NIST
INFORMATION TECHNOLOGY SECURITY
Sections
11.02.06 DELEGATION OF AUTHORITY
11.02.07a – NIST Director
11.02.07b – NIST Chief Information Officer
11.02.07c – NIST IT Security Officer/Senior Agency Information Security Officer
11.02.07d – NIST Human Capital Officer, Human Resources Management Division
11.02.07e – NIST Office of the Chief Facilities Management Officer
11.02.07f – NIST Chief Officers/Operating Unit Directors
11.02.07g – Authorizing Official and Co-Authorizing Official
11.02.07h – OU IT Security Officer
11.02.07i – System Owner
11.02.07j – Information Owner
11.02.07k – Information System Security Officer
11.02.07l – Certification Agent
11.02.07m – Acquisition Management Division – Bureau Procurement Office
11.02.07n – Acquisition, Procurement and Contracting Officers
11.02.07o – Contracting Officer Technical Representative
11.02.07p – Supervisor
11.02.07q – Account, Application, Database, Network and System Administrators
11.02.07r – Software, Application, and System Developers and Programmers
11.02.07s – Key Contingency Roles
11.02.07t – Users
11.02.07u – IT Security Working Group
11.02.07v – DOC Office of Security at NIST
11.02.07w – Office of General Counsel
11.02.07x – Privacy Officer/Freedom of Information Act Officer
11.02.07y – Office of Inspector General
11.02.08 ENFORCEMENT
11.02.01
PURPOSE
The Department of Commerce (DOC) Information Technology Security Program
Policy (ITSPP) defines information technology (IT) security policy for
the Department and its Operating Units including NIST. The content
within this subchapter specifies NIST program level IT security policy
requirements in accordance with, and supplemental to, the DOC ITSPP.
The DOC ITSPP is available online at http://home.commerce.gov/CIO/ITSITnew/IT_Security_Program_Documentation.html.
The ITSPP, Commerce Interim Technical Requirements (CITRs), this subchapter, and associated supplemental IT security policies define the minimum IT security requirements for NIST and are directly aligned with Federal Information Processing Standards (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems”; FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”; NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”, and other federal IT security standards and guidance.
Management, operational, and technical IT security requirements are aligned with the seventeen (17) control families specified in FIPS 200 and SP 800-53, and are documented in the DOC ITSPP, section 4.0 “Baseline Security Controls”. NIST supplemental requirements are developed by the NIST Chief Information Officer (CIO) and the NIST IT Security Officer/Senior Agency Information Security Officer (ITSO/SAISO), and are maintained in the NIST IT Security Management Handbook, available online at: http://www-i.nist.gov/cio/itsd/pp_nist/index.htm.
This subchapter and related supplemental IT security policies have four
main goals:
1. Ensure the availability, confidentiality, and integrity of NIST
computing resources and data.
2. Ensure that IT security is implemented using a risk-based decision
process in a cost-effective manner.
3. Ensure management accountability for protecting NIST computing resources
and data.
4. Ensure user accountability for the secure use of computing resources
and data.
11.02.02
BACKGROUND
NIST’s mission is dependent on the confidentiality, integrity, and
availability of information and IT resources. IT security supports the
NIST mission by ensuring that information and IT resources are protected
against risks of unauthorized disclosure, unauthorized or unintentional
modification, or misuse. Further, reliance on technology as part of the
routine business model has significantly increased, which requires assurance
that information and technological resources are available to meet mission
requirements.
As the NIST mission includes both administrative and scientific elements,
and includes a wide variety of IT resources supporting these elements,
a risk management approach that takes this into account is essential to
the success of administering IT security at NIST.
11.02.03
SCOPE
This subchapter applies to all NIST information systems, data, facilities,
NIST employees, NIST associates, users 1/, and IT resources, regardless
of ownership, used to support NIST programs.
The term "IT security", as used in this subchapter, encompasses the full range of management, operational and technical security controls. Security controls may include physical measures, and administrative procedures applied to networks, software, data/information, and/or users.
Classified information systems used in support of NIST programs must be secured in coordination with the NIST ITSO/SAISO and the DOC Office of Security (OSY), and according to the classifying authority's requirements.
1/ Per DOC ITSPP, users are defined as: individuals having
non-public access to DOC information and/or technological resources. This
includes those who may only have physical access within DOC facilities,
or those who may only have access to shared technological resources.
11.02.04
LEGAL AUTHORITY
The following laws, mandates and standards reference relevant legal
authority. This subchapter aligns with current and future versions
or amendments of:
Federal Information Security Management Act of 2002 (FISMA);
Office of Management and Budget (OMB) Circular A-130, Appendix III;
FIPS 140-2, Security Requirements for Cryptographic Modules;
FIPS 199, Standards for Security Categorization of Federal Information
and Information Systems;
FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems;
DOC Department Administrative Order 202-751;
DOC ITSPP; and
NIST SP 800-53, Recommended Security Controls for Federal Information
Systems and Organizations.
