_odp.03"},{"values":["sensitive informati"],"param-id":"cm-12.01_odp.01"},{"values":["by information type on FSEA system components"],"param-id":"cm-12.01_odp.02"},{"values":["sensitive data as determined by the CISO or Chief Privacy Officer (CPO)/SAOP"],"param-id":"cm-12_odp"},{"values":["software and firmware components"],"param-id":"cm-14_prm_1"},{"values":["FSEA required security and privacy representatives"],"param-id":"cm-3.4_prm_1"},{"values":["FSEA approved automated mechanisms"],"param-id":"cm-6.1_prm_2"},{"values":["identified functions, ports, protocols, software and services within the system deemed to be unnecessary and/or non-secure by the CISO"],"param-id":"cm-7.1_prm_2"},{"values":["those not needed to conduct business as specified in FSEA minimum security baselines (e.g., Hypertext Transfer Protocol [HTTP], teletype network [Telnet], File Transfer Protocol [FTP]); DISA STIGs; NIST standards and baselines; other U.S. Government standards; cyber security industry best practices, benchmarks, and guidelines; and vendor checklists and baselines, as determined to be appropriate by the CISO"],"param-id":"cm-7_prm_2"},{"values":["the Department's system of record for system inventory"],"param-id":"cm-8.2_prm_1"},{"values":["FSEA defined automated mechanisms"],"param-id":"cm-8.3_prm_1"},{"values":["mission essential functions (MEF), national essential functions (NEF), and"],"param-id":"cp-02.03_odp.01"},{"values":["system-level specified timeframes and metrics defined in the ISCP and BIA"],"param-id":"cp-02.03_odp.02"},{"values":["MEF and NEF, as documented within the Department Continuity of Operations Plan (COOP)"],"param-id":"cp-02.05_odp"},{"values":["critical and essential"],"param-id":"cp-02.08_odp"},{"values":["annually"],"param-id":"cp-02_odp.05"},{"values":["thirty (30) days"],"param-id":"cp-03_odp.01"},{"values":["Annually (i.e., each fiscal year)"],"param-id":"cp-03_odp.02"},{"values":["at least annually and following major system changes"],"param-id":"cp-04_odp.01"},{"values":["information system operations"],"param-id":"cp-07_odp.01"},{"values":["the time period defined in the system ISCP"],"param-id":"cp-07_odp.02"},{"values":["at least every 6 months"],"param-id":"cp-08.05_odp"},{"values":["information system operations"],"param-id":"cp-08_odp.01"},{"values":["the specified timeframes and metrics defined in the ISCP and BIA"],"param-id":"cp-08_odp.02"},{"values":["current response plans and all supporting documentation, critical system software (including operating systems, cryptographic key management systems, and intrusion detection/prevention systems), as well as copies of the system inventory (including hardware, software, and firmware components)"],"param-id":"cp-09.03_odp"},{"values":["all system backup information in storage at both primary and alternate locations when an alternate location is required and in place"],"param-id":"cp-09.08_odp"},{"values":["all system components in the authorization boundary"],"param-id":"cp-09_odp.01"},{"values":["all system components in the authorization boundary with incremental daily backups and monthly full backups or at a frequency consistent with the recovery time and recovery point objectives"],"param-id":"cp-09_odp.02"},{"values":["with incremental daily backups and monthly full backups or at a frequency consistent with the recovery time"],"param-id":"cp-09_odp.04"},{"values":["system-level specified recovery times and metrics defined in the ISCP and BIA"],"param-id":"cp-10.04_odp"},{"values":["system-level specified recovery times and metrics defined in the ISCP and BIA"],"param-id":"cp-10_prm_1"},{"values":["the ISO and the ISSO"],"param-id":"cp-2_prm_1"},{"values":["key contingency personnel, to include all response team personnel such as Telecommunications team"],"param-id":"cp-2_prm_2"},{"values":["ISSO, ISO, and other key contingency personnel"],"param-id":"cp-2_prm_4"},{"values":["Low-impact system: conduct annual tabletop exercise;","Moderate-impact system: conduct annual tabletop or functional exercise; and","High-impact systems conduct full-scale functional exercise to include system failover to the alternate location."],"param-id":"cp-4_prm_2"},{"values":["as needed but no less than annually"],"param-id":"cp-8.4_prm_1"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"cp-9.1_prm_1"},{"values":["at a transfer rate consistent with the specified timeframes and metrics defined in the ISCP and BIA"],"param-id":"cp-9.5_prm_1"},{"values":["remote"],"param-id":"ia-02.06_odp.01"},{"values":["privileged and non-privileged accounts"],"param-id":"ia-02.06_odp.02"},{"values":["Authenticator Assurance Level (AAL) 2 as defined by NIST SP 800-63"],"param-id":"ia-02.06_odp.03"},{"values":["privileged accounts and non- privileged accounts"],"param-id":"ia-02.08_odp"},{"values":["all devices"],"param-id":"ia-03.01_odp.01"},{"values":["a remote network"],"param-id":"ia-03.01_odp.02"},{"values":["Department authorized devices and system components"],"param-id":"ia-03_odp.01"},{"values":["local, remote, or network"],"param-id":"ia-03_odp.02"},{"values":["a federal employee (including unpaid positions), or contractor"],"param-id":"ia-04.04_odp"},{"values":["Information System Owners or authorized delegate"],"param-id":"ia-04_odp.01"},{"values":["one year"],"param-id":"ia-04_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"ia-05.01_odp.01"},{"values":["1. Passwords have a minimum length of 12 characters and must contain at least three types of characters"],"param-id":"ia-05.01_odp.02"},{"values":["different authenticators in different user authenticator domains to manage the risk of 1122 IInnffoorrmmaattiioonn TTeecchhnnoollooggyy ((IITT)) IIddeennttiiffiiccaattiioonn aanndd AAuutthheennttiiccaattiioonn ((IIAA)) SSttaannddaarrdd compromise due to individuals having accounts on multiple systems"],"param-id":"ia-05.08_odp"},{"values":["as defined in NIST SP 800-63"],"param-id":"ia-05.12_odp"},{"values":["baseline configuration (e.g., security technical implementation guides [STIGs]) defined time period"],"param-id":"ia-05.13_odp"},{"values":["in accordance with Federal Zero Trust Strategy, Department Zero Trust Architecture Strategy/Plan or 90 days when zero trust architecture is not implemented"],"param-id":"ia-05_odp.01"},{"values":["compromised, recovered/forgotten, or due to incident related events"],"param-id":"ia-05_odp.02"},{"values":["Federal Identity, Credential, and Access Management (FICAM) issued implementation profiles"],"param-id":"ia-08.04_odp"},{"values":["Required by zero trust architecture policies, standards, guidance, and memorandums provided by CISA, OMB and NIST;","Re-establishing authenticated access following activation of a device lock (e.g., screensaver);","Passwords are reset;","Privileged functions are executed; and","Periodic reauthentication time limits are met. For AAL 12 hours or 30 minutes inactivity; MAY use one authentication factor , For AAL 12 hours or 15 minutes inactivity; SHALL use both authentication factors."],"param-id":"ia-11_odp"},{"values":["methods which are consistent with the risks to the systems, roles, and privileges associated with the user’s account"],"param-id":"ia-12.03_odp"},{"values":["a registration code or notice of proofing"],"param-id":"ia-12.05_odp"},{"values":["thirty (30) days"],"param-id":"ir-02_odp.01"},{"values":["Annual