Discuss | Edit | View PDF

Circular A-130

Archive Site

Welcome! This site is archival. It was used to collect feedback from the public on proposed revisions to OMB Circular A-130. The comment period closed in November 2015. The revised OMB Circular A-130 was announced on July 27, 2016.
Read more here.

Appendix III to OMB Circular No. A-130

Responsibilities for Protecting Federal Information Resources

Introduction

Agencies of the Federal Government depend on the secure acquisition, processing, storage, transmission, and disposition of information to carry out their core missions and business functions. This allows diverse information resources ranging from large enterprise information systems (or systems of systems) to small mobile computing devices to collect, process, store, maintain, transmit, and disseminate this information. The information relied upon is subject to a range of threats that could potentially harm or adversely affect organizational operations (e.g., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. These threats include environmental disruptions, purposeful attacks, structural failures, human errors, and other threats that can compromise the confidentiality, integrity, or availability of information. Leaders at all levels of the Federal Government must understand their responsibilities and be held accountable for managing information security and protecting privacy.

Federal agencies must implement information security programs and privacy programs with the flexibility to meet current and future information management needs and the sufficiency to comply with Federal requirements. Emerging technologies and services may continue to shift the ways in which agencies acquire, develop, manage, and use information and technology. As technologies and services continue to change, so will the threat environment. Agency programs must have the capability to identify, respond to, and recover from current threats while protecting their information resources and the privacy of the individuals whose information they maintain. The programs must also have the capability to address new and emerging threats. To be effective, information security and privacy considerations must be part of the day-to-day operations of agencies. This is best accomplished by planning for the requisite security and privacy capabilities as an integral part of the agency strategic planning and risk management processes, not as a separate activity. This includes, but is not limited to, the integration of Federal information security and privacy requirements (and security and privacy controls) into the enterprise architecture, system development life cycle activities, systems engineering processes, and acquisition processes.

To ensure that Federal agencies can successfully carry out their assigned missions and business operations in an environment of sophisticated and complex threats, they must deploy systems that are both trustworthy and resilient. To increase the level of trustworthiness and resilience of Federal information systems, the systems should employ technologies that can significantly increase the built-in protection capability of those systems and make them inherently less vulnerable. This can require a significant investment in security architectures, and the application of systems security engineering concepts and principles in the design of Federal information systems.

As Federal agencies take advantage of emerging information technologies and services to obtain more effective mission and operational capabilities, achieve greater efficiencies, and reduce costs, they must also apply the principles and practices of risk management, information security, and privacy to the acquisition and use of those technologies and services. While there are certain security requirements and associated controls that are mandatory, agencies are required to employ risk-based approaches and decision-making to ensure that security capabilities are sufficient to protect agency assets, operations, and individuals. Such risk-based approaches involve framing, assessing, responding to, and monitoring security risks on an ongoing basis. Risk-based approaches can also support potential performance improvements and cost savings when agencies make decisions about maintaining, modernizing, or replacing existing information technologies and services or implementing new technologies and services that leverage internal, other government, or private sector innovative and market-driven solutions. These responsibilities extend to the creation, collection, processing, storage, transmission, dissemination, and disposal of Federal information when such information is hosted by non-Federal entities on behalf of the Federal Government. Ultimately, agency heads remain responsible and accountable for ensuring that information management practices comply with all Federal requirements, and that Federal information is adequately protected commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information.

Purpose

This Appendix establishes minimum requirements for Federal information security programs, assigns Federal agency responsibilities for the security of information and information systems, and links agency information security programs and agency management control systems established in accordance with OMB Circular No. A-123, Management's Responsibility for Internal Control. This Appendix also establishes requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies should take a coordinated approach to implementing information security and privacy controls.58 This Appendix revises requirements contained in previous versions of Appendix III to OMB Circular No. A-130, and incorporates requirements of the Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35), the E-Government Act of 2002 (44 U.S.C. chapters 35 and 36), and responsibilities assigned in Executive Orders and Presidential Directives.

General Requirements

a. Agencies shall ensure the requirements of the Federal Information Technology Acquisition Act (FITARA) are considered in establishing the responsibilities and accountability for the implementation of information and information security programs.

b. Agencies shall develop, implement, document, maintain, and oversee agency-wide information security and privacy programs including people, processes, and technologies to:

  1. Provide for agency information security and privacy policies, planning, budgeting, management, implementation, and oversight;
  2. Cost-effectively manage information security risk, which includes reducing such risk to an acceptable level;
  3. Ensure compliance with all applicable Federal privacy requirements, and use privacy impact assessments and other tools to analyze and address privacy risks;
  4. Protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for their confidentiality, integrity, and availability;
  5. Provide adequate security for all information, including PII, created, collected, processed, stored, transmitted/disseminated, or disposed of by or on behalf of the Federal Government, to include Federal information residing in contractor information systems and networks;
  6. Employ systems security engineering concepts and techniques during the development of new or updated information systems to facilitate the trustworthiness and resilience of those systems;
  7. Implement supply chain risk management principles to protect against the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software, as well as poor manufacturing and development practices throughout the system development lifecycle;
  8. Provide information security safeguards and countermeasures commensurate with the risk from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency and information systems used or operated by an agency, or by a contractor of an agency or other organization on behalf of an agency;
  9. Implement an agency-wide risk management approach that frames, assesses, responds to, and monitors information security risk across three organizational tiers (i.e., organization level, mission/business process level, and information system level);59
  10. Implement a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems and environments of operation;
  11. Ensure, for information systems and the environments in which those systems operate, that security and privacy controls are implemented correctly, operating as intended, and continually monitored and assessed; that procedures are in place to ensure that security and privacy controls remain effective over time; and that steps are taken to maintain risk at an acceptable level within organizational risk tolerance;
  12. Ensure that, in a timely manner, agency CIOs are made aware of information systems and components that cannot be appropriately protected or secured and that such systems are given a high priority for upgrade, replacement, or retirement.
  13. Implement policies and procedures to ensure that all personnel are held accountable for complying with agency-wide information security and privacy programs; and
  14. Ensure that performance plans for all Federal employees include an element addressing the need to adhere to Federal and agency-specific requirements for the protection of information and information systems; and for individuals with significant security and privacy responsibilities, include requirements regarding their role in protecting information and information systems.

c. Agencies shall protect Controlled Unclassified Information (CUI) in accordance with requirements set forth by the National Archives and Records Administration.

d. Agencies shall limit the disclosure of proprietary information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists.

e. Agencies shall implement security and privacy policies issued by the Office of Management and Budget (OMB), and the Office of Personnel Management, as well as requirements issued by Department of Commerce, Department of Homeland Security, and General Services Administration. This includes applying the standards and guidelines contained in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), NIST (800-series) Special Publications, and, where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).

f. Agencies shall ensure that all contracts, and other third-party agreements for services, incorporate all relevant information security and privacy requirements outlined in statute, OMB policy, Executive Orders, and Presidential Directives.