11.02.05
POLICY
11.02.05a - General
The NIST CIO is responsible for maintaining an IT security program that defines, implements, and manages the overall NIST IT security strategy, and for ensuring that it is aligned with DOC policies, federal laws, regulations, and standards.
11.02.05b - Scoping
IT security must be commensurate with the impact level of an information system; it must take into account existing threats, vulnerabilities, and risks, and consider the value of NIST information and technological resources, cost effectiveness, the overall security environment of the organization, and, given interconnectivity, the Federal Government. To ensure that IT security is applied consistently and commensurate with risk levels, all information systems:
• Shall be assigned an impact level rating of low, moderate, or high, in accordance with FIPS 199 and approved by the NIST ITSO/SAISO for NIST-wide consistency;
• Shall use the security controls baseline defined in NIST SP 800-53, supplemented by the DOC ITSPP and the NIST IT Security Management Handbook; and
• Shall be regularly assessed using processes defined in NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems”, supplemented by the DOC ITSPP and the NIST IT Security Management Handbook.
NIST employees, NIST associates, and users shall adhere to the requirements and fulfill their responsibilities as specified in the DOC ITSPP, this subchapter, and the NIST IT Security Management Handbook.
Scoping 2/ provides specific terms and conditions on the applicability and implementation of NIST SP 800-53 security controls. In addition, scoping may be applied to controls that fall outside of the NIST SP 800-53 framework (e.g., DOC criteria) for which waivers are not required by the NIST CIO. The Information System Security Officer (ISSO), Operating Unit (OU 3/) ITSO, and NIST ITSO/SAISO can address questions regarding controls.
2/ As defined by NIST SP 800-53: Scoping guidance provides organizations with specific terms and conditions on the applicability and implementation of individual security controls in the security control baselines. Application of scoping guidance helps to ensure that organizations implement only those controls that are essential to providing the appropriate level of protection for the information system based on specific mission/business requirements and particular environments of operation. There are several scoping considerations within NIST SP 800-53 which can potentially affect how the baseline security controls are applied and implemented by organizations.
3/ In this document, the term Operating Unit or OU is used generically to refer to top-level organizations at NIST, i.e., laboratories, user facilities, extramural programs, and chief offices. References to “OU” in DOC ITSPP excerpts refer to DOC operating units, which for the purposes of this document equates to NIST.
11.02.05c - Waivers
Authorizing Officials (AOs) have the flexibility to tailor security control baselines in accordance with the terms and conditions set forth in the Scoping Guidance section of NIST SP 800-53, as do System Owners (SOs) (subject to acceptance of associated risks by AOs).
AOs may approve the tailoring of security control baselines. However, depending on the current security posture or issue, some controls may require a waiver. In such instances, requests shall be submitted to the NIST CIO (or delegate), through the NIST ITSO/SAISO. The DOC CIO has the discretion to elevate the waiver approval process to the level of the DOC Departmental Office of the CIO when actions or controls are identified that affect department-wide security. Waiver requests required to be submitted to the DOC CIO must first be approved by the NIST CIO, and shall describe the controls that cannot be fully implemented, the compensating controls in place, and the operational or mission requirements that justify the basis for requesting the waiver. Corrective action items shall be specified in the waiver requests, if appropriate. Plans of Action and Milestones (POA&Ms) shall be used to track and manage the implementation of corrective action items. Waivers will be reviewed on a case-by-case basis and responses may include approval with conditions to mitigate associated risks.
11.02.06
DELEGATION OF AUTHORITY
The NIST Director has delegated to the CIO the authority to approve
NIST IT policy. Authority is further delegated by the NIST CIO to
the NIST OUs so that they may develop and maintain OU specific IT security
policies, so long as they are no less restrictive and are not in conflict
with DOC and NIST IT security policies. NIST SOs may develop and
maintain system-specific security policies, so long as they are no less
restrictive and are not in conflict with DOC, NIST, and their respective
OU IT security policies.
11.02.07
RESPONSIBILITIES
NIST employees, NIST associates, and system users with specific security
roles and responsibilities hold individual and collective responsibility
for the security of NIST information and IT resources.
The following identifies specific security roles and responsibilities associated with NIST management, employees, associates and system users of NIST information and IT resources. Text identified within the boxes is derived directly from the DOC ITSPP:
11.02.07a - NIST Director
DOC ITSPP: The head of each OU or departmental office, in consultation with the Servicing Human Resources Office (SHRO), shall ensure that each position is designated at the appropriate level of sensitivity and/or risk in accordance with the DOC Security Manual, Chapter 10. Heads of OUs shall assign responsibilities based on management responsibility. They shall also ensure that this designation is clearly stated in the position description so that the OSY can perform the appropriate background investigation.
o Hold NIST Chief Officers and OU Directors accountable for the security of the information systems under their control;
o Appoint a NIST CIO;
o Ensure that appropriate levels of security are applied to all NIST information systems;
o Ensure that NIST has an established IT security program; and
o Allocate sufficient resources necessary for the protection of NIST information systems.