refresher training thereafter"],"param-id":"ir-02_odp.02"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"ir-02_odp.03"},{"values":["events that may precipitate an update to incident response training content including, but not limited to","1. An incident response plan testing or response to an actual incident, to incorporate lessons learned.","2. Assessment or audit findings; or","3. Changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."],"param-id":"ir-02_odp.04"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"ir-03_odp.01"},{"values":["Tabletop or functional tests/checklist;","Strategic and tactical threat modeling;","Simulations;","Ad hoc penetration assessments; and","Other assessment methods identified and authorized by the Department."],"param-id":"ir-03_odp.02"},{"values":["FSEA Security Operations Center (EDSOC) automated mechanisms"],"param-id":"ir-04.01_odp"},{"values":["dynamic reconfiguration with the intent to reduce the window of time for a threat actor to maliciously exploit an incident"],"param-id":"ir-04.02_odp.01"},{"values":["identified critical system components"],"param-id":"ir-04.02_odp.02"},{"values":["interconnected external entities"],"param-id":"ir-04.08_odp.01"},{"values":["incident response requirements and reporting timelines, in accordance with United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines"],"param-id":"ir-04.08_odp.02"},{"values":["30 days or less based upon availability of staffing, funding, and tools"],"param-id":"ir-04.11_odp"},{"values":["FSEA approved automated mechanisms"],"param-id":"ir-06.01_odp"},{"values":["identified system personnel and EDSOC"],"param-id":"ir-06.02_odp"},{"values":["the EDSOC and ISSO"],"param-id":"ir-06_odp.02"},{"values":["FSEA approved automated mechanisms"],"param-id":"ir-07.01_odp"},{"values":["personnel responsible for SSP approval"],"param-id":"ir-08_odp.01"},{"values":["personnel responsible for SSP approval in accordance with the Department's required authorization documentation standards"],"param-id":"ir-08_odp.02"},{"values":["EDSOC"],"param-id":"ir-08_odp.03"},{"values":["at least annually"],"param-id":"ir-09.02_odp"},{"values":["activation of the contingency plan"],"param-id":"ir-09.03_odp"},{"values":["ensure the individuals are briefed and debriefed of the proper handling a processes for the information exposed to include governing laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the restrictions imposed based on the exposure to such information. approved and documented through the Department’s Risk Acceptance process. Deviations that introduce additional risks to the enterprise must be submitted through the Department Risk Acceptance Form (RAF) and must be approved by the FSEA CISO (as delegated). Requests must justify the reason for the deviation(s)/exception(s) as well as the compensating security controls implemented to secure the device or information, if applicable. Policy deviations that do not introduce additional risks do not need to be submitted through the Department RAF but will need to be approved by the Department CISO (as delegated)"],"param-id":"ir-09.04_odp"},{"values":["designated incident response personnel"],"param-id":"ir-09_odp.01"},{"values":["designated incident response personnel and EDSOC"],"param-id":"ir-09_odp.02"},{"values":["reporting to all appropriate internal and external entities based on the information spilled"],"param-id":"ir-09_odp.03"},{"values":["methodology within the Incident Response Plan (IRP)"],"param-id":"ir-5.1_prm_1"},{"values":["information the Department deems as sensitive, including but not limited to Personally Identifiable Information (PII), Sensitive PII, and Controlled Unclassified Information"],"param-id":"ma-02_odp.02"},{"values":["the date and time of maintenance","a description of the maintenance performed","names of the individuals or group performing the maintenance","name of the escort","system components or equipment that are removed or replaced"],"param-id":"ma-02_odp.03"},{"values":["the ISO, ISSO, or designated alternate"],"param-id":"ma-03.03_odp"},{"values":["multifactor authentication consistent with NIST SP 800-63 Digital Identity Guidelines requirements"],"param-id":"ma-04.04_odp"},{"values":["virtual private network (VPN) connection"],"param-id":"ma-04.06_odp"},{"values":["alternate security safeguards and/or Authorizing Official (AO) approved alternate controls defined in the security plan"],"param-id":"ma-05.01_odp"},{"values":["security critical information system components and/or essential information technology components"],"param-id":"ma-06_odp.01"},{"values":["system-level specified timeframes, defined in the System Security Plan (SSP), Information System Contingency Plan (ISCP), and Business Impact Analysis (BIA), of a failure"],"param-id":"ma-06_odp.02"},{"values":["FSEA approved automated mechanisms. Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed"],"param-id":"ma-2.2_prm_1"},{"values":["events defined in AU-02a"],"param-id":"ma-4.1_prm_1"},{"values":["digital media to include but not limited to diskettes; magnetic tapes; external/removable hard disk drives; flash drives' compact disks; and digital video disks and non-digital media to include but not limited to paper documents and microfilm"],"param-id":"mp-05_odp.01"},{"values":["Devices are purchased from manufacturers or vendors prior to initial use;","Unable to maintain a positive chain of custody for the devices."],"param-id":"mp-06.03_odp"},{"values":["the information system remotely"],"param-id":"mp-06.08_odp.01"},{"values":["the information system remotely; under the following conditions: the system or its component has been obtained by unauthorized individuals"],"param-id":"mp-06.08_odp.02"},{"values":["on all FSEA information systems"],"param-id":"mp-07_odp.03"},{"values":["Restrict"],"param-id":"mp-07_odp.02"},{"values":["non-FIPS 140-2 compliant digital storage devices, to include but not limited to backup media, removable media, and mobile devices"],"param-id":"mp-07_odp.01"},{"values":["technical and nontechnical controls"],"param-id":"mp-07_odp.04"},{"values":["digital media"],"param-id":"mp-2_prm_1"},{"values":["include but not limited to diskettes; magnetic tapes; external/removable hard disk drives; flash drives' compact disks; and digital video disks and non- digital media to include but not limited to paper documents and microfilm to FSEA approved personnel and roles"],"param-id":"mp-2_prm_2"},{"values":["digital media to include but not limited to diskettes; magnetic tapes; external/removable hard disk drives; flash drives' compact disks; and digital video disks and non-digital media to include but not limited to: paper documents and microfilm"],"param-id":"mp-4_prm_1"},{"values":["FSEA secure/controlled facilities"],"param-id":"mp-4_prm_2"},{"values":["a FIPS 140-2 validated encryption module/mechanism for digital assets and locked containers for physical assets"],"param-id":"mp-5_prm_2"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"mp-6.2_prm_1"},{"values":["all digital and non-digital information system media"],"param-id":"mp-6_prm_1"},{"values":["the current version of NIST SP 80088, Guidelines for Media Sanitization, techniques and procedures to include, but not limited to: clearing; purging; cryptographic