Specific Requirements60

a. Security Categorization

Agencies shall:

  1. Identify authorization boundaries for information systems; and
  2. Categorize information and information systems, in accordance with FIPS Publication 199 and NIST Special Publication 800-60, considering potential adverse security and privacy impacts to organizational operations and assets, individuals, other organizations, and the Nation.

b. Planning, Budgeting, and Enterprise Architecture

Agencies shall:

  1. Identify and plan for the resources needed to implement information security and privacy programs;
  2. Ensure that information security and privacy are addressed throughout the life cycle of each agency information system, and that security and privacy activities and costs are explicitly identified and included in IT investment capital plans and budgetary requests;
  3. Plan and budget to upgrade, replace or retire any information systems for which security and privacy protections commensurate with risk cannot be effectively implemented;
  4. Ensure that investment plans submitted to OMB as part of the budget process meet the information security and privacy requirements appropriate for the life cycle stage of the investment; and
  5. Incorporate Federal information security and privacy requirements into the agency's enterprise architecture to ensure information systems and the environments in which those systems operate achieve the necessary levels of trustworthiness, protection, and resilience.

c. Plans, Controls, and Assessments

Agencies shall:

  1. Develop and maintain information security program and privacy program plans that provide an overview of the organization-wide information security and privacy requirements and describe the program management controls and common controls in place or planned for meeting those requirements;
  2. Employ a system life cycle process that incorporates the principles, concepts, methods, and techniques of systems security engineering as described in NIST Special Publication 800-160 to ensure the development of trustworthy and resilient information systems;
  3. Develop supply chain risk management plans for all organizational tiers as described in NIST Special Publication 800-161 to ensure the integrity, security, resilience, and quality of information systems;
  4. Implement a risk-based security control selection process for information systems and environments of operation that satisfies the minimum information security requirements in FIPS Publication 200 and security control baselines in NIST Special Publication 800-53, tailored as appropriate;
  5. Implement a privacy control selection process for information systems and environments of operation that satisfies the privacy requirements in OMB guidance, including, but not limited to, Appendix I to this Circular, OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, and NIST Special Publication 800-53;
  6. Develop and maintain security and privacy plans for information systems and environments of operation to document which security and privacy controls have been selected and how those controls have been implemented;
  7. Implement security controls and privacy controls in information systems and environments of operation using systems/security engineering principles, concepts, methods, practices, and techniques;
  8. Deploy effective security controls to provide Federal employees and contractors with multifactor authentication, digital signature, and encryption capabilities that provide assurance of identity and are interoperable and accepted across all Executive Branch agencies;
  9. Designate common controls in order to provide cost-effective security and privacy capabilities that can be inherited by multiple agency information systems;61
  10. Assess all selected and implemented security and privacy controls in agency information systems (and environments in which those systems operate) prior to operation, and periodically thereafter, consistent with the frequency defined in the agency information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies and the agency risk tolerance;
  11. Conduct and record the results of security control assessments and privacy control assessments in security and privacy assessments, respectively;
  12. Use agency Plans of Action and Milestones (POA&Ms), and make available or provide access to OMB, DHS, Inspectors General, and the Government Accountability Office, upon request, to record and manage the mitigation and remediation of identified weaknesses and deficiencies, not associated with accepted risks, in agency information systems and environments of operation; and
  13. Obtain approval from the authorizing official for connections from the information system, as defined by its authorization boundary, to other information systems based on the risk to the agency's operations and assets, individuals, other organizations, and the Nation.

d.Authorization and Continuous Monitoring

Agencies shall:

  1. Designate senior Federal officials to formally: authorize an information system to operate; and authorize agency-designated common controls for use based on a determination of, and explicit acceptance of, the information security and privacy risk to agency operations and assets, individuals, other organizations, and the Nation, and prior to operational status;
  2. Complete an initial authorization for each information system and all agency-designated common controls;
  3. Transition information systems and common controls to an ongoing authorization process when eligible for such a process and with the formal approval of the respective authorizing officials;
  4. Reauthorize information systems and common controls as needed, on a time- or event-driven basis in accordance with agency risk tolerance;
  5. Develop and maintain an ISCM strategy and PCM strategy to address information security and privacy risks and requirements across the organizational risk management tiers (i.e., organization/governance tier, mission/business process tier, and/or information system tier);62
  6. Implement and periodically update the ISCM strategy and PCM strategy to reflect: the effectiveness of deployed controls; significant changes to information systems and environments of operations; and adherence to Federal statutes, policies, directives, instructions, regulations, standards, and guidelines;
  7. Ensure that all selected and implemented controls are addressed in the ISCM strategy and PCM strategy and are effectively monitored on an ongoing basis, as determined by the agency's ISCM and PCM programs;63
  8. Establish and maintain an ISCM program that:

    a. Provides an understanding of agency risk tolerance and helps officials set priorities and manage information security risk consistently throughout the agency;

    b. Includes metrics that provide meaningful indications of security status at all organizational risk management tiers;

    c. Ensures the continued effectiveness of all security controls selected and implementedby monitoring controls with the frequencies specified in the ISCM strategy;

    d. Verifies compliance with information security requirements derived from missions/business functions, Federal statutes, directives, instructions, regulations, policies, and standards/guidelines;

    e. Is informed by all applicable agency IT assets to help maintain visibility into the security of those assets;

    f. Ensures knowledge and control of changes to information systems and environments of operation; and

    g. Maintains awareness of threats and vulnerabilities;

  9. Establish and maintain a PCM program that:

    a. Ensures continued compliance with all applicable privacy requirements;

    b. Verifies the continued effectiveness of all Federal privacy controls selected and implemented across all organizational risk management tiers;

    c. Includes metrics to monitor the effective implementation of privacy requirements and privacy controls across all organizational risk management tiers;

    d. Monitors changes to information systems and environments of operation that collect, process, store, maintain, use, or disseminate PII; and

    e. Maintains adequate awareness of any threats and vulnerabilities that may affect PII and impact individual privacy;

  10. Ensure that a robust ISCM program and PCM program are in place before agency information systems or common controls are eligible for ongoing authorization; and

  11. Leverage available Federal shared services, where practicable and appropriate.

e. Privacy Controls for Federal Information Systems and Organizations

The senior agency official for privacy (SAOP) has overall agency-wide responsibility and accountability for developing, implementing, and maintaining an agency-wide governance and privacy program to ensure compliance with all applicable statutes, regulations, and policies regarding the collection, use, maintenance, dissemination, and disposal of PII by programs and information systems. The SAOP shall: 1. Develop and maintain a PCM strategy to address privacy risks and requirements across the organizational risk management tiers (i.e., organization/governance tier, mission/business process tier, and/or information system tier); 2. Establish and maintain a PCM program to maintain ongoing awareness of privacy risks and assess privacy controls at a frequency sufficient to ensure compliance with applicable requirements and to adequately protect PII; 3. Review IT capital investment plans and budgetary requests to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included; 4. Review and approve, in accordance with NIST FIPS Publication 199 and Special Publication 800-60, the categorization of information systems that collect, process, store, maintain, or disseminate PII; 5. Designate system-specific, hybrid, and common privacy controls; 6. Review and approve the privacy plans for agency information systems prior to authorization, reauthorization, or ongoing authorization; 7. Conduct privacy control assessments to ensure that privacy controls are implemented correctly, operating as intended, and effective in satisfying privacy requirements; and 8. Review authorization packages and determine that all applicable privacy requirements are met and the risk to PII is sufficiently addressed prior to authorizing officials making risk determination and acceptance decisions.

f. Incident Detection, Response and Recovery

After agencies have selected and implemented the necessary security controls to protect their information and systems consistent with their understanding of agency operations and assets and management of information security risk, agencies shall subsequently ensure they can react appropriately to information security incidents.