11.02.07b - NIST Chief Information Officer (CIO)
DOC ITSPP: OU CIOs shall examine the interdependencies and interconnections of IT resources and provide for the separation of duties, including sufficient supervision and coordination among System Owners (SOs). The responsibilities of the CIO are generally defined in NIST SP 800-37. The OU CIO shall coordinate with the DOC CIO, CISO/SAISO, Director of OITSIT, CRMO, and CIPM to:
o Respond, directly or through delegated authority, to waiver requests within thirty (30) calendar days unless the request is elevated to DOC, in which case the timing will be determined by DOC;
o Maintain a Top Secret/Sensitive Compartmented Information (TS/SCI) clearance;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Manage and coordinate IT-related Disaster Recovery (DR) activities;
o Change the operating status of any NIST information system not being managed or operated according to NIST IT security policy or in the event of an IT security related incident;
o Issue and mandate new IT security requirements with minimal vetting (primarily in limited situations where elevated risks warrant); and
o Serve as the NIST Privacy Officer with the following responsibilities:
11.02.07c - NIST IT Security Officer/Senior Agency Information Security Officer (ITSO/SAISO)
DOC ITSPP: The OU ITSO is the CISO/SAISO appointed by the OU CIO. An OU CISO/SAISO is responsible for ensuring that the appropriate operational security posture is maintained for information systems and programs under their OU’s control. The OU CISO/SAISO reports to the DOC CISO/SAISO, through the OU CIO. In contrast, a Line Office (LO) ITSO has responsibility for the IT Security Program within their major subordinate component. The OU CISO/SAISO serves as the principal advisor to the AO, SO, LO ITSO and DOC CISO/SAISO on all matters (technical and otherwise) involving the security of the OU’s IT systems, and maintains a copy of each Security Accreditation Package (SAP) for use in performing required IT security monitoring and reporting responsibilities. The responsibilities of the OU CISO/SAISO are generally defined in NIST SP 800-37. Additionally, the OU CISO/SAISO/ITSO shall:
• Develop and maintain the OU IT Security Policy, procedures, standards, and guidance consistent with Departmental and Federal requirements;
• Conduct continuous monitoring of the OU’s IT Security Program annually to ensure effective implementation of, and compliance with, established policies and procedures;
• Establish a process to ensure that all users are provided annual information system security training, copies of Rules of Behavior (RoB), and are trained to fulfill their IT security responsibilities including procedures for general and specialized training;
• Notify SOs of user infractions identified during routine compliance assessments;
• Participate as a voting member of the ITSCC, participate in special committees under the ITSCC, and provide other support for the ITSCC as appropriate; and,
• Coordinate with the Director of the OITSIT, OU CIO and CIPM, as appropriate, concerning incidents and potential threats.
o Advise the CIO on matters related to IT security, threats, vulnerabilities, and risks;
o Maintain a TS/SCI clearance and ensure that an appropriate subset of IT security support staff have Secret or higher clearances, as warranted to fulfill their roles;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Manage the NIST IT security awareness, training, and education program;
o Lead planning and budgeting of IT security functions;
o Communicate security requirements to NIST management and other staff having IT security responsibilities, serving as a resource on effective IT security practices (e.g., developing security plans, assessing risk, planning and testing for contingencies, implementing security controls, performing continuous monitoring, developing IT security policies and procedures);
o Manage the NIST IT security Certification and Accreditation (C&A) program;
o Manage the POA&M process;
o Manage and oversee NIST network security and vulnerability monitoring and remediation activities;
o Lead and coordinate IT-related aspects of investigations involving suspected misuse of IT resources at NIST. In cases that involve Office of the Chief Information Officer (OCIO) staff, a team independent of the OCIO will lead investigations using OCIO’s methodology;
o Remove any information system, or sub-component(s) thereof, from the NIST network in the event of a security incident or the discovery or threat of a vulnerability that warrants immediate action;
o Issue and mandate new IT security requirements with minimal vetting (primarily in limited situations where elevated risks warrant); and
o Manage NIST IT security incident response activities. IT Security Incident Response Personnel have the following responsibilities:
DOC ITSPP: The IT Security Incident Response Personnel responsibilities include: analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, coordinating incident response activities, interacting with the DOC Federation of Computer Incident Response Teams (FedCIRTs) and others to disseminate reasoned and actionable cyber security information as necessary. These responsibilities include assuring that coordination with the US-CERT and appropriate authorities occurs as necessary.
