NMS Certification and Accreditation CA Removal of Material

  • Slides: 9
NMS Certification and Accreditation (C&A): Removal of Material Weakness for NMS Security and Access Controls

Jim Craft, USAID ISSO

NMS Security Requirements: FFMIA Report and OMB Circular A-130

Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB

  • USAID identified 10 material weaknesses, including NMS security and access controls, in its CY-1997 Report.
  • The Agency CFO indicated remedial actions would be completed within 3 years (by FY-2001).
  • “The material weakness resulted from the level at which controls are implemented in the system, the design of access controls implemented in the system, audit trails of system activity, user identification and password administration, and access to sensitive Privacy Act information.”

OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources

  • "Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications."
  • OMB Circular A-130 defines 4 new Federal agency requirements for managing and protecting their information resources:
      · Assigning responsibility for security
      · Completing security plans for general support systems and major applications
      · Periodically reviewing security controls
      · Authorizing processing

NMS C&A Tasks

1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. Certification and Accreditation (C&A) Policy Approved
5. Certification and Accreditation (C&A) Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training (Users, Administrators, and Managers)
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)

Certification and Accreditation Tasks 1 - 3

1. Conduct Risk Assessment
  • NMS Security Team (TAC 22) assisted by the ISS Team (TAC 07)
  • Establish risks for NMS operations at USAID/W, progressively including
      – PRIME, T-Hub Beltsville
      – 81 Foreign Missions
      – Communications with foreign missions via DTS-PO, VSAT, and Internet
  • Deliver report on risk assessment and recommendations
      – Could be done as part of Certification Report

2. Technical Fixes
  • 5 Key Security Vulnerabilities
  • Build Test Scenarios/Scripts - Certification

3. NMS Security Plan Actions
  • Review and approve remaining NMS Security Plan action items for implementation to bring NMS into compliance with security requirements from ADS, OMB A-130, FISCAM, and OIG Audit Reports. Initial action items include:
      – Implement NMS audit trails
      – Implement Operational and Management Change Procedures

Certification and Accreditation Tasks 4 - 8

4. C&A Policy Approved
  • Approve C&A Policy for NMS

5. C&A Plan
  • C&A Definition
  • C&A Verification
  • C&A Validation
      – Prepare Certification Report and Accreditation Recommendation for ISSO and IRM director approval
  • C&A Post Accreditation Support

6. Roles & Responsibilities Approved
  • Delegate accreditation authority for core financial systems to the CFO
  • Assign the accreditation of general support systems to the CIO
  • Assign responsibility to the Director, IRM, for ISSPP and general support systems
  • Assign authority and responsibility to the USAID ISSO for ISSPP implementation

7. Delegate Systems Security Manager
  • Designate a security official to implement NMS C&A

8. NMS Security Training
  • Provide security input into current NMS training for users, administrators, and managers

Certification and Accreditation Tasks 9 - 12

9. Certification by IV&V Contractor
  • CFO selects IV&V contractor
  • CFO reviews and accepts IV&V contractor

10. Security Accreditation of NMS by CFO
  • Authorize NMS for processing

11. Audit by OIG
  • Verify substantial removal of the NMS security and access controls material weakness

12. Executive Brief and Close NMS Security Material Weakness
  • Include removal of NMS Security material weakness in the FFMIA annual report.

Certification and Accreditation Implementation Schedule

[Schedule chart. Rows: C&A tasks 1 (Conduct Risk Assessment) through 12 (Executive Brief, Close NMS Security Material Weakness). Time axis: Feb through Sep 2000. Labels on the chart: NMS 4.81, NMS 4.82.]

Next Step: Implement Similar Process for IFMS

[Diagram. Labels as extracted: Authorization to Process; O.k.; ADS Policy; C&A; Implementation of NMS Sec. Plan; OIG; IV&V; FFMIA; AWACS; NMS; Cairo & San Salvador; Momentum; AID/W; IFMS; NMS. Date markers: 02-01, 05-01, 07-01, 10-01, 03-31. Years: 2000, 2001.]

Goal: Favorable OIG Audits and Reports to Congress

  • Confirmation of substantial removal of security material weakness by the Inspector General’s Office to the Administrator
  • FFMIA 2000 Report by the CFO to OMB asserting the removal of the security material weakness from 1997
  • Semiannual Report to Congress by the OIG confirming substantial removal of security material weakness