Agencies shall:64

  1. Develop and implement incident management policies and procedures that address incident detection, response, and recovery. This includes developing and implementing appropriate activities to identify the occurrence of an incident; developing and implementing appropriate activities to take action regarding a detected cybersecurity incident; and developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an incident;
  2. Designate sensitive positions and execute commensurate security clearance levels for appropriate agency personnel;
  3. Establish clear roles and responsibilities to ensure the oversight and coordination of incident response activities and that incidents are appropriately documented, reported, investigated and handled;
  4. Periodically test incident response procedures to ensure effectiveness of such procedures;
  5. Document lessons learned for incident response and update procedures annually and/or as required by OMB and/or DHS;
  6. Ensure processes are in place to verify corrective actions;
  7. Maintain formal security and privacy incident response capabilities and mechanisms to include breach notification and adequate training and awareness for employees and contractors on how to report and respond to security and privacy incidents;
  8. Report security and privacy incidents to OMB, DHS, the SAOP, their respective Inspectors General and General Counsel, law enforcement, and Congress in accordance with procedures issued by OMB;
  9. Implement formal security and privacy incident policies to include definitions, detection and analysis, containment, internal and external notification and reporting requirements, incident reporting methods, post-incident procedures, roles and responsibilities, and guidance on how to mitigate impacts to the agency and its respondents following an incident; and
  10. Provide reports on incidents as required by FISMA, OMB policy, DHS binding operational directives, US-CERT guidelines, NIST guidelines, and agency procedures.

g. Contingency Planning

Agencies shall:

  1. Develop contingency plans65 for information systems that:

    a. Identify essential missions and business functions and associated contingency requirements;

    b. Provide recovery objectives, restoration priorities, and metrics;

    c. Address contingency roles and responsibilities; and

    d. Address maintaining essential missions and business functions despite a disruption, compromise, or failure of information systems; and

  2. Provide for the recovery and reconstitution of information systems to a known state after a disruption, compromise, or failure.

h. Awareness and Training

Agencies shall:

  1. Develop, maintain, and implement mandatory agency-wide information security and privacy awareness and training programs for all employees and contractors;
  2. Ensure that the security and privacy awareness and training programs are consistent with applicable standards and guidelines issued by OMB, NIST, and OPM;
  3. Apprise agency personnel about available assistance and technical security and privacy products and techniques;
  4. Provide foundational as well as more advanced levels of security and privacy awareness training to information system users (including managers, senior executives, and contractors) and ensure that measures are in place to test the knowledge level of information system users;
  5. Provide role-based security and privacy training to personnel with assigned security and privacy roles and responsibilities before authorizing access to the information system or performing assigned duties;
  6. Establish rules of behavior, that include consequences for violating rules of behavior, for personnel having access to agency information and information systems;
  7. Ensure that agency personnel have read and agreed to abide by the rules of behavior for the information systems for which they require access prior to being granted access; and

i. Specific Safeguarding Measures to Reinforce the Protection of Federal Information and Information Systems66

Agencies shall:

  1. Implement a policy of least functionality by only permitting the use of networks, systems, applications, and data, as well as programs, functions, ports, protocols, and/or services that are necessary in meeting mission or business needs;
  2. Implement policies of least privilege at multiple layers – network, system, application, and data so that users have role-based access to only the information and resources that are necessary for legitimate purpose;
  3. Implement a policy of separation of duties to address the potential for abuse of authorized privileges and help to reduce the risk of malicious activity without collusion;
  4. Isolate sensitive and/or critical information resources (e.g., information systems, system components, applications, databases, and information) into separate security domains with appropriate levels of protection based on the sensitivity/criticality of those resources;
  5. Implement access control policies for information resources that ensure individuals have appropriate authorization and need, and that the appropriate level of identity proofing and/or background investigation is conducted prior to granting access;
  6. Protect administrator, user, and system documentation related to the design, development, operation, maintenance, and security of the hardware, firmware, and software components of information systems;
  7. Continuously monitor, log, and audit the execution of information system functions by privileged users to detect misuse and to help reduce the risk from insider threats;
  8. Prohibit the use of unsupported information systems and system components, and ensure that systems and components that cannot be appropriately protected or secured are given a high priority for upgrade or replacement;67
  9. Implement and maintain current updates and patches for all software and firmware components of information systems;68
  10. For systems that promote public access, ensure that identity proofing, registration, and authentication processes provide assurance of identity consistent with security and privacy requirements, in accordance with Executive Order 13681,69 OMB policy, and NIST standards and guidelines;
  11. Require use of multifactor authentication for employees and contractors in accordance with government-wide identity management standards;
  12. Encrypt all FIPS 199 moderate-impact and high-impact information at rest and in transit, unless encrypting such information: is technically infeasible or would demonstrably affect the ability of agencies to carry out their respective missions, functions, or operations; and the risk of not encrypting is accepted by the authorizing official and approved by the agency CIO;
  13. Implement the current encryption algorithms and validated cryptographic modules in accordance with NIST standards and guidelines;
  14. Ensure that only users with legitimate need for access have the ability to decrypt sensitive information.
  15. Develop and implement processes to support use of digital signatures for employees and contractors;70
  16. Implement attribute-based access controls71 to control and monitor access to Federal information; and
  17. Ensure that all Federal systems and services identified in the Domain Name System are protected with Domain Name System Security (DNSSEC) and that all systems are capable of validating DNSSEC protected information.72

j. Contracts and Agreements

Organizations that collect or maintain information on behalf of a Federal agency or that operate or use information systems on behalf of a Federal agency, must comply with the requirements in the FISMA and OMB policies. Agencies shall ensure that terms and conditions in contracts, and other agreements involving the processing, storage, transmission, and destruction of Federal information, are sufficient to enable agencies to meet necessary security and privacy requirements concerning Federal information. For additional information and associated requirements pertaining to information technology acquisitions, refer to the Federal Acquisition Regulation.

k. Oversight of Non-Federal Entities

Agencies shall:

  1. Provide oversight of information systems used or operated by contractors or other entities on behalf of the Federal government or that collect or maintain Federal information on behalf of the Federal government, to include:

    a. Documenting and implementing policies and procedures for information security and privacy oversight, to include ensuring appropriate vetting and access control processes for contractors and others with access to systems containing Federal information;

    b. Ensuring that security and privacy controls of such information systems and services are effectively implemented and comply with NIST standards and guidelines and agency requirements;

    c. Maintaining and continuously updating an inventory of information systems and system components using automated reporting, cataloguing, and inventory tools;

    d. Ensuring that the inventory identifies interfaces between these systems and organization-operated systems;

    e. Ensuring that procedures are in place for incident response for these systems including timelines for breach notification;

    f. Requiring agreements (e.g., Memorandum of Understandings, Interconnection Security Agreements, contracts) for interfaces between these systems and agency-owned and operated systems; and

    g. Implementing policies, procedures, and verification methods to ensure, within the risk tolerance of the agency, that systems that are owned or operated by contractors or entities that contain Federal information are compliant with FISMA requirements, OMB policies, and applicable NIST standards and guidelines;