11.02.07d - NIST Chief Human Capital Officer (CHCO), Human Resources Management Division (HRMD)
As it relates to the security of IT resources, the CHCO has the following responsibilities:
DOC ITSPP: The Office of Human Resources Management (OHRM) maintains the memorandum of agreement between the National Finance Center (NFC) and DOC. The MOU is for the NFC to provide services for maintaining the NFC database with DOC employee information. This database may be utilized for maintaining a credentials management system and authorization of individual employee physical access controls at the OU. The NFC database manages personnel information used to perform background checks and other investigative information. In addition, the NFC database may be used to document the status of personnel access to information resources (e.g., employment status). The NFC database is a resource used in conjunction with OSY resources to maintain the status of physical access credentials such as building passes and badges for employees and contractors. This database consists of Privacy Act information which must be maintained consistent with PA requirements and can only be disclosed pursuant to disclosure provisions of the PA. SHRO manages the human resources records for all OU personnel. The responsibilities of SHRO for the maintenance of security of IT resources include:
• Providing timely and accurate information concerning personnel hiring, transfer, and termination to the OU CISO/SAISO/ITSO;
• Assisting in the administration of IT Security Awareness training for new employees in accordance with the DOC Manual of Security Policies and Procedures, Chapter 3;
• Maintaining records concerning personnel security violations if resulting in disciplinary action;
• Maintaining position descriptions for all positions within serviced area;
• Developing and providing guidance on procedures for disciplinary and/or adverse action due to IT security violations; and,
• Maintaining personnel records containing the status of background checks and investigations of all personnel in accordance with the DOC Manual of Security Policies and Procedures, Chapter 11.
o Assist NIST supervisors to ensure that position designation is at the appropriate level of sensitivity and/or risk.
11.02.07e - NIST Office of the Chief Facilities Management Officer (CFMO)
As it relates to the security of IT resources, the CFMO is responsible for planning, organizing, directing, and managing physical security and environmental protection activities in accordance with the DOC ITSPP section 4.11, Physical and Environmental Protection.
11.02.07f - NIST Chief Officers/Operating Unit (OU) Directors
Chief Officers and OU Directors are directly responsible for the security of the system(s) under their purview and have the following responsibilities:
o Support the NIST Director, NIST CIO, and NIST ITSO/SAISO in implementing the NIST IT security program;
o Ensure that their organization’s information systems are developed and operated in full compliance with DOC and NIST policies;
o Hold their organization’s management and staff accountable for the security of the information systems under their control and for compliance with NIST IT security policies;
o Account for IT security in capital investment plans; these plans must include all resources (e.g., labor, hardware, software, maintenance) for procurement, maintenance, retirement, and replacement of all OU information systems;
o Allocate sufficient resources necessary for the protection of the systems under their control;
o Ensure that OU positions requiring specialized security responsibilities are held by NIST employees or associates who have sufficient training and education qualifications and who have passed the appropriate background investigations;
o Appoint an OU ITSO and alternate. In cases where the OU is located in both Gaithersburg and Boulder, an OU ITSO shall be appointed for each location. Depending on the size of the organization in each location, a local ISSO can serve as adviser to an OU ITSO that represents both locations;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Designate an SO for each information system within the OU; this individual will be identified as such in the C&A System Security Plan (SSP) documentation associated with each information system;
o Change the operating status of an information system, within the OU, not being managed according to NIST IT security policy or in the event of an IT security related incident; and
o Serve as the Co-AO for information systems in the OU (along with the CIO who co-authorizes all OU information systems), with associated responsibilities outlined below.
11.02.07g - Authorizing Official (AO) and Co-Authorizing Official (Co-AO)
NIST Chief Officers and/or OU Directors are the designated approving authority (accepting operating risk) for their respective OU information systems. The CIO co-authorizes all NIST OU information systems and has ultimate responsibility for the enterprise-wide purview. NIST AOs are responsible for the following:
DOC ITSPP: The responsibilities of the AO are generally defined in NIST SP 800-37. The role of AO or Co-AO is commonly the DOC CIO for the Department and the OU CIO for their respective OU. AOs/Co-AOs must have the authority to oversee the budget and business operations of the information system within the DOC. The AO has the authority to assume responsibility for operating an information system at an acceptable level of risk to operations, assets, or individuals by granting an Authorization to Operate (ATO), Interim Authorization to Operate (IATO), or Deny Authorization to Operate (DATO) as defined in NIST SP 800-37. The AO shall approve system security requirements, System Security Plans (SSPs), Interconnection Security Agreements (ISAs), and Memorandums of Agreements (MOAs) and/or Memorandums of Understanding (MOUs).
With the increasing complexities of missions and organizations, it is possible that a particular information system may involve multiple AOs. If so, agreements should be established among the AOs and documented in the SSP. In most cases, it will be advantageous to agree to a Lead AO to represent the interests of the other AOs. The AOs can also delegate an Authorizing Official Designated Representative (AODR).
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained.
11.02.07h - OU IT Security Officer (ITSO)
OU ITSOs assist in the implementation of the NIST IT Security Program. Specifically, primary and alternate OU ITSOs have the following responsibilities within their respective OUs:
o Maintain a clearance level of Secret with a position sensitivity of non-critical sensitive;
o Recommend to the respective Chief Officer or OU Director how best to implement the NIST IT Security Program and policy within their organization;
o Coordinate the implementation of the NIST IT Security Program within their organization (including but not limited to coordinating C&A activities);
o Serve as primary point of contact for IT security related issues for the organization and act as a liaison to the NIST ITSO/SAISO;
o Communicate IT security requirements to NIST OU management and staff, and serve as a resource on IT security practices;
o Participate in the development and implementation of IT security policies, procedures, and guidance for NIST;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Assist in incident response activities in cooperation with and under direction of the SO, ISSO and NIST ITSO/SAISO (or delegate);
o Assist the OU SOs in developing and maintaining C&A documentation for each system, including a SSP, asset inventory, contingency plan, etc.;
o Assist with assessing risk, planning and testing for contingencies, implementing security controls, performing continuous monitoring, and as necessary, developing system-specific policies and procedures;
o Promote security awareness and facilitate managing general and specialized training requirements within the OU; and
o Remove any OU information system, or sub-component(s) thereof, from the NIST network in the event of a security incident or the discovery or threat of a vulnerability that warrants immediate action.
