Appendix III
Responsibilities for Protecting Federal Information Resources
Agencies of the Federal Government depend on the secure acquisition, processing, storage, transmission, and disposition of information to carry out their core missions and business functions. This information is collected, processed, stored, maintained, transmitted, and disseminated by diverse information resources ranging from large enterprise information systems (or systems of systems) to small mobile computing devices. The information relied upon is subject to a range of threats that could harm or adversely affect organizational operations (e.g., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. These threats include environmental disruptions, purposeful attacks, structural failures, human errors, and other threats, any of which can compromise the confidentiality, integrity, or availability of information. Leaders at all levels of the Federal Government must understand their responsibilities and be held accountable for managing information security and protecting privacy.
Federal agencies must implement information security programs and privacy programs with the flexibility to meet current and future information management needs and the sufficiency to comply with Federal requirements. Emerging technologies and services may continue to shift the ways in which agencies acquire, develop, manage, and use information and technology. As technologies and services continue to change, so will the threat environment. Agency programs must have the capability to identify, respond to, and recover from current threats while protecting their information resources and the privacy of the individuals whose information they maintain. The programs must also have the capability to address new and emerging threats. To be effective, information security and privacy considerations must be part of the day-to-day operations of agencies. This is best accomplished by planning for the requisite security and privacy capabilities as an integral part of the agency strategic planning and risk management processes, not as a separate activity. This includes, but is not limited to, the integration of Federal information security and privacy requirements (and security and privacy controls) into the enterprise architecture, system development life cycle activities, systems engineering processes, and acquisition processes.
To ensure that Federal agencies can successfully carry out their assigned missions and business operations in an environment of sophisticated and complex threats, they must deploy systems that are both trustworthy and resilient. To increase the level of trustworthiness and resilience of Federal information systems, the systems should employ technologies that can significantly increase the built-in protection capability of those systems and make them inherently less vulnerable. This can require a significant investment in security architectures, and the application of systems security engineering concepts and principles in the design of Federal information systems.
As Federal agencies take advantage of emerging information technologies and services to obtain more effective mission and operational capabilities, achieve greater efficiencies, and reduce costs, they must also apply the principles and practices of risk management, information security, and privacy to the acquisition and use of those technologies and services. While there are certain security requirements and associated controls that are mandatory, agencies are required to employ risk-based approaches and decision-making to ensure that security capabilities are sufficient to protect agency assets, operations, and individuals. Such risk-based approaches involve framing, assessing, responding to, and monitoring security risks on an ongoing basis. Risk-based approaches can also support potential performance improvements and cost savings when agencies make decisions about maintaining, modernizing, or replacing existing information technologies and services or implementing new technologies and services that leverage internal, other government, or private sector innovative and market-driven solutions. These responsibilities extend to the creation, collection, processing, storage, transmission, dissemination, and disposal of Federal information when such information is hosted by non-Federal entities on behalf of the Federal Government. Ultimately, agency heads remain responsible and accountable for ensuring that information management practices comply with all Federal requirements, and that Federal information is adequately protected commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information.
This Appendix establishes minimum requirements for Federal information security programs, assigns Federal agency responsibilities for the security of information and information systems, and links agency information security programs and agency management control systems established in accordance with OMB Circular No. A-123, Management's Responsibility for Internal Control. This Appendix also establishes requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies should take a coordinated approach to implementing information security and privacy controls. This Appendix revises requirements contained in previous versions of Appendix III to OMB Circular No. A-130, and incorporates requirements of the Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35), the E-Government Act of 2002 (44 U.S.C. chapters 35 and 36), and responsibilities assigned in Executive Orders and Presidential Directives.
a. Agencies shall ensure the requirements of the Federal Information Technology Acquisition Reform Act (FITARA) are considered in establishing the responsibilities and accountability for the implementation of information and information security programs.
b. Agencies shall develop, implement, document, maintain, and oversee agency-wide information security and privacy programs including people, processes, and technologies to:
c. Agencies shall protect Controlled Unclassified Information (CUI) in accordance with requirements set forth by the National Archives and Records Administration.
d. Agencies shall limit the disclosure of proprietary information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists.
e. Agencies shall implement security and privacy policies issued by the Office of Management and Budget (OMB) and the Office of Personnel Management, as well as requirements issued by the Department of Commerce, the Department of Homeland Security, and the General Services Administration. This includes applying the standards and guidelines contained in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), NIST (800-series) Special Publications, and, where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).
f. Agencies shall ensure that all contracts, and other third-party agreements for services, incorporate all relevant information security and privacy requirements outlined in statute, OMB policy, Executive Orders, and Presidential Directives.
a. Security Categorization
Agencies shall:
b. Planning, Budgeting, and Enterprise Architecture
Agencies shall:
c. Plans, Controls, and Assessments
Agencies shall:
d. Authorization and Continuous Monitoring
Agencies shall:
Establish and maintain an ISCM program that:
a. Provides an understanding of agency risk tolerance and helps officials set priorities and manage information security risk consistently throughout the agency;
b. Includes metrics that provide meaningful indications of security status at all organizational risk management tiers;
c. Ensures the continued effectiveness of all security controls selected and implemented by monitoring controls with the frequencies specified in the ISCM strategy;
d. Verifies compliance with information security requirements derived from missions/business functions, Federal statutes, directives, instructions, regulations, policies, and standards/guidelines;
e. Is informed by all applicable agency IT assets to help maintain visibility into the security of those assets;
f. Ensures knowledge and control of changes to information systems and environments of operation; and
g. Maintains awareness of threats and vulnerabilities;
Establish and maintain a PCM program that:
a. Ensures continued compliance with all applicable privacy requirements;
b. Verifies the continued effectiveness of all Federal privacy controls selected and implemented across all organizational risk management tiers;
c. Includes metrics to monitor the effective implementation of privacy requirements and privacy controls across all organizational risk management tiers;
d. Monitors changes to information systems and environments of operation that collect, process, store, maintain, use, or disseminate PII; and
e. Maintains adequate awareness of any threats and vulnerabilities that may affect PII and impact individual privacy;
Ensure that a robust ISCM program and PCM program are in place before agency information systems or common controls are eligible for ongoing authorization; and
Leverage available Federal shared services, where practicable and appropriate.
e. Privacy Controls for Federal Information Systems and Organizations
The senior agency official for privacy (SAOP) has overall agency-wide responsibility and accountability for developing, implementing, and maintaining an agency-wide governance and privacy program to ensure compliance with all applicable statutes, regulations, and policies regarding the collection, use, maintenance, dissemination, and disposal of PII by programs and information systems. The SAOP shall:
f. Incident Detection, Response and Recovery
After agencies have selected and implemented the necessary security controls to protect their information and systems consistent with their understanding of agency operations and assets and management of information security risk, agencies shall subsequently ensure they can react appropriately to information security incidents.
Agencies shall:
g. Contingency Planning
Agencies shall:
Develop contingency plans for information systems that:
a. Identify essential missions and business functions and associated contingency requirements;
b. Provide recovery objectives, restoration priorities, and metrics;
c. Address contingency roles and responsibilities; and
d. Address maintaining essential missions and business functions despite a disruption, compromise, or failure of information systems; and
Provide for the recovery and reconstitution of information systems to a known state after a disruption, compromise, or failure.
h. Awareness and Training
Agencies shall:
i. Specific Safeguarding