  2. Collaborate with non-Federal entities and other agencies as appropriate to ensure that security and privacy requirements pertaining to these non-Federal entities, such as State, local, tribal, and territorial governments, are consistent to the greatest extent possible; and

  3. Ensure that non-Federal entities protect CUI in accordance with NARA requirements and any associated NIST standards and guidelines.

l. Mitigation of Deficiencies and Issuance of Status Reports

Agencies must correct deficiencies that are identified through information security and privacy assessments, ISCM and PCM programs, or internal/external audits and reviews, to include OMB reviews. OMB Circular No. A-123, Management's Responsibility for Internal Control, provides guidance to determine whether a deficiency in controls is material when so judged by the agency head against other agency deficiencies. Material deficiencies must be included in the annual Federal Managers Financial Integrity Act (FMFIA) report, and remediation tracked and managed through the agency's POA&M process. Less significant deficiencies need not be included in the FMFIA report, but must be tracked and managed through the agency's POA&M process.

m. Reporting

Agencies shall provide FISMA reports in accordance with processes established by OMB and DHS in accordance with the Federal Information Security Modernization Act of 2014.

n. Cybersecurity Framework

The Cybersecurity Framework was developed by NIST in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The Framework describes five core cybersecurity functions (i.e., Identify, Protect, Detect, Respond, and Recover) that may be helpful in raising awareness and facilitating communication among agency stakeholders, including executive leadership. The Cybersecurity Framework may also be helpful in improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. The Framework is not intended to duplicate the current information security and risk management practices in place within the Federal Government. However, in the course of managing information security risk using the established NIST Risk Management Framework and associated security standards and guidelines required by FISMA, agencies can leverage the Cybersecurity Framework to complement their current information security programs. NIST will provide additional guidance on how agencies can use the Cybersecurity Framework and in particular, how the two frameworks can work together to help agencies develop, implement, and continuously improve their information security programs.

o. Independent Evaluations

Agencies shall:

  1. Perform an independent evaluation of the information security programs and practices to determine the effectiveness of such programs and practices. The evaluation may include an evaluation of their privacy program and practices, as appropriate. Each evaluation must include:

    a. Testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems;

    b. An assessment of the effectiveness of the information security policies, procedures, and practices of the agency; and

    c. Separate presentations, as appropriate, regarding information security relating to national security systems.

  2. For each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section must be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency. For agencies in which the Inspector General Act of 1978 does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation.

5. Government-wide Responsibilities

a. Department of Commerce

The Secretary of Commerce shall:

  1. Develop and issue standards and guidelines for the security and privacy of information in Federal information systems, and systems which create, collect, process, store, transmit/disseminate, or dispose of information on behalf of the Federal Government;
  2. Evaluate new information technologies to assess their security vulnerabilities, with technical assistance from the Department of Defense (DoD) and DHS;
  3. Follow a transparent process that allows and addresses input from the agencies and the public when developing standards and guidelines; and
  4. Solicit and consider the recommendations of the Information Security and Privacy Advisory Board, established by the National Institute of Standards and Technology Act.73

b. Department of Homeland Security

The Secretary of Homeland Security shall:74

  1. Monitor and assist agencies with the implementation of information security policies and practices for information systems;
  2. Assist OMB in carrying out its information security oversight and policy responsibilities;
  3. Develop and oversee the implementation of binding operational directives that reinforce the policies, principles, standards, and guidelines developed by OMB, that focus on:

    a. Requirements for the mitigation of exigent risks to information systems;

    b. Requirements for the mitigation of known or reasonably suspected information security threats, vulnerabilities, and risks;

    c. Requirements for reporting incidents to the Federal information security incident center; and

    d. Other operational requirements, as deemed necessary by OMB;

  4. Coordinate the development of binding operational directives and the oversight of the implementation of such directives with OMB and NIST to ensure consistency with OMB policies and NIST standards and guidelines;

  5. Consult with the Director of NIST regarding any binding operational directives that implement or affect the standards and guidelines developed by NIST;

  6. Convene meetings with senior agency officials to help ensure the effective implementation of information security policies and procedures;

  7. Coordinate government-wide efforts on information security policies and practices, including consultation with the CIO Council and NIST;

  8. Manage government-wide information security programs and provide and operate Federal information security shared services, as directed by OMB;

  9. Provide operational and technical assistance to agencies in implementing policies, principles, standards, and guidelines on information security. This includes:

a. Operating the Federal information security incident center;

b. Deploying technology to assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities, with or without reimbursement and at the request of the agency;

c. Compiling and analyzing data on agency information security; and d. Developing and conducting targeted operational evaluations, including threat and vulnerability assessments, on information systems; 10. Provide agencies with intelligence about cyber threats, vulnerabilities, and incidents for risk assessments and proactive mitigation; 11. Consult with OMB to determine what other actions may be necessary to support implementation of effective government-wide information security programs; 12. Provide the public with timely notice and opportunities for comment on proposed information security directives and procedures to the extent that such directives and procedures affect the public or communication with the public; and 13. Solicit and consider the recommendations of the Information Security Privacy Advisory Board, established by the National Institute of Standards and Technology Act.

c. Department of Defense

The Secretary of Defense shall:

  1. Provide technical advice and assistance to the Departments of Commerce and Homeland Security; and
  2. Assist the Departments of Commerce and Homeland Security in evaluating the vulnerabilities of emerging information technologies.

d. General Services Administration

The Administrator of General Services shall:

  1. When developing contract vehicles for agencies to use in the acquisition of information security products and services, or when providing government-wide services, ensure these contract vehicles and services are cost effective and provide for capabilities that are consistent with government-wide requirements;
  2. Maintain a Federal public key infrastructure (FPKI) framework to allow efficient interoperability among agencies when using digital certificates; and
  3. Ensure effective controls are in place to protect the confidentiality, integrity, and availability of the FPKI framework components managed and overseen by the agency, to include performing information security continuous monitoring of the FPKI.

e. Office of Personnel Management

The Director of the Office of Personnel Management shall determine the minimum investigative requirements for Federal employees and contractors requiring access to Federal facilities, information, and/or information systems.

Discussion of the Major Provisions in the Appendix

1. NIST Standards and Guidelines

NIST standards and guidelines associate each information system with an impact level. The standards and guidelines also provide a corresponding starting set of baseline security controls and tailoring guidance to ensure that the set of security controls in the security plan (approved by the authorizing official) and privacy controls in the privacy plan (approved by the SAOP), satisfy the information security, privacy, and mission/business protection needs of the agency.

For non-national security programs and information systems, agencies must apply NIST guidelines unless otherwise stated by OMB. Federal Information Processing Standards (FIPS) are mandatory. There is flexibility within NIST's guidelines (specifically in the 800-series) in how agencies apply those guidelines. Unless specified by additional implementing policy by OMB, the concepts and principles described in NIST guidelines must be applied. However, NIST guidelines generally allow agencies latitude in their application. Consequently, the application of NIST guidelines by agencies can result in different security solutions that are equally acceptable and compliant with the guidelines.

For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.