11.02.07i - System Owner (SO)
Each information system must have an SO. Typically, Division Chiefs or more senior managers are SOs and have the following responsibilities for the security of the system(s) under their purview:
DOC ITSPP: The responsibility of the SO, as defined by NIST SP 800-37, is the overall procurement, development, integration, modification, or operation and maintenance of an information system. The SO is responsible for the development and maintenance of the SSP and ensures the system is deployed and operated according to the agreed-upon security requirements. The SO is also responsible for deciding who has access to the information system (and with what types of privileges or access rights) and ensures that system users and support personnel receive the requisite security training (e.g., instruction in RoB). The SO informs key agency officials of the need to conduct a security C&A of the information system, ensures that appropriate resources are available for the effort, and provides the necessary system-related documentation to the Certification Agent (CA). The SO receives the security assessment results from the CA. After taking appropriate steps to reduce or eliminate vulnerabilities, the SO assembles the SAP and submits the package to the AO or the AODR for adjudication.
o Ensure that appropriate security controls are applied to the IT system (including interconnected systems) and that sufficient resources are assigned to maintain this level of security;
o Ensure that information systems are developed and operated in full compliance with DOC and NIST policies;
o Ensure that appropriate security requirements and disclosure agreements are included in the Statement of Work (SOW) for the acquisition of IT commodities and services;
o Develop and maintain C&A documentation for each system, including a system security plan, asset inventory, contingency plan, etc.;
o Assess risk, plan and test for contingencies, implement security controls, perform continuous monitoring, and, as necessary, develop and implement information system-specific policies and procedures;
o Define information system-specific requirements and enforce procedures to ensure that accountability is established and security violations are detectable;
o Account for IT security in capital investment plans; these plans must include all resources (e.g., labor, hardware, software, maintenance) for procurement, maintenance, and replacement of their information systems;
o Ensure that incidents involving their system are responded to and reported appropriately according to DOC and NIST IT security policies and procedures;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Ensure that system positions requiring specialized security responsibilities are held by NIST employees or associates with sufficient training, education qualifications and appropriate background investigations;
o Designate an ISSO and one or more System Administrators (SAs) for each information system; and
o Change the operating status of an information system, under their purview, not being managed or operated according to NIST IT security policy or in the event of an IT security related incident.
11.02.07j - Information Owner (IO)
Each information system must have an IO. The SO and the IO may be the same individual and will be noted in an approved SSP. IOs are responsible for the following:
DOC ITSPP: The responsibilities of the IO are generally defined in NIST SP 800-37. The IO has statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. NIST SP 800-37 (included to further describe the responsibilities of the IO): The information owner is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with other organizations. The owner of the information stored within, processed by, or transmitted by an information system may or may not be the same as the information system owner. Also, a single information system may utilize information from multiple information owners. Information owners should provide input to information system owners regarding the security requirements and security controls for the information systems where the information resides.
o Assist the SO in understanding the security impact levels associated with data processed or stored by the information system, and assist with developing and maintaining required security documentation as it pertains to how the data is accessed and used;
o Know the data and associated security impact levels for the data for which they are directly responsible, which applications use the data (i.e., how the data flows), and who administers such applications; and
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained.
11.02.07k - Information System Security Officer (ISSO)
DOC ITSPP: The responsibility of the ISSO, as defined by NIST SP 800-37, is to ensure the appropriate operational security posture is maintained for an information system or program. The ISSO also serves as the principal advisor to the OU CIO, OU CISO/SAISO/ITSO, and SO on all security matters for the information system. In close coordination with the SO, the ISSO often plays an active role in developing and updating the SSP as well as in managing and controlling changes to the system and assessing the security impact of those changes.
o Assist the SO in developing and maintaining C&A documentation for each system, including a system security plan, asset inventory, contingency plan, etc.;
o Assist with assessing risk, planning and testing for contingencies, implementing security controls, performing continuous monitoring, and as necessary, developing and implementing system-specific policies and procedures;
o Assist in the determination of an appropriate level of security commensurate with the level of impact;
o Monitor the system to ensure that adequate security levels are properly maintained;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained; and
o Assist in incident response activities in cooperation with and under direction of the SO, OU ITSO and NIST ITSO/SAISO (or delegate).
11.02.07l - Certification Agent (CA)
DOC ITSPP: The CA, as defined by NIST SP 800-37, is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The CA also provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system. Prior to initiating the security assessment activities that are a part of the certification process, the CA provides an independent assessment of the SSP to ensure the plan provides a set of security controls for the information system that is adequate to meet all applicable security requirements.