erase; de-identification of personally identifiable information; and destruction"],"param-id":"mp-6_prm_2"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"pe-02_odp"},{"values":["designated entry/exit facility access points and interior access points to the system and components"],"param-id":"pe-03.01_odp"},{"values":["at least daily"],"param-id":"pe-03.02_odp"},{"values":["designated entry/exit facility access points and interior access points to the system and components"],"param-id":"pe-03_odp.01"},{"values":["physical access devices such as keys, locks, combinations, biometric readers, card readers, devices and/or guards based upon an assessment of risk"],"param-id":"pe-03_odp.02"},{"values":["all facility entry/exit points"],"param-id":"pe-03_odp.04"},{"values":["for individuals requiring visitor escorts and monitoring in non-public areas"],"param-id":"pe-03_odp.06"},{"values":["all physical devices"],"param-id":"pe-03_odp.07"},{"values":["fiscal year (at least annually)"],"param-id":"pe-03_odp.08"},{"values":["system distribution and transmission lines to include network circuits from the areas within the facility designated for housing the system components"],"param-id":"pe-04_odp.01"},{"values":["physical security safeguards to include but not limited to locked wiring closets; disconnected or locked spare jacks; and/or protection of cabling by conduit or cable trays"],"param-id":"pe-04_odp.02"},{"values":["devices (e.g., monitors, printers, scanners, audio devices, facsimile machines, copiers, etc.) connected to information systems processing sensitive information"],"param-id":"pe-05_odp"},{"values":["facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, and server rooms and media storage areas"],"param-id":"pe-06.04_odp"},{"values":["as needed"],"param-id":"pe-06_odp.01"},{"values":["events or potential indications of events including, but not limited to, suspicious physical activities such as excessive access outside of normal work hours, repeated access to areas not normally accessed, out of sequence access"],"param-id":"pe-06_odp.02"},{"values":["visitor first and last name, organization, purpose of visit, dates/times of visit, as well as first and last name of facility escort"],"param-id":"pe-08.03_odp"},{"values":["at least three (3) years"],"param-id":"pe-08_odp.01"},{"values":["on an as needed basis"],"param-id":"pe-08_odp.02"},{"values":["facility security staff, ISO and ISSO"],"param-id":"pe-08_odp.03"},{"values":["information systems or individual system components"],"param-id":"pe-10_odp.01"},{"values":["facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, and server rooms)"],"param-id":"pe-10_odp.02"},{"values":["automatically"],"param-id":"pe-11.01_odp"},{"values":["an orderly shutdown of the information system and/or transition of the information system to long-term alternate power"],"param-id":"pe-11_odp"},{"values":["facility personnel or roles with facility management"],"param-id":"pe-13.01_odp.01"},{"values":["/or physical security responsibilities and emergency responders (e.g., Police and Fire Department)"],"param-id":"pe-13.01_odp.02"},{"values":["facility personnel or roles with facility management and/or physical security responsibilities"],"param-id":"pe-13.02_odp.01"},{"values":["emergency responders (e.g., Police and Fire Department)"],"param-id":"pe-13.02_odp.02"},{"values":["identified personnel or roles"],"param-id":"pe-14.02_odp"},{"values":["temperature and humidity"],"param-id":"pe-14_odp.01"},{"values":["acceptable levels which ensure systems and equipment operate within vendor recommended limits, if any, and ranges consistent with American Society of Heating, Refrigerating and Air- conditioning Engineers (ASHRAE) guidelines for temperature and humidity"],"param-id":"pe-14_odp.03"},{"values":["continuously"],"param-id":"pe-14_odp.04"},{"values":["FSEA designated personnel or roles with Physical Security Program responsibilities"],"param-id":"pe-15.01_odp.01"},{"values":["FSEA approved automated mechanisms such as notification systems, water detection sensors and alarms"],"param-id":"pe-15.01_odp.02"},{"values":["all information system components"],"param-id":"pe-16_prm_1"},{"values":["FSEA approved alternate work sites"],"param-id":"pe-17_odp.01"},{"values":["controls defined within FSEA directives, policies, including but not limited to ACSD-OCIO-004 Cybersecurity Policy, ACSD-OCIO- 00213, Controlled Unclassified Information Program"],"param-id":"pe-17_odp.02"},{"values":["physical and environmental hazards"],"param-id":"pe-18_odp"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"pe-3_prm_9"},{"values":["available, FSEA approved automated mechanisms such as database management systems which are accessible by Department personnel"],"param-id":"pe-8.1_prm_1"},{"values":["personnel with cybersecurity and privacy responsibilities, including but not limited to the Authorizing Official (AO) or AO delegate, ISSO, and ISO"],"param-id":"pl-02_odp.02"},{"values":["at least annually or when a major change occurs to the system"],"param-id":"pl-02_odp.03"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pl-04_odp.01"},{"values":["when the rules are revised or updated"],"param-id":"pl-04_odp.02"},{"values":["multiple layers of security"],"param-id":"pl-08.01_odp.01"},{"values":["information systems processing business-sensitive information or are classified as an HVA"],"param-id":"pl-08.01_odp.02"},{"values":["at least annually (e.g., each fiscal year) and as necessary, in conjunction with SSP reviews and updates, to reflect changes in the enterprise architecture"],"param-id":"pl-08_odp"},{"values":["planning, implementing, assessing, authorizing, and monitoring of common and hybrid (e.g., inherited) controls within the Department's enterprise GRCT"],"param-id":"pl-09_odp"},{"values":["quarterly"],"param-id":"pm-05.01_odp"},{"values":["quarterly"],"param-id":"pm-05_odp"},{"values":["non-essential functions or services, as feasible"],"param-id":"pm-07.01_odp"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-09_odp"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-11_odp"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-17_prm_1"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-18_odp"},{"values":["roles defined in the FSEA Data Governance Board (DGB) Charter, led by the Chief Data Officer (CDO)"],"param-id":"pm-23_odp.01"},{"values":["responsibilities as defined in the FSEA DGB Charter"],"param-id":"pm-23_odp.02"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-25_prm_1"},{"values":["7 days"],"param-id":"pm-26_odp.03"},{"values":["45 days"],"param-id":"pm-26_odp.04"},{"values":["30 days"],"param-id":"pm-26_prm_1"},{"values":["privacy reports"],"param-id":"pm-27_odp.01"},{"values":["OMB, US Congress"],"param-id":"pm-27_odp.02"},{"values":["Inspector General and other officials as required"],"param-id":"pm-27_odp.03"},{"values":["annually"],"param-id":"pm-27_odp.04"},{"values":["the CIO, CISO, Chief Privacy Officer (CPO)/SAOP, and mission/business owners"],"param-id":"pm-28_odp.01"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-28_odp.02"},{"values":["metrics as defined in IAS Information Security Continuous Monitoring (ISCM) Roadmap"],"param-id":"pm-31_odp.01"},{"values":["at least monthly for monitoring"],"param-id":"pm-31_odp.02"},{"values":["annually (i.e., each