2. Risk Management Framework

The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF requires agencies to categorize each information system and the information processed, stored, and transmitted by that system based on a mission/business impact analysis. Agencies select an initial set of baseline security controls for the information system based on the security categorization and then tailor the security control baseline as needed, based on an organizational assessment of risk and local conditions. After implementing the security controls, agencies assess the controls using appropriate assessment methods as described in NIST Special Publication 800-53A to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The authorization to operate the system is based on a determination of the risk to agency operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the system and the decision by the authorizing official, that this risk is acceptable. Subsequent to the authorization decision and as part of an information security continuous monitoring strategy and program, agencies monitor the security controls in the system on an ongoing basis. Monitoring includes, but is not limited to, assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated agency officials on an ongoing basis.

An effective implementation of the RMF ensures that managing information system-related security risks is consistent with the agency's mission/business objectives and overall risk management strategy, and risk tolerance established by the senior leadership through the risk executive function75 as discussed in NIST Special Publication 800-37. It also ensures that the requisite security requirements and controls are integrated into the agency's enterprise architecture and system development life cycle processes. Finally, the RMF supports consistent, well-informed, and ongoing security authorization decisions, transparency of security and risk management information, reciprocity, and information sharing.

3. Security Control Baselines

It is important to achieve adequate security for Federal information and information systems and a consistent level of protection for such information and systems government-wide. To meet this objective, agencies must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in FIPS Publication 200. The security controls must include one of the three security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of their information systems. The security control baselines define the set of minimum security controls for a low-impact, moderate-impact, or high-impact information system and provide a starting point for the tailoring process. Agencies are required to tailor the security control baselines to customize their safeguarding measures for specific missions, business lines, and operational environments—and to do so in a cost-effective, risk-based manner. Tailoring allows agencies to designate common controls; apply scoping considerations; select compensating controls; assign specific values to agency-defined control parameters; supplement baselines with additional controls when necessary; and provide additional specification information for control implementation. Agencies must provide a justification for any tailoring actions that result in changes to the initial security control baselines. Agencies are not permitted to make changes to security control baselines when such changes result in control selections that are inconsistent with security requirements set forth in Federal statutes, Executive Orders, regulations, directives, or policies.

Agencies may also develop overlays as part of the security control selection process. Overlays provide a specification of security and/or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple systems. All selected security controls must be documented in a security plan and implemented. Agencies can use the priority code designations associated with each security control in NIST Special Publication 800-53 to assist in making sequencing decisions for control implementation. This prioritization helps to ensure that the foundational security controls upon which other controls depend are implemented first, thus enabling agencies to deploy controls in a more structured and timely manner in accordance with available resources. Independent evaluations, when conducted, should focus on the effectiveness of the security controls selected and implemented (as documented in agency security plans after all tailoring actions have been completed on the security control baselines) and the justification for any decisions to change the control baselines.

4. Security and Privacy Assessments

Agencies must ensure that periodic testing and evaluation of the effectiveness of information security and privacy policies, procedures, and practices are performed with a frequency depending on risk, but at least annually. This general requirement to test and evaluate the effectiveness of information security and privacy policies, procedures, and practices does not imply that agencies must assess every selected and implemented security and privacy control at least annually. Rather, agencies must continuously monitor all implemented security and privacy controls (i.e., system-specific, hybrid, and common controls) with a frequency determined by the agency in accordance with the ISCM and PCM strategies. These strategies will define the specific security and privacy controls selected for assessment during any one-year period (i.e., the annual assessment window) with the understanding that all controls may not be formally assessed every year. Rotational assessment of security and privacy controls is consistent with the transition to ongoing authorization and assumes the information system has completed an initial authorization where all controls were formally assessed for effectiveness.

Security and privacy control assessments should ensure that security and privacy controls selected by agencies are implemented correctly, operating as intended, and effective in satisfying security and privacy requirements. The security of information may change over time based on changes in the threat, agency missions/business functions, personnel, technology, or environments of operation. Consequently, maintaining a capability for real-time or near real-time analysis of the threat environment and situational awareness following an information security incident is paramount. The type, rigor, and frequency of control assessments should be commensurate with the level of awareness necessary for effectively determining information security risk that is established by the agency's risk tolerance and risk management strategy. Technical security tools such as malicious code scanners, vulnerability assessment products (which look for known security weaknesses, configuration errors, and the installation of the latest patches), and penetration testing can assist in the ongoing assessment of information systems.

5. Authorizing Official

The authorizing official is a senior agency official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations and assets, individuals, other organizations, and the Nation. Authorizing officials have budgetary oversight for an information system or are responsible for the mission or business operations supported by the system. Through the authorization process, authorizing officials are responsible and accountable for the security risks associated with information system operations. Because information security is closely related to the individual privacy protections required for PII (see Fair Information Practice Principles), authorizing officials are also responsible and accountable for the privacy-related risks that arise from the operation of an information system.Accordingly, authorizing officials must be in management positions with a level of authority commensurate with understanding and accepting such information system-related security and privacy risks. Since the SAOP is the senior official, designated by the head of each agency, who has overall agency-wide responsibility for information privacy, agencies must consider inputs and recommendations submitted by the SAOP in the authorization decision.Additionally, the SAOP has responsibility for reviewing the authorization package to ensure that privacy risks are addressed prior to system authorization. In situations where the authorizing official and SAOP cannot reach a final resolution regarding the appropriate protection for the agency information and information system, the head of the agency must review the associated risks and requirements and make a final determination regarding the issuance of the authorization to operate.76

Agencies can choose from several different approaches when planning for and conducting authorizations. These include an authorization with a single authorizing official, an authorization with multiple authorizing officials, or leveraging an existing authorization (see Section 8, Joint and Leveraged Authorizations). Agencies can, at their discretion, include the CIO or the SAOP as co-authorizing officials with other senior agency officials responsible for the mission or line of business supported by the system being authorized for operation. Regardless of the approach used, the role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.

6. Authorization to Operate

The authorization to operate an information system and the authorization of agency-designated common controls granted by senior Federal officials provide an important quality control for agencies. The decision to authorize a system to operate should be based on a review of the authorization package and includes an assessment of compliance with applicable requirements and risk to agency operations and assets, individuals, other organizations, and the Nation. As stated above, the decision to authorize a system, or agency-defined common controls, should be made by the appropriate authorizing official – an agency official responsible for the associated missions, business functions, and/or supporting infrastructure. Since the security plan and privacy plan establish the security and privacy controls selected for implementation, those plans are a critical part of the authorization package and should form the basis for the authorization, supplemented by more specific information as needed.

7. Ongoing Authorization

Ongoing authorization 77 is a process whereby the authorizing official makes risk determination and risk acceptance decisions subsequent to the initial authorization, taken at agreed-upon and documented frequencies in accordance with the agency's risk tolerance and mission/business requirements. Ongoing authorization is a time-driven or event-driven authorization process whereby the authorizing official is provided with the necessary and sufficient information regarding the near real-time state of the information system and inherited common controls to determine whether or not all applicable security and privacy requirements have been satisfied and the mission/business risk is acceptable. Effective ongoing authorization requires robust ISCM and PCM strategies and effective operational ISCM and PCM programs. Agencies can move from a static, point-in-time authorization process to a dynamic, near real-time ongoing authorization process for information systems and common controls after having satisfied two conditions: the system and/or common controls have been granted an initial authorization to operate by the designated authorizing official; and ISCM and PCM programs are in place to monitor all implemented security and privacy controls with the appropriate degree of rigor and at the appropriate frequencies in accordance with applicable ISCM and PCM strategies, OMB guidance and NIST guidelines.