The CA may also be referred to as a security control assessor. CAs are responsible for the following:
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained.
Additional Roles
To ensure continuous collaboration and communication at multiple levels, the following organizations/positions contribute to IT security. Depending on the current NIST security posture, environment, or architecture, other forums, groups or roles are established to address or review a specific issue or subject area. NIST defines the following additional roles and assigns responsibilities to the individuals performing these roles:
11.02.07m - Acquisition Management Division (AMD) - Bureau Procurement Office (BPO)
DOC ITSPP: Each OU consults with its BPO during the development of IT system security acquisitions. Development of acquisition requirements is integral to the lifecycle process. The BPO obtains the OU’s requirements in the areas of technical features (e.g., access controls); personnel security (e.g., background checks for system developers); and operational practices (e.g., awareness and training) in the form of a statement of work prepared by the OU. After the OU has determined security features and requirements, and provided the Special Projects Office (SPO) with its Statement of Work (SOW), the SPO CO works with the Acquisition Team to ensure both the solicitation and contract award include the security requirements.
11.02.07n - Acquisition, Procurement and Contracting Officers (CO)
DOC ITSPP: COs are responsible for managing contracts/acquisitions. This includes overseeing their implementation, working in partnership with the SAISO to ensure that contracting policies adequately address the information and technology security requirements, and collaborating with the Contracting Officer's Technical Representatives (COTRs) to monitor contract performance for compliance with DOC, OU, and application-specific information security policies. COs shall ensure that:
• The DOC Information Security in Acquisitions Checklist is followed for new contracts within their responsibility.
• Any security clauses are developed and used in accordance with Departmental procurement policy, the Commerce Acquisition Regulation (CAR) and Federal Acquisition Regulation (FAR).
11.02.07o - Contracting Officer Technical Representative (COTR)
DOC ITSPP: The COTRs, also known as CORs, are responsible for collaborating with the COs in evaluating the need for access to DOC information and/or technological resources, ensuring appropriate background investigation clearances prior to access, and monitoring such access throughout the contract term. Specifically, the COTRs/CORs shall:
• Ensure foreign nationals will only be granted access to or perform duties on IT systems in accordance with the DOC Security Manual and DAO 207-12;
• Notify SOs of new users and notify them to revoke access privileges in a timely manner when a user under their supervision or oversight no longer requires access privileges or he/she fails to comply with this policy; and,
• Authorize remote access privileges for personnel and review remote access user security agreements on an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement (e.g., systems authorized for access, and type and version of antivirus software and personal firewall).
o Define the official position risk designations for NIST contractors according to DOC ITSPP, DOC OSY, and NIST IT security requirements and guidance;
o Coordinate, as necessary, with OSY to ensure that contracts have appropriate IT security risk designations and contractors have appropriate background investigations;
o Include appropriate IT security requirements within relevant contract statements;
o Coordinate, as necessary, the completion of the Information Security in Acquisitions Checklist; and
o Coordinate obtaining all IT security related documentation for information systems developed, managed, or hosted at non-NIST facilities.
11.02.07p - Supervisor
DOC ITSPP: The responsibilities of a Supervisor encompass the management of subordinate users, which includes assessing, authorizing, and managing the need for access to the DOC information and/or technological resources, and taking immediate action if misuse is suspected or confirmed as defined under user responsibilities and OU and/or application-specific agreements. Specifically, Supervisors shall:
• Ensure foreign nationals will only be granted access to or perform duties on IT systems in accordance with the DOC Security Manual and DAO 207-12;
• Notify SOs of new users and notify them to revoke access privileges in a timely manner when a user under their supervision or oversight no longer requires access privileges or he/she fails to comply with this policy; and,
• Authorize remote access privileges for personnel and review remote access user security agreements on an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement (e.g., systems authorized for access, and type and version of antivirus software and personal firewall).
o Assign and document official position risk/sensitivity designations for NIST employees according to DOC ITSPP, DOC OSY, and NIST IT security and other relevant requirements and guidance.
11.02.07q - Account, Application, Database, Network and System Administrators (SA)
DOC ITSPP: Account, Application, Database, Network and System Administrators, under the Supervisor/SO direction and specifications, are responsible for implementing IT security controls, OU-specific and application-specific policies, which minimally includes involvement of Developers and Programmers for routine testing.
o Assist the SO and ISSO with maintaining asset inventories, testing for contingencies, implementing security controls, performing continuous monitoring, and implementing system-specific policies and procedures;
o Monitor information systems to ensure that adequate security levels are properly maintained;
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained;
o Assist in incident response activities in cooperation with and under direction of the SO, ISSO, OU ITSO and NIST ITSO/SAISO (or delegate); and,
o Assist in the development and maintenance of required security documentation and related activities (e.g., system administration and operational procedures/manuals).