fiscal year) for assessment of control effectiveness"],"param-id":"pm-31_odp.03"},{"values":["CISO, CPO/SAOP"],"param-id":"pm-31_prm_4"},{"values":["CISO, CPO/SAOP monthly"],"param-id":"pm-31_prm_5"},{"values":["all FISMA information systems and services"],"param-id":"pm-32_odp"},{"values":["authority as defined in the Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), and/or System of Records Notice (SORN) for the system"],"param-id":"pt-02_odp.01"},{"values":["processing"],"param-id":"pt-02_odp.02"},{"values":["processing as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-02_odp.03"},{"values":["personally identifiable information elements defined in the PTA, PIA, and/or SORN: regulating, controlling, and processing personally identifiable information identified in the PTA, PIA, and/or SORN by the information system"],"param-id":"pt-03.01_odp.01"},{"values":["personally identifiable information elements defined in the PTA, PIA, and/or SORN"],"param-id":"pt-03.01_odp.02"},{"values":["an automated tool"],"param-id":"pt-03.02_odp"},{"values":["purposes"],"param-id":"pt-03_odp.01"},{"values":["processing"],"param-id":"pt-03_odp.02"},{"values":["mechanisms as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-03_odp.03"},{"values":["existing FSEA privacy policies"],"param-id":"pt-03_odp.04"},{"values":["mechanisms as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-04.01_odp"},{"values":["mechanisms as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-04.02_odp.01"},{"values":["the point of collection"],"param-id":"pt-04.02_odp.02"},{"values":["personally identifiable information processing as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-04.02_odp.03"},{"values":["mechanisms as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-04.03_odp"},{"values":["mechanisms as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-04_odp"},{"values":["immediately prior to the point of collection"],"param-id":"pt-05.01_odp"},{"values":["the point when changes to the processing of PII requires notification"],"param-id":"pt-05_odp.01"},{"values":["other information as stated in the PTA, PIA, and/or SORN"],"param-id":"pt-05_odp.02"},{"values":["least biennially"],"param-id":"pt-06.01_odp"},{"values":["least biennially"],"param-id":"pt-06.02_odp"},{"values":["any processing conditions as defined in the PTA, PIA, and/or SORN"],"param-id":"pt-07_odp"},{"values":["FSEA systems, components, and services as defined in the FSEA Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Roadmap"],"param-id":"ra-03.01_odp.01"},{"values":["annually or as defined in the FSEA ICT SCRM Roadmap and Plan or the Department’s Supply Chain Risk Management standard"],"param-id":"ra-03.01_odp.02"},{"values":["the Security Assessment Report (SAR), Privacy Impact Assessment (PIA), when a PIA is required, and the Facility Risk Assessment Report, which is required when a system is deployed in a traditional, non-cloud-based datacenter or hosting environment"],"param-id":"ra-03_odp.01"},{"values":["annually or whenever an update to the risk assessment is made"],"param-id":"ra-03_odp.03"},{"values":["the AO, CISO, SAOP, ISO, and ISSO"],"param-id":"ra-03_odp.04"},{"values":["in accordance with the frequency defined in Department policy for each risk result documentation type"],"param-id":"ra-03_odp.05"},{"values":["no more than 24 hours prior to conducting a scan and in accordance with each tool's vendor data definition releases"],"param-id":"ra-05.02_odp.01"},{"values":["the following actions","a. Notify the ISO and ISSO, move or obfuscate the discoverable information or take other actions, as appropriate","b. Share the discoverable information with the FSEA Security Operations Center (EDSOC) within one (1) hour of identification if it is determined that knowledge of the discoverable information could be detrimental to a system's security posture."],"param-id":"ra-05.04_odp"},{"values":["all in"],"param-id":"ra-05.05_odp.01"},{"values":["mation system components as applicable (e.g., operating system, database, web application, containers, etc.) for all vulnerability scanning activities"],"param-id":"ra-05.05_odp.02"},{"values":["the implemented automated scanning capability"],"param-id":"ra-05.06_odp"},{"values":["all FISMA reportable systems and critical system components initially"],"param-id":"ra-09_odp.01"},{"values":["the system design/architectural design phase of the Enterprise Program Management Review Framework (EPMR) and continuously through the entire lifecycle, including operations and maintenance (O&M) phase if there are significant system changes impacting criticality of system components. approved and documented through the Department’s Risk Acceptance process. Deviations that introduce additional risks to the enterprise must be submitted through the Department Risk Acceptance Form (RAF) and must be approved by the FSEA CISO (as delegated). Requests must justify the reason for the deviation(s)/exception(s) as well as the compensating security controls implemented to secure the device or information, if applicable. Policy deviations that do not introduce additional risks do not need to be submitted through the Department RAF but will need to be approved by the Department CISO (as delegated)"],"param-id":"ra-09_odp.02"},{"values":["in accordance with"],"param-id":"ra-5_prm_1"},{"values":["ACSD-OCIO-00710, Lifecycle Management (LCM) Framework and associated Enterprise Program Management Review (EPMR) Framework"],"param-id":"sa-03_odp"},{"values":["security-relevant external system interfaces; high-level design; low-level design; source code (only if applicable) or hardware schematics; and information and information sensitivity"],"param-id":"sa-04.02_odp.01"},{"values":["level of detail necessary to permit analysis and testing"],"param-id":"sa-04.02_odp.03"},{"values":["FSEA approved security configurations consistent with the Department's baseline security and privacy configuration settings, as defined in the Information Technology (IT) Configuration Management (CM) Standard"],"param-id":"sa-04.05_odp"},{"values":["7 calendar days prior to contract termination"],"param-id":"sa-04.12_odp"},{"values":["Security and Privacy Requirements for IT Procurements"],"param-id":"sa-04_odp.01"},{"values":["action to create documentation if such documentation is essential to the effective implementation or operation of security controls"],"param-id":"sa-05_odp.01"},{"values":["ISO and ISSO; in addition, distribute to other personnel with a need to know when required by contract or to provide system support"],"param-id":"sa-05_odp.02"},{"values":["processes consistent with applicable laws and policies which ensure systems only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and only maintain personally identifiable information for as long as is necessary to accomplish the purpose"],"param-id":"sa-08.33_odp"},{"values":["a designated Department official"],"param-id":"sa-09.01_odp"},{"values":["all FSEA information systems and services which require an ATO"],"param-id":"sa-09.02_odp"},{"values":["information or data and system services"],"param-id":"sa-09.05_odp.01"},{"values":["the U.S. and its territories"],"param-id":"sa-09.05_odp.02"},{"values":["Department Information Security and Privacy Requirements, as amended"],"param-id":"sa-09.05_odp.03"},{"values":["the