Agencies must define and implement a process to specifically designate information systems and/or common controls that have satisfied the two conditions noted in the previous paragraph and have been transitioned to ongoing authorization. The process includes the means for the authorizing official to formally acknowledge that the information system and/or common controls are being managed under an ongoing authorization process and accept the responsibility for ensuring all necessary activities associated with the ongoing authorization process are performed. Until a formal approval is obtained from the authorizing official to transition to ongoing authorization, information systems (and common controls) remain under a static authorization process with specific authorization termination dates enforced by the agency.

8. Reauthorization

Reauthorization consists of a review of the information system similar to the review carried out during the initial authorization but conducted during the operations/maintenance phase of the system development life cycle rather than prior to that phase. In general, reauthorization actions may be time-driven or event-driven. However, under ongoing authorization, reauthorization is typically an event-driven action initiated by the authorizing official or directed by the Risk Executive (function) in response to an event that increases information security risk above the previously agreed-upon agency risk tolerance. Event-driven reauthorization triggers can include, for example: new threat, vulnerability, or impact information; an increased number of findings, weaknesses, or deficiencies from continuous monitoring programs; new missions or business functions; new or modified security requirements; changes in authorizing officials; significant changes in risk assessment findings; significant changes to information systems, common controls, or environments of operation; exceeding agency-designated thresholds; and changes in Federal statutes, OMB policies, or NIST standards and guidelines. A significant change is defined as a change that is likely to affect the security state of an information system.

The reauthorization process differs from the initial authorization inasmuch as the authorizing official can initiate: a complete zero-base review of the information system or common controls; or a targeted review based on the type of event that triggered the reauthorization, the assessment of risk related to the event, the risk response of the agency, and the agency risk tolerance. Reauthorization is a separate activity from the ongoing authorization process, though security- and privacy-related information from the agency's ISCM and PCM programs may still be leveraged to support reauthorization. Note also that reauthorization actions may necessitate a review of and changes to the ISCM or PCM strategy, which may in turn affect ongoing authorization.

9. Joint and Leveraged Authorizations

Agencies are encouraged to use joint and leveraged authorizations whenever practicable.78 Joint authorizations can be used when multiple agency officials either from the same agency or different agencies, have a shared interest in authorizing an information system or common controls. The participating officials are collectively responsible and accountable for the system and the common controls and jointly accept the information security risks that may adversely impact agency operations and assets, individuals, other organizations, and the Nation. Agencies choosing a joint authorization approach should work together on the planning and the execution of the Risk Management Framework tasks described in NIST Special Publication 800-37 and document their agreement and progress in implementing the tasks. The specific terms and conditions of the joint authorization are established by the participating parties in the joint authorization including, for example, the process for ongoing determination and acceptance of risk. The joint authorization remains in effect only as long as there is mutual agreement among authorizing officials and the authorization meets the requirements established by Federal and/or agency policies.

Leveraged authorizations can be used when an agency chooses to accept some or all of the information in an existing authorization package generated by another agency based on the need to use the same information resources (e.g., information system and/or services provided by the system). The leveraging agency reviews the owning agency's authorization package as the basis for determining risk to the leveraging agency. The leveraging agency considers risk factors such as the time elapsed since the authorization results were produced, differences in environments of operation (if applicable), the impact of the information to be processed, stored, or transmitted, and the overall risk tolerance of the leveraging agency. The leveraging agency may determine that additional security measures are needed and negotiate with the owning agency to provide such measures. To the extent that a leveraged authorization includes an information system that collects, processes, stores, maintains, transmits, or disseminates PII, leveraging agencies must consult their SAOP. The SAOP, may determine that additional measures are required to protect PII prior to leveraging the authorization.

10. Continuous Monitoring

Agencies must develop ISCM and PCM and implement ISCM and PCM activities in accordance with applicable statutes, directives, policies, instructions, regulations, standards, and guidelines. Agencies have the flexibility to develop an overarching ISCM and PCM strategy (e.g., at the agency, bureau, or component level) that address all information systems, or continuous monitoring strategies that address each agency information system individually. The ISCM and PCM strategies must address all security and privacy controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process. ISCM and PCM strategies, which must be approved by the SAOP and appropriate agency authorizing official, must also include all common controls inherited by agency information systems.

11. Critical Infrastructure

Agencies that operate information systems that are part of the critical infrastructure must conduct risk assessment to ensure that security controls for those systems are appropriately tailored (including the deployment of additional controls, when necessary), thus providing the required level of protection for critical Federal missions and business operations. In addition, agencies must ensure that the privacy controls assigned to critical infrastructure meet all applicable requirements and adequately protect individual privacy. This includes the ongoing monitoring of deployed security and privacy controls in critical infrastructure systems to determine the ongoing effectiveness of those controls against current threats; improving the effectiveness of those controls, when necessary; managing associated changes to the systems and environments of operation; and satisfying specific protection and compliance requirements in statutes, Executive Orders, directives, and policies required for critical infrastructure protection.

12. Encryption

When the assessed risk indicates the need, agencies must encrypt Federal information at rest and in transitunless otherwise protected by alternative physical and logical safeguards implemented at multiple layers, including networks, systems, applications, and data. Encrypting information at rest and in transit helps to protect the confidentiality, integrity, and availability of such information by making it less susceptible to unauthorized disclosure or modification. Agencies must apply encryption requirements to Federal information categorized as either moderate or high impact in accordance with FIPS Publication 199 unless encrypting such information is technically unfeasible or would demonstrably affect their ability to carry out their respective mission, functions, or operations. In situations where the use of encryption is technically infeasible, for example, due to an aging legacy system, agencies must initiate the appropriate system or system component upgrade or replacement actions at the earliest opportunity to be able to accommodate such safeguarding technologies. Authorizing officials who choose to operate information systems without the use of required encryption technologies must carefully assess the risk in doing so and they must receive written approval for the exception from the agency CIO. For high impact information, access to unencrypted content should be managed separately from access to the networks, systems, and applications where the encrypted data resides. Only FIPS-validated and NSA-approved cryptography are approved for use in Federal information systems.

13. Digital Signatures

Digital signatures can mitigate a variety of security vulnerabilities by providing authentication and non-repudiation capabilities, and ensuring the integrity of Federal information whether such information is used in day-to-day operations or archived for future use. Additionally, digital signatures can help agencies streamline mission/business processes and transition manual processes to more automated processes to include, for example, online transactions. Because of the advantages provided by this technology, OMB expects agencies to implement digital signature capabilities in accordance with Federal Public Key Infrastructure (PKI) policy, and NIST standards and guidelines. For employees and contractors, agencies must require the use of the digital signature capability of Personal Identity Verification (PIV) credentials when the capability is available.79 For individuals that fall outside the scope of PIV applicability, agencies should leverage approved Federal PKI credentials when using digital signatures.