11.02.07r - Software, Application, and System Developers and Programmers
DOC ITSPP: Developers and Programmers must implement IT security controls in systems and system components (including software) as specified by the Supervisor/SO to ensure compliance with IT security controls, OU-specific, and application-specific policies. This minimally includes involvement with User Representatives and in system certification activities, such as documentation of new system components and vulnerability testing, as well as adhering to change management guidelines.
o Develop in a secure manner through all phases of development following a method consistent with SP 800-64, “Security Considerations in the System Development Life Cycle” and SP 800-27, “Engineering Principles for Information Technology Security (A Baseline for Achieving Security)”; and
o Coordinate development activities with SO and ISSO to ensure required security capabilities are implemented and documented.
11.02.07s - Key Contingency Role
DOC ITSPP: Key contingency roles, such as those defined in COOP, Disaster Recovery, and IT Contingency Plans, have responsibilities to ensure that the respective plan is maintained, tested, integrated with other plans, is adequate in scope, and is relevant.
o Complete specialized training annually, or maintain relevant, approved professional certification to ensure the requisite skills, knowledge, and abilities are maintained.
11.02.07t - Users
DOC ITSPP: Users are defined as individuals having non-public access to DOC information and/or technological resources. This scope includes those who may only have physical access within DOC facilities, or those who may only have access to shared technological resources. All users must read, understand, and acknowledge understanding of OU and applicable application-specific policies. At a minimum, users shall:
• Complete IT Security refresher training annually;
• Understand OU property (or assets) for which they are responsible (i.e., printer, desktop, etc.);
• Know the type of information handled, and understand measures to protect it;
• Understand and be proactive in management of Federal electronic records, which extends to assurance of appropriate backups of user data;
• Cooperate with designated personnel during the investigation of incidents, compliance reviews, audits, and/or surveys regarding the security posture of the OU;
• Report suspected or confirmed security incidents (e.g., loss of Personally Identifiable Information (PII), virus or malicious code attacks) as procedurally defined by the OU;
• Obey copyrights and do not download, install, or access Peer-to-Peer (P2P) file sharing software;
• Understand that only SO-approved individuals are allowed to download and install OU-approved applications onto DOC IT resources;
• Understand the consequences of actions of misuse; and,
• Understand that all use and content of IT systems, including computers, may be monitored and reviewed for security purposes.
o Use NIST IT systems in a secure, responsible, and ethical manner;
o Abide by all applicable DOC, NIST, OU, and information system-specific IT security policies and procedures, including the NIST Policy on Information Technology Resources Access and Use; and
o Report incidents to their OU ITSO and the NIST ITSO/SAISO using the online web form located on the NIST IT Security Web page, http://www-i.nist.gov/cio/itsd/pp_nist/proc/proc_incidents.html.
11.02.07u - IT Security Working Group (ITSWG)
The ITSWG is a sub-committee of the IT Planning Board (ITPB) with the following responsibilities:
o Participate in the development and review of NIST IT security policies and procedures;
o Disseminate and discuss the status of current DOC and NIST IT security policies, procedures, services, and practices;
o Disseminate and discuss information on current threats and vulnerabilities; and
o Advise the NIST ITSO/SAISO on IT security related issues.
11.02.07v - DOC Office of Security (OSY) at NIST
DOC ITSPP: OSY is responsible for identifying, assessing, and managing mission-critical threats and providing guidance and services regarding the physical and environmental security controls that protect the DOC’s information system assets. Facility security and access are maintained by this office. These controls include ensuring the COOP development and continuity of government programs, security clearance management, and physical access control mechanisms. The OSY is responsible for:
• Physical security of facilities and equipment external to computers or telecommunication lines;
• Protection of national security information;
• Personnel security, including performance of background checks and security clearance investigations of personnel;
• Coordinating with the DOC CIPM on the physical security aspect of critical infrastructure protection;
• Emergency planning; and,
• Conducting investigations to identify and/or assess threats to the Department’s mission, operations, or activities and protect Department personnel, facilities, property, or assets, including IT-related incidents with a counterintelligence, criminal intelligence, protective intelligence, or counterterrorism nexus.
Further information is available in the Manual of Security Policies and Procedures (Chapters 1 and 2), and the appropriate Departmental directives (i.e., the DAO 207 series, Security and Loyalty).
11.02.07w - Office of General Counsel (OGC)/Office of the Chief Counsel for NIST
DOC ITSPP: The OGC reviews all policy, IT security requirements, and contract security clauses to ensure compliance with all applicable law and regulation. OGC helps by reviewing DOC IT security policies to ensure the policies are aligned with current legal requirements. OGC also reviews the legality of IT security contract clauses used by OAM in DOC contracts.
11.02.07x - Privacy Act Officer/Freedom of Information Act (FOIA) Officer
DOC ITSPP: Each OU Privacy Officer/FOIA Officer or equivalent is responsible for providing information on procedural issues involving the Privacy Act and addressing privacy concerns relative to their individual OU. The Office of General Counsel (OGC) provides guidance on all legal issues involving the Privacy Act.
o Provide information on policy and procedural issues involving the Privacy Act and address Privacy Act issues.