ED-defined baseline security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance"],"param-id":"sa-09_odp.01"},{"values":["as specified in Security and Privacy Requirements for IT Procurements document and applicable external system services documentation to include service level agreements (SLAs)"],"param-id":"sa-09_odp.02"},{"values":["designated security and privacy representatives"],"param-id":"sa-10.7_prm_1"},{"values":["configuration change management and control process"],"param-id":"sa-10.7_prm_2"},{"values":["design, development, implementation, operations, and disposal phases"],"param-id":"sa-10_odp.01"},{"values":["FSEA defined configuration management items to include but not limited to : the formal model; the functional, high- level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation; software release files; and provenance data"],"param-id":"sa-10_odp.02"},{"values":["the ISO and ISSO"],"param-id":"sa-10_odp.03"},{"values":["unit, integration, system, and/or regression"],"param-id":"sa-11_odp.01"},{"values":["as defined in the configur"],"param-id":"sa-11_odp.02"},{"values":["ion management plan at a depth and coverage necessary to ensure that required security controls are implemented correctly and operating as intended"],"param-id":"sa-11_odp.03"},{"values":["initially at the system design/architectural design phase of the EPMR and continuously through the entire lifecycle, including Operations and Maintenance (O&M) phase if there are significant system changes impacting criticality of system components"],"param-id":"sa-15.03_odp.01"},{"values":["FSEA approved breadth and depth of criticality analysis"],"param-id":"sa-15.3_prm_2"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"sa-15_odp.01"},{"values":["Security and Privacy Requirements for IT Procurements"],"param-id":"sa-15_prm_2"},{"values":["FSEA approved training to ensure the effectiveness of security controls implemented within FSEA information systems"],"param-id":"sa-16_odp"},{"values":["any information system, component, or service where the developer needs direct access to the FSEA managed environment"],"param-id":"sa-21_odp.01"},{"values":["ISO and ISSO"],"param-id":"sa-21_odp.02"},{"values":["in accordance with ACSD- OFO-01312, Contractor Employee Personnel Security Screening, and/or FSEA defined contractor personnel screening criteria as defined in Information Technology (IT) System Personnel Security Standard"],"param-id":"sa-21_odp.03"},{"values":["Must be replaced unless extended support is obtained from either the component developer or third-party service supplier certified by the original component developer;","Risk acceptance (exceptions and/or waivers) signed by the FSEA Authorizing Official (AO) are required for continued use of unsupported system components required to satisfy mission/business needs."],"param-id":"sa-22_odp.01"},{"values":["principles, concepts, activities, and tasks for engineering trustworthy secure systems contained within the current version of SP 800-160 Vol. 1 Rev. 1, Engineering Trustworthy Secure Systems and the NIST Secure Software Development Framework (SSDF) FSEA defined systems security and privacy engineering principles as documented in the FSEA Technical Security Architecture"],"param-id":"sa-8_prm_1"},{"values":["Department Information Security and Privacy Requirements, as amended"],"param-id":"sa-9.3_prm_1"},{"values":["connect and transmit arbitrary information on the transport medium and use excessive system resources"],"param-id":"sc-05.01_odp"},{"values":["inspection tools to detect DoS anomalies both at the perimeter of the authorization boundary as well as inside the authorization boundary on access control points that form isolation zones"],"param-id":"sc-05.03_odp.01"},{"values":["defined system resources as required for each isolation zone based on a risk assessment"],"param-id":"sc-05.03_odp.02"},{"values":["including but not limited to teardrop; SYN (synchronize) flood; Smurf (internet control message protocol [ICMP]) flood; Ping flood; Ping of death; peer-to-peer attacks; and application-level floods. Refer to the current version of NIST SP 800-61, Computer Security Incident Handling Guide, and United States Computer Emergency Readiness Team (US-CERT) for additional guidance on the types of denial-of-service (DoS) events"],"param-id":"sc-05_odp.01"},{"values":["Protect against or limit"],"param-id":"sc-05_odp.02"},{"values":["Department approved security safeguards including but not limited to boundary protection devices; increased network capacity and bandwidth; service redundancy"],"param-id":"sc-05_odp.03"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"sc-07.04_odp"},{"values":["at managed interfaces; except for Managed Trusted Internet Provider Services (MTIPS) and when all traffic is encrypted and authenticated using zero trust architectures"],"param-id":"sc-07.05_odp.01"},{"values":["Department approved security safeguards, (i.e., adequately provisioned virtual private network [VPN])"],"param-id":"sc-07.07_odp"},{"values":["approved and defined internal communications traffic"],"param-id":"sc-07.08_odp.01"},{"values":["approved and defined external networks"],"param-id":"sc-07.08_odp.02"},{"values":["at least semi-annually"],"param-id":"sc-07.10_odp"},{"values":["documented (e.g., interconnection security agreements, service level agreements, memorandums of understanding) organization authorized sources"],"param-id":"sc-07.11_odp.01"},{"values":["documented (e.g., interconnection security agreements, service level agreements, memorandums of understanding) organization authorized destinations"],"param-id":"sc-07.11_odp.02"},{"values":["monitored host-based boundary protection mechanisms (e.g., firewall, host-based intrusion detection system, host-based intrusion prevention system"],"param-id":"sc-07.12_odp.01"},{"values":["access points and end point equipment)"],"param-id":"sc-07.12_odp.02"},{"values":["defined managed interfaces as deemed necessary in a facility physical environment risk assessment"],"param-id":"sc-07.14_odp"},{"values":["business/mission identified system components"],"param-id":"sc-07.20_odp"},{"values":["all information system components"],"param-id":"sc-07.21_odp.01"},{"values":["sensitive Department mission or business functions"],"param-id":"sc-07.21_odp.02"},{"values":["use only as authorized by the Privacy Act of 1974, the relevant System of Records Notice (SORN), and other applicable law, regulation or government-wide policy"],"param-id":"sc-07.24_odp"},{"values":["physically and logically"],"param-id":"sc-07_odp"},{"values":["prevent unauthorized disclosure of information and detect changes to information"],"param-id":"sc-08.01_odp"},{"values":["confidentiality and integrity"],"param-id":"sc-08_odp"},{"values":["FSEA zero trust architecture configured parameters or networks not connected through FSEA SASE (e.g., VPNs) and has exceeded twelve (12) hours"],"param-id":"sc-10_odp"},{"values":["applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance including NIST SP 800 133R and FIPS PUB 140-2/3 for key generation, distribution, storage, access, and destruction"],"param-id":"sc-12_odp"},{"values":["cryptographic uses including but not limited to the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals, and random number and hash generation"],"param-id":"sc-13_odp.01"},{"values":["non-deprecated FIPS-validated or National Security Agency (NSA)-approved cryptography"],"param-id":"sc-13_odp.02"},{"values":["collaboration meetings that involve sensitive information (e.g., federal tax return information, personally identifiable information)"],"param-id":"sc-15.04_odp"},{"values":["collaborative computing devices and applications authorized for use by the Department"],"param-id":"sc-15_odp"},{"values":["unacceptable mobile code"],"param-id":"sc-18.01_odp.01"},{"values":["corrective actions (e.g., blocking, quarantine, alerting administrators)"],"param-id":"sc-18.01_odp.02"},{"values":["all applicable security and privacy requirements"],"param-id":"sc-18.02_odp"},{"values":["software applications"],"param-id":"sc-18.04_odp.01"},{"values":["authentication and logging actions"],"param-id":"sc-18.04_odp.02"},{"values":["system defined randomness requirements"],"param-id":"sc-23.03_odp"},{"values":["agency approved certificate authorities"],"param-id":"sc-23.05_odp"},{"values":["Information system-defined types of failures and system components, as determined by ISO and ISSO"],"param-id":"sc-24_odp.01"},{"values":["n information system-defined approved known state, as determined by ISO and ISSO"],"param-id":"sc-24_odp.02"},{"values":["information system-defined state information, as determined by ISO and ISSO"],"param-id":"sc-24_odp.03"},{"values":["GFES or non-GFES (contractor-owned) equipment including internal or external hard disk drives, external USB drives, shared files/folders, storage area network devices, and databases for all sensitive information"],"param-id":"sc-28.01_odp.01"},{"values":["GFES or non-GFES (contractor-owned) equipment including internal or external hard disk drives, external USB drives, shared files/folders, storage area network devices, and databases"],"param-id":"sc-28.01_odp.02"},{"values":["confidentiality and integrity"],"param-id":"sc-28_odp.01"},{"values":["all sensitive information (i.e., data) stored either on Government Furnished Equipment and Services (GFES) or non-GFES (contractor-owned) equipment including but not limited to internal or external hard disk drives, external universal serial bus (USB) drives, shared files/folders, storage area network devices, and databases"],"param-id":"sc-28_odp.02"},{"values":["hourly"],"param-id":"sc-45.01_odp.01"},{"values":["an approved authoritative time source"],"param-id":"sc-45.01_odp.02"},{"values":["one second"],"param-id":"sc-45.01_odp.03"},{"values":["ED-approved automated mechanisms"],"param-id":"si-02.02_odp.01"},{"values":["ED-approved automated mechanisms at least monthly"],"param-id":"si-02.02_odp.02"},{"values":["security-relevant software and firmware updates"],"param-id":"si-02.05_odp.01"},{"values":["all systems"],"param-id":"si-02.05_odp.02"},{"values":["security-relevant software and firmware components"],"param-id":"si-02.06_odp"},{"values":["a timeline in accordance with Department policies and standards, the criticality of the updates, risk to the Department, prioritization of resources, and as required to comply with DHS CISA/OMB requirements for flaw remediation and patching"],"param-id":"si-02_odp"},{"values":["signature-based and non-signature-based"],"param-id":"si-03_odp.01"},{"values":["at least weekly"],"param-id":"si-03_odp.02"},{"values":["endpoint and network entry and exit points"],"param-id":"si-03_odp.03"},{"values":["Block or quarantine malicious code"],"param-id":"si-03_odp.04"},{"values":["the FSEA Security Operations Center (EDSOC) and when feasible, to system administrators, ISO, ISSO or other personnel assigned to serve in incident response roles"],"param-id":"si-03_odp.06"},{"values":["personnel with incident response, system administration, monitoring, and/or security responsibilities"],"param-id":"si-04.05_odp.01"},{"values":["FSEA defined list of compromised indicators or indications that the system's integrity has been breached including, but not limited to:","Protected system files or directories have been modified without notification from the appropriate change/configuration management channels.","System performance indicates resource consumption that is inconsistent with expected operating conditions.","Auditing functionality has been disabled or modified to reduce audit visibility.","Audit or log records have been deleted or modified without explanation.","The system is raising alerts or faults that indicate the presence of an abnormal condition.","Resource or service requests are initiated from clients outside the expected client membership set.","The system reports failed logins or administrative or key service account password changes.","Processes and services running outside of the baseline system profile.","Utilities, tools, or scripts have been saved or installed on production systems without clear indication of their use or purpose."],"param-id":"si-04.05_odp.02"},{"values":["ED-approved encrypted communications traffic"],"param-id":"si-04.10_odp.01"},{"values":["ED-approved system monitoring tools and mechanisms"],"param-id":"si-04.10_odp.02"},{"values":["personnel with incident response, system administration, monitoring, and/or security responsibilities, including but not limited to EDSOC and system administrators"],"param-id":"si-04.12_odp.01"},{"values":["ED- authorized automated mechanisms, including e-mail"],"param-id":"si-04.12_odp.02"},{"values":["activities that trigger alerts"],"param-id":"si-04.12_odp.03"},{"values":["strategic interior points within the system, such as boundary protection devices isolating the tiers (enclaves or application)"],"param-id":"si-04.18_odp"},{"values":["Privileged Account Management (PAM) sufficient to provide nonrepudiation for administrative actions (when technically feasible); device compliance authorization; locational account lockouts; statistical and analytical review of privileged user activity; multifactor authentication (MFA) misuse; naming policy compliance; date and time (normal operation time); and other logging requirements noted in OMB Memorandum M-21-31, dated August 27, 2021 or successor as appropriate"],"param-id":"si-04.20_odp"},{"values":["FSEA authorization or approval processes"],"param-id":"si-04.22_odp.01"},{"values":["Audit and alert personnel perform system and/or network monitoring"],"param-id":"si-04.22_odp.02"},{"values":["Implement host-based monitoring mechanisms at servers, notebook computers, and mobile devices: authorized host-based monitoring tools and solutions"],"param-id":"si-04.23_odp.01"},{"values":["government and non- government sources to identified personnel or roles"],"param-id":"si-04.24_odp.01"},{"values":["FSEA IT/Cybersecurity monitoring objectives as defined in FSEA Information Security Continuous Monitoring Roadmap"],"param-id":"si-04_odp.01"},{"values":["FSEA approved security safeguards including but not limited to endpoint detection and response tools, continuous monitoring, vulnerability scans, malicious code protection mechanisms, intrusion detection or prevention mechanisms, and/or boundary protection devices such as firewalls, gateways, and routers"],"param-id":"si-04_odp.02"},{"values":["FSEA approved information system moni"],"param-id":"si-04_odp.03"},{"values":["the ISO and ISSO who distribute the information to DHS CISA, and other personnel with system administration, monitoring, and/or security responsibilities"],"param-id":"si-04_odp.04"},{"values":["ring output to the ISO and ISSO who distribute the information to DHS CISA, and other personnel with system administration, monitoring, and/or security responsibilities as needed and in accordance with Department policy"],"param-id":"si-04_odp.05"},{"values":["ED-approved automated mechanisms, including but not limited to e-mail"],"param-id":"si-05.01_odp"},{"values":["EDSOC (e.g., FSEA alerts, advisories and directives as well as alerts and advisories received by FSEA from the CISA, OMB, etc.) as well as from external organizations, when appropriate and available, such as supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations"],"param-id":"si-05_odp.01"},{"values":["all staff with system administration, monitoring, and/or security responsibilities including, but not limited to, Principal Offices, ISO, and ISSO"],"param-id":"si-05_odp.02"},{"values":["on system startup, restart; and/or abort; upon command by user with appropriate privilege; every 7 days"],"param-id":"si-06_odp.03"},{"values":["designated FSEA personnel with information security and/or privacy responsibilities (e.g., System administrators, ISSO)"],"param-id":"si-06_odp.06"},{"values":["Shut down or restart the information system and notify system administrators, security personnel, and/or privacy personnel"],"param-id":"si-06_odp.07"},{"values":["initiate ED-approved incident response process"],"param-id":"si-07.05_odp.01"},{"values":["changes to established configuration settings and unauthorized elevation of system privileges. 2.7.5 SI—07(10) Software, Firmware, and Information Integrity | Protection of Boot Firmware Implement the following mechanisms to protect the integrity of boot firmware in system components: verifying the checksum of downloaded firmware"],"param-id":"si-07.07_odp"},{"values":["daily or when updates are made available from product vendor"],"param-id":"si-08.02_odp"},{"values":["character set, length, numerical range, and acceptable values to verify that they match specified definitions for format and content, both for manual user inputs and automated inputs"],"param-id":"si-10_odp"},{"values":["authorized FSEA personnel"],"param-id":"si-11_odp"},{"values":["Approved techniques such as collecting the minimum identity data needed, de-identifying data as soon as possible after collection, and/or separating data elements into coded data set, and an identity-only data set; using encryption if identifiable information is","a. stored on a networked computer or device;","b. transmitted over a network; and/or","c. stored on a removable medium (e.g., laptop computer or a universal serial bus [USB] flash drive); and limiting access to personally identifiable information."],"param-id":"si-12.2_prm_1"},{"values":["in accordance with the current version of NIST SP 800-88"],"param-id":"si-12.3_prm_1"},{"values":["ED-approved security safeguards to include but not limited to hardware or software-based data execution prevention and address space layout randomization"],"param-id":"si-16_odp"},{"values":["at least annually (i.e., each fiscal year)"],"param-id":"si-18_prm_1"},{"values":["PII and Sensitive PII"],"param-id":"si-19_odp.01"},{"values":["at least annually (i.e., each fiscal year) for the effectiveness of de-identification. introducing additional risks to the enterprise must be submitted through the Department Risk Acceptance Form (RAF) and approved by the FSEA CISO (as delegated). Requests must justify the reason for the deviation(s)/exception(s) and the compensating security controls implemented to secure the device or information, if applicable. Policy deviations that do not introduce additional risks do not need to be submitted through the Department RAF but must be approved by the Department CISO (as delegated). ACSD Administrative Communications System Directives BIOS Basic Input/Output System BOD Binding Operational Directive"],"param-id":"si-19_odp.02"},{"values":["continuously"],"param-id":"si-4.4_prm_1"},{"values":["unusual or unauthorized activities or conditions"],"param-id":"si-4.4_prm_2"},{"values":["security and privacy functions"],"param-id":"si-6_prm_1"},{"values":["software, firmware, and information within FSEA information systems"],"param-id":"si-7.1_prm_1"},{"values":["software, firmware, and information within FSEA information systems at startup or restart, when configuration changes or security-relevant events occur when a new threat is identified to which the information system is susceptible, and when new hardware is installed at least monthly"],"param-id":"si-7.1_prm_2"},{"values":["ED-authorized software, firmware, and information included, but not limited to, system kernels, drivers, firmware (e.g., basic input/output system [BIOS]) software (e.g., operating system [OS], applications, middleware) and security attributes"],"param-id":"si-7_prm_1"},{"values":["Supply Chain Risk Management (SCRM) Senior Agency Official, Information and Communications Technology (ICT) SCRM Program Manager, ICT SCRM Team, CISO, CIO, ISSO, ISO, Contracting Officer (CO) and Contracting Officer’s Representative (COR)"],"param-id":"sr-02.01_odp.01"},{"values":["Frame ICT SCRM risks based upon FSEA risk tolerance levels and multi-tiered risk management roles and responsibilities at the organizational, mission, and information system level;","Assess ICT SCRM risks based upon current version of NIST SP 800-30, Committee on National Security Systems Instruction (CNSSI) 4009, NIST SP 800-53, and other assessment methodologies when identified and authorized for use by the Department;","Respond to ICT SCRM risks by following the FSEA Plan of Actions and Milestones (POA&M) process; and","Monitor ICT SCRM risks in accordance with the current version of NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations guidance, Department risk tolerance levels, and the re-assessment preconditions defined by the Department."],"param-id":"sr-02.01_odp.02"},{"values":["within the Department's FISMA inventory; and"],"param-id":"sr-02_odp.01"},{"values":["annually (i.e., each fiscal year)"],"param-id":"sr-02_odp.02"},{"values":["Security controls may include:","Supply Chain Redundancy – Procuring from or the ability to procure from several vendors to prevent supply issues;","Scrutiny of Adversarial Products – Be aware of products manufactured, assembled, or shipped through adversarial countries and the possibility of tampering with controls to mitigate;","Evaluation of Suppliers – Ensure the vendors used are well established, credible, and enable an acceptance level of fault tolerance; and/or","Regular Assessments – Suppliers agree to cooperate with FSEA regarding risk assessment audits and inspections to ensure ongoing compliance in alignment with FSEA risk appetite and tolerance levels; and","In the event of an incident attributable to a failure in these security measures, the responsible party shall immediately take steps to limit the harm and prevent future incidents;","Notification shall occur for all impacted parties, as well as initiating an investigation, and the implementation of corrective and enhanced protocols as a result; and","FSEA and contractors agree to a collaborative approach in strengthening supply chain defenses and responding effectively to security threats. The contractor agrees to cooperate with FSEA regarding audits and inspections to ensure ongoing compliance."],"param-id":"sr-03.02_odp"},{"values":["Department systems and their components"],"param-id":"sr-03_odp.01"},{"values":["Department enterprise and mission stakeholders defined within the ICT SCRM Roadmap"],"param-id":"sr-03_odp.02"},{"values":["Department organizationally defined controls detailed in the FSEA ICT SCRM Strategy"],"param-id":"sr-03_odp.03"},{"values":["the system security plan"],"param-id":"sr-03_odp.04"},{"values":["all hardware components"],"param-id":"sr-04.02_odp"},{"values":["Contractor attestation of conformance to current version of NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations and Section 889 of the FY 2019 National Defense Authorization Act (NDAA) Part B; Contractor reporting of supply chain cyber incidents to FSEA Security Operations Center (EDSOC); Contractor compliance with Executive Order (EO) 14028, Improving the Nation’s Cybersecurity; and FSEA ICT SCRM stakeholder training"],"param-id":"sr-05_odp"},{"values":["annually (i.e., each fiscal year) or upon the identification of evolving threats, issuance of new or significantly changed existing Federal laws, executive orders, directives, regulations, and Department policies, identification of emerging technology and information technology service delivery models and determination that adjustments are deemed necessary to improve its effectiveness based upon feedback from Principal Office personnel"],"param-id":"sr-06_odp"},{"values":["notification of supply chain compromises; results of assessments or audits; for all instances of IT system compromises impacting Department systems"],"param-id":"sr-08_odp.01"},{"values":["the inspection of systems or components, inspections of packaging modifications, review of delivery invoices, and other physical properties for indications of a potential compromise will address physical and logical tampering. Software hashes will be inspected and the SSDF attestation, artifacts, and SBOM reviewed prior to use"],"param-id":"sr-10_odp.01"},{"values":["software and hardware documented in the system inventory, annually (i.e., each fiscal year), or upon indications of need for inspection by the ICT SCRM Team. Information System Owners, Information System Security Officers or other authorized system stakeholders, including contractor personnel, will inspect deliverables prior to use and consult with the ICT SCRM Team as needed"],"param-id":"sr-10_odp.02"},{"values":["Information System Owners, Information System Security Officers, and others responsible for hardware and software inventories"],"param-id":"sr-11.01_odp"},{"values":["All components"],"param-id":"sr-11.02_odp"},{"values":["the EDSOC, ICT SCRM Team, and ISSO for further action"],"param-id":"sr-11_odp.01"},{"values":["data, documentation (paper-based and digital files), tools, and system components throughout the system development lifecycle"],"param-id":"sr-12_odp.01"},{"values":["Enterprise Review Board Checklist, System Retirement Plan, Information Technology (IT) Media Protection (MP) Standard and the current version of NIST SP 800-88, Guidelines for Media Sanitization"],"param-id":"sr-12_odp.02"},{"values":["All hardware and software brought into the environment must be certified as genuine and unaltered from original state by the supplier;","Supplier guarantees all products are sourced directly from authorized manufacturers or distributors and have not been modified in any way;","Supplier shall provide adequate documentation to confirm authenticity and integrity of the products;","When a product is found not to be genuine and/or compliant with FSEA standards, the supplier, at their own expense shall promptly replace the affected product with genuine and compliant ones and shall be liable for any direct damages associated with the breach of the guarantee; and","The supplier agrees to cooperate with FSEA regarding counterfeit audits and inspections to ensure ongoing compliance."],"param-id":"sr-4.3_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems/services operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Polcy"],"param-id":"ac-1_prm_1"},{"values":["department-level"],"param-id":"ac-01_odp.03"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"at-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy, ACSD-OCIO-011, Software Asset Management Acquisition Policy, ACSD-OFO-006, Acquisition Planning, Acquisition Procedures Manual, and Security and Privacy Requirements for IT Procurements"],"param-id":"au-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"ca-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"cm-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"cp-1_prm_1"},{"values":["all Department employees, contractors, and users authorized to access to Department information systems, or systems operated or maintained on behalf of the Department, or Department information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"ia-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"ir-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"ma-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"mp-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"pe-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"pl-1_prm_1"},{"values":["annually (i.e., each fiscal year)"],"param-id":"pm-01_odp.01"},{"values":["organizational changes and identification of problems during plan implementation or security control assessments"],"param-id":"pm-01_odp.02"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"pt-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"ra-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy, ACSD-OCIO-011, Software Asset Management Acquisition Policy, ACSD-OFO-006, Acquisition Planning, Acquisition Procedures Manual, and Security and Privacy Requirements for IT Procurements"],"param-id":"sa-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"sc-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"si-1_prm_1"},{"values":["all FSEA employees, contractors, and users authorized to access to FSEA information systems, or systems operated or maintained on behalf of ED, or FSEA information as defined in ACSD-OCIO-004, Cybersecurity Policy"],"param-id":"sr-1_prm_1"},{"values":["department-level"],"param-id":"at-01_odp.03"},{"values":["department-level"],"param-id":"au-01_odp.03"},{"values":["department-level"],"param-id":"ca-01_odp.03"},{"values":["department-level"],"param-id":"cm-01_odp.03"},{"values":["department-level"],"param-id":"cp-01_odp.03"},{"values":["department-level"],"param-id":"ia-01_odp.03"},{"values":["department-level"],"param-id":"ir-01_odp.03"},{"values":["department-level"],"param-id":"ma-01_odp.03"},{"values":["department-level"],"param-id":"mp-01_odp.03"},{"values":["department-level"],"param-id":"pe-01_odp.03"},{"values":["department-level"],"param-id":"pl-01_odp.03"},{"values":["department-level"],"param-id":"pt-01_odp.03"},{"values":["department-level"],"param-id":"ra-01_odp.03"},{"values":["department-level"],"param-id":"sa-01_odp.03"},{"values":["department-level"],"param-id":"sc-01_odp.03"},{"values":["department-level"],"param-id":"si-01_odp.03"},{"values":["department-level"],"param-id":"sr-01_odp.03"}]}}}