14. Identity Assurance

To streamline the process of citizens, businesses, and other partners80 securely accessing government services online requires a risk-appropriate demand of identity assurance. Identity assurance, in an online context, is the ability of an agency to determine that a claim to a particular identity made by an individual can be trusted to actually be the individual's "true" identity. Citizens, businesses, and other partners that interact with the Federal Government need to have and be able to present electronic identity credentials to identify and authenticate themselves remotely and securely when accessing Federal information resources. An agency needs to be able to know, to a degree of certainty commensurate with the risk determination, that the presented electronic identity credential truly represents the individual presenting the credential before a transaction is authorized.81 To transform processes for citizens, businesses, and other partners accessing Federal services online, OMB expects agencies to use a standards-based federated identity management approach that enables security, privacy, ease-of-use, and interoperability among electronic authentication systems.

15. Unsupported Information System Components

Unsupported information system components (e.g., when vendors are no longer providing critical software patches) provide a substantial opportunity for adversaries to exploit weaknesses discovered in the currently installed components. Prohibit the use of unsupported information systems and system components, and ensure that systems and components that cannot be appropriately protected or secured are given a high priority for upgrade or replacement. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. For such systems, agencies can establish in-house support, for example, by developing customized patches for critical software components or securing the services of external providers who through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors.

16. FISMA Applicability to Non-Federal Entities

FISMA describes Federal agency security responsibilities as including "information collected or maintained by or on behalf of an agency" and "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." FISMA requires each agency to provide information security for the information and "information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source." This includes services that are either fully or partially provided, including agency hosted, outsourced, and cloud-based solutions.

Additionally, because FISMA applies to Federal information and information systems, in certain circumstances, its requirements also apply to a specific class of information technology that the Clinger-Cohen Act of 1996 (40 U.S.C. § 1401(3)) did not include, i.e., "equipment that is acquired by a Federal contractor incidental to a Federal contract." Therefore, when Federal information is used within incidentally acquired equipment, the agency continues to be responsible and accountable for ensuring that FISMA requirements are met for such information.

17. Other Requirements

Agencies must adhere to all other applicable information requirements such as the privacy requirements in accordance with the Privacy Act of 1974 and OMB guidance, the Confidential Information Protection and Statistical Efficiency Act of 2002 and OMB guidance, and to statutes and regulations pertaining to management of Federal records, and other relevant statutes, Executive Orders, Presidential Directives, and policies.

18. Authorities and References82

a. Privacy Act of 1974 (5 U.S.C. § 552a), December 1974.

b. E-Government Act of 2002 (44 U.S.C. chapters 35 and 36), December 2002.

c. Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35), December 2014.

d. Intelligence Reform and Terrorism Prevention Act of 2004 (50 U.S.C. § 401 note), December 2004.

e. Executive Order 13556, Controlled Unclassified Information, November 2010.

f. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

g. Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.

h. Homeland Security Presidential Directive 20 (National Security Presidential Directive 51), National Continuity Policy, May 2007.

i. Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, February 2008.

j. National Communications System (NCS) Directive 3-10, Minimum Requirements for Continuity Communications Capabilities, July 2007.

k. National Institute of Standards and Technology Federal Information Processing Standards Publication 199 (as amended), Standards for Security Categorization of Federal Information and Information Systems.

l. National Institute of Standards and Technology Federal Information Processing Standards Publication 200 (as amended), Minimum Security Requirements for Federal Information and Information Systems.

m. National Institute of Standards and Technology Federal Information Processing Standards Publication 201 (as amended), Personal Identity Verification of Federal Employees and Contractors.

n. Committee on National Security Systems Instruction 1253 (as amended), Security Categorization and Control Selection for National Security Systems.

o. National Institute of Standards and Technology Special Publication 800-18 (as amended), Guide for Developing Security Plans for Federal Information Systems.

p. National Institute of Standards and Technology Special Publication 800-30 (as amended), Guide for Conducting Risk Assessments.

q. National Institute of Standards and Technology Special Publication 800-37 (as amended), Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

r. National Institute of Standards and Technology Special Publication 800-39 (as amended), Managing Information Security Risk: Organization, Mission, and Information System View.

s. National Institute of Standards and Technology Special Publication 800-47 (as amended), Security Guide for Interconnecting Information Technology Systems.

t. National Institute of Standards and Technology Special Publication 800-53 (as amended), Security and Privacy Controls for Federal Information Systems and Organizations.

u. National Institute of Standards and Technology Special Publication 800-53A (as amended), Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans.

v. National Institute of Standards and Technology Special Publication 800-59 (as amended), Guideline for Identifying an Information System as a National Security System.

w. National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories.

x. National Institute of Standards and Technology Special Publication 800-63 (as amended), Electronic Authentication Guideline.

y. National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

z. National Institute of Standards and Technology Special Publication 800-137 (as amended), Information Security Continuous Monitoring for Federal Information Systems and Organizations.

aa. National Institute of Standards and Technology Special Publication 800-160 (as amended), Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.

bb. National Institute of Standards and Technology Special Publication 800-161 (as amended), Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

cc. National Institute of Standards and Technology Special Publication 800-162 (as amended), Guide to Attribute Based Access Control (ABAC) Definition and Considerations.

dd. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (as amended).

ee. National Institute of Standards and Technology Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management (as amended).

19. Definitions

a. The terms 'Agency', 'Executive Agency', 'Federal information,' 'Federal information system,' 'information resources management', 'information security,' 'personally identifiable information,' and 'senior agency official for privacy' are defined in the main body of this Circular.

b. 'Adequate security' means security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

c. 'Authorization' means the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.

d. 'Authorization boundary' means all components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.83

e. 'Authorization official' means a senior Federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation.

f. 'Authorization package' means the essential information that an authorizing official uses to determine whether or not to authorize the operation of an information system or the use of a designated set of common controls. At a minimum, the authorization package includes the security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.

g. 'Breach' means the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.

h. 'Common control' means a security or privacy control that is inherited by multiple information systems.

i. 'Controlled unclassified information' means information that requires safeguarding or dissemination controls pursuant to and consistent with statutes, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

j. 'Critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health safety, or any combination of those matters (42 U.S.C. § 5195c(e)).

k. 'Environment of operation' means the physical, technical, and organizational setting in which an information system operates.

l. 'Hybrid control' means a control that is implemented in an information system in part as a common control and in part as a system-specific control.

m. 'Information security architecture' means an embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, information security systems, personnel, and organizational subunits, showing their alignment with the enterprise's mission and strategic plans.

n. 'Information security continuous monitoring' means maintaining ongoing awareness of information security, vulnerabilities, and threats to support agency risk management decisions.84

o. 'Information security program plan' means a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. The information security program plan and the privacy program plan may be integrated into one consolidated document.

p. 'Information system resilience' means the ability of an information system: to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and to recover to an effective operational posture in a time frame consistent with mission needs.

q. 'Initial authorization' means the initial (start-up) risk determination and risk acceptance decision based on a zero-base review of the information system conducted prior to its entering the operations/maintenance phase of the system development life cycle. The zero-base review includes an assessment of all security and privacy controls (i.e., system-specific, hybrid, and common controls) contained in a security plan or in a privacy plan and implemented within an information system or the environment in which the system operates.