11.02.07y - Office of Inspector General (OIG)
DOC ITSPP: The OIG provides independent oversight through audit and evaluation of the Department's IT Security Program, in accordance with the Inspector General Act of 1978 (Public Law 95-452). In this capacity, the OIG conducts audits of financial system controls, and evaluates the Department’s compliance with FISMA requirements. The OIG also assists in the investigation of computer incidents that require coordination with external law enforcement agencies. Policies relating to these areas can be found in appropriate Departmental directives, e.g., DAO 207-10, Inspector General Investigations. Each OU CIO or OU CISO/SAISO/ITSO should maintain cooperative relationships with the OIG, including specific agreements and procedures covering incident response and forensics investigations if applicable. Incidents involving suspected fraud, waste, or abuse of government resources should be reported to the OIG Fraud Hotline for investigation.
11.02.08
ENFORCEMENT
Any use or access to any government equipment, material, information
or resources, including IT resources, that does not comply with DOC or
NIST policy, is unauthorized and prohibited. Unauthorized use
is punishable by disciplinary penalties as documented in the Department's
Table of Offenses and Penalties noted by Department Administrative Order
(DAO) 202-751.
Individuals involved with unauthorized use will also be subject to having
all computer account access suspended or terminated at the discretion of
their respective NIST management or the NIST CIO.
11.02.09
CONTENT OWNER
NIST, CIO, Division 180 – Office of the CIO
11.02.10
EFFECTIVE DATE
August 27, 2009
11.02.11
REFERENCES
Federal Information Processing Standard 140-2, Security Requirements
for Cryptographic Modules;
Federal Information Processing Standard 199, Standards for Security
Categorization of Federal Information and Information Systems;
Federal Information Processing Standard 200, Minimum Security Requirements
for Federal Information and Information Systems;
Department of Commerce, Information Technology Security Program Policy;
Department of Commerce, Interim Technical Requirements;
Department of Commerce, Office of Security, Manual of Security Policies
and Procedures;
NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security);
NIST Special Publication 800-37, Guide for the Security Certification
and Accreditation of Federal Information Systems;
NIST Special Publication 800-53, Recommended Security Controls for
Federal Information Systems and Organizations;
NIST Special Publication 800-53A, Guide for Assessing the Security
Controls in Federal Information Systems;
NIST Special Publication 800-60, Guide for Mapping Types of Information
and Information Systems to Security Categories: Volume 1 - Guide, Volume
2 – Appendices;
NIST Special Publication 800-64, Security Considerations in the System
Development Life Cycle;
NIST Administrative Manual; and
NIST Information Technology Security Handbook.
11.02.12
ACRONYMS
AMD - Acquisition Management Division
AO - Authorizing Official
AODR - Authorizing Official Designated Representative
ATO - Authorization to Operate
BPO - Bureau Procurement Office
C&A - Certification and Accreditation
CA - Certification Agent
CAR - Commerce Acquisition Regulation
CFMO - Chief Facilities Management Officer
CHCO - Chief Human Capital Officer
CIO - Chief Information Officer
CIPM - Critical Infrastructure Protection Manager
CISO - Chief Information Security Officer
CITR - Commerce Interim Technical Requirement
CO - Contracting Officer
Co-AO - Co-Authorizing Official
COOP - Continuity of Operations
COTR - Contracting Officer Technical Representative
CP - Contingency Plan
CRMO - Compliance and Risk Management Officer
DATO - Deny Authorization to Operate
DAO - Department Administrative Order
DOC - Department of Commerce
DOO - Department Organization Order
DR - Disaster Recovery
FAR - Federal Acquisition Regulation
FedCIRT - Federation of Computer Incident Response Teams
FIPS - Federal Information Processing Standards
FISMA - Federal Information Security Management Act
FOIA - Freedom of Information Act
HRM - Human Resources Management
IATO - Interim Authorization to Operate
IG - Inspector General
IO - Information Owner
ISA - Interconnection Security Agreement
ISSO - Information System Security Officer
IT - Information Technology
ITPB - Information Technology Planning Board
ITSO - Information Technology Security Officer
ITSCC - Information Technology Security Coordinating Committee
ITSPP - Information Technology Security Program Policy
ITSWG - Information Technology Security Working Group
LO - Line Office
MOA - Memorandum of Agreement
NFC - National Finance Center
NIST - National Institute of Standards and Technology
OAM - Office of Acquisition Management
OGC - Office of General Counsel
OHRM - Office of Human Resources Management
OIG - Office of Inspector General
OITSIT - Office of Information Technology Security, Infrastructure and Technology
OMB - Office of Management and Budget
OSY - Office of Security
OU - Operating Unit
P2P - Peer-to-Peer
PA - Privacy Act
PIA - Privacy Impact Assessment
PII - Personally Identifiable Information
PIN - Personal Identification Number
POA&M - Plan of Action and Milestone
RoB - Rules of Behavior
SA - System Administrator
SAISO - Senior Agency Information Security Officer
SAP - Security Accreditation Package
SCI - Sensitive Compartmented Information
SDLC - System Development Life Cycle
SHRO - Servicing Human Resources Office
SO - System Owner
SOW - Statement of Work
SP - Special Publication
SPO - Special Projects Office
SSP - System Security Plan
TS - Top Secret
US-CERT - United States-Computer Emergency Readiness Team