r. 'National security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy (44 U.S.C. § 3552).

s. 'Ongoing authorization' means the risk determinations and risk acceptance decisions subsequent to the initial authorization, taken at agreed-upon and documented frequencies in accordance with the agency's mission/business requirements and agency risk tolerance. Ongoing authorization is a time-driven or event-driven authorization process whereby the authorizing official is provided with the necessary and sufficient information regarding the security and privacy state of the information system to determine whether or not the mission/business risk of continued system operation is acceptable.

t. 'Overlay' means a specification of security and/or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines.The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. (See "tailoring" definition.)

u. 'Privacy continuous monitoring' means maintaining ongoing awareness of privacy risks and assessing privacy controls at a frequency sufficient to ensure compliance with applicable requirements and to adequately protect personally identifiable information.

v. 'Privacy control' means the administrative, technical, and physical safeguards employed within agencies to protect and ensure the proper handling of personally identifiable information or prevent activities that create privacy risk.

w. 'Privacy control assessment' means the testing or evaluation of privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements for an information system or organization.

x. 'Privacy program plan' means a formal document that provides an overview of the privacy requirements for an agency-wide privacy program and describes the program management controls and common controls in place or planned for meeting those requirements. The privacy program plan and the information security program plan may be integrated into one consolidated document.

y. 'Privacy plan' means a formal document that provides an overview of the privacy requirements for an information system or program and describes the privacy controls in place or planned for meeting those requirements. The privacy plan and the security plan may be integrated into one consolidated document.

z. 'Reauthorization' means the risk determination and risk acceptance decision that occurs after an initial authorization. In general, reauthorization actions may be time-driven or event-driven; however, under ongoing authorization, reauthorization is typically an event-driven action initiated by the authorizing official or directed by the Risk Executive (function) in response to an event that drives information security or privacy risk above the previously agreed-upon agency risk tolerance.

aa. 'Resilience' means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

bb. 'Risk' means a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

cc. 'Risk management' means the program and supporting processes to manage information security and privacy risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

dd. 'Risk response' means accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the Nation.

ee. 'Security category' means the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on agency operations, agency assets, individuals, other organizations, and the Nation.

ff. 'Security control' means the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

gg. 'Security control assessment' means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

hh. 'Security control baseline' means the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

ii. 'Security plan' means a formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The security plan and the privacy plan may be integrated into one consolidated document.

jj. 'Supply chain' means a linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.

kk. 'Supply chain risk management' means the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of information and communications technology product and service supply chains.

ll. 'System-specific control' means a control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an information system.

mm. 'Systems security engineering' means a specialty engineering discipline of systems engineering. It applies scientific, mathematical, engineering, and measurement concepts, principles, and methods to deliver, consistent with defined constraints and necessary trade-offs, a trustworthy asset protection capability that: satisfies stakeholder requirements; is seamlessly integrated into the delivered system; and presents residual risk that is deemed acceptable and manageable to stakeholders.

nn. 'Tailoring' means the process by which security control baselines are modified by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning specific values to agency-defined control parameters; supplementing baselines with additional controls or control enhancements; and providing additional specification information for control implementation. The tailoring process may also be applied to privacy controls. (See "overlay" definition.)

oo. 'Trustworthiness' means the degree to which an information system can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across a full range of threats.

pp. 'Trustworthy information system' means a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

Footnotes

  • 58 Agencies should consult OMB policies on privacy, including Appendix I to this Circular and OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.
  • 59 Refer to NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, for additional information.
  • 60 The requirements in this section represent those areas deemed to be of fundamental importance to the achievement of effective agency information security programs and those areas deemed to require specific emphasis by OMB. The security programs developed and executed by agencies need not be limited to the aforementioned areas but can employ a comprehensive set of safeguards and countermeasures based on the principles, concepts, and methodologies defined in the suite of NIST standards and guidelines.
  • 61 When common controls protect multiple agency information systems of differing impact levels, the controls shall be implemented with regard to the highest impact level among the systems. If such controls cannot be implemented at the highest impact level of the information systems, agencies shall factor this situation into their assessments of risk and take appropriate risk mitigation actions (e.g., adding security controls, changing assigned values of security control parameters, implementing compensating controls, changing certain aspects of mission/business processes, or separating the higher impact system into its own domain where it can be afforded appropriate levels of protection).
  • 62 The ISCM strategy and PCM strategy may be integrated into one consolidated continuous monitoring strategy.
  • 63 The ISCM program and PCM program may be integrated into one consolidated continuous monitoring program.
  • 64 Pursuant to the Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35).
  • 65 The Federal Information Security Modernization Act (44 U.S.C. chapter 35) requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.
  • 66 NIST Special Publication 800-53 provides information on additional security safeguarding measures.
  • 67 Includes hardware, software, or firmware components no longer supported by developers, vendors, or manufacturers through the availability of software patches, firmware updates, replacement parts, and maintenance contracts. NIST Special Publication 800-53 provides additional guidance on unsupported software components.
  • 68 Security-relevant software and firmware updates include, for example, patches, service packs, hot fixes, device drivers, basic input output system (BIOS), and antivirus signatures.
  • 69 Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.
  • 70 Digital signatures can mitigate a variety of security vulnerabilities by providing authentication and non-repudiation capabilities, and ensuring the integrity of Federal information whether such information is used in day-to-day operations or archived for future use.
  • 71 NIST Special Publication 800-162 provides additional information on attribute-based access control.
  • 72 DNSSEC is a critical component of the Internet infrastructure. DNSSEC enables clients to cryptographically verify that each such translation is provided by a server with the authority to do so, and that the translation response from the server was not modified before reaching the client.
  • 73 Pursuant to the Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35).
  • 74 Pursuant to the Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35).
  • 75 The risk executive function is an individual or group within an agency that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an agency-wide perspective with regard to the overall strategic goals and objectives of the agency in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across theagency, reflects the agency's risk tolerance, and is considered along with other agency risks affecting its missions or business functions.
  • 76 The head of the agency is the highest-level senior official or executive within an agency with the overall responsibility to provide information security protections commensurate with the risk and magnitude of harm (i.e., impact) to organizational operations and assets, individuals, other organizations, and the Nation. It is possible for the head of the agency to serve as the Authorizing Official and, in those situations, the decision to authorize a system to operate is final.
  • 77 For additional information on Ongoing Authorization and its relationship to initial authorization and reauthorization, refer to NIST Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management.
  • 78 NIST Special Publication 800-37 provides guidance on joint and leveraged security authorizations.
  • 79 NIST FIPS 201 provides additional information on use of Personal Identity Verification credentials.
  • 80 "Other partners" may include contractors not subject to the NIST FIPS 201 identity standard.
  • 81 NIST Special Publication 800-63 provides additional guidance on identity assurance.
  • 82 OMB policy documents can be located at https://www.whitehouse.gov/omb/circulars_default and https://www.whitehouse.gov/omb/memoranda_default. References in this section without specific publication dates or revision numbers are assumed to refer to the most recent updates to those publications.
  • 83 Agencies have significant flexibility in determining what constitutes an information system and its associated boundary.
  • 84 The terms continuous and ongoing in this context mean that security controls and agency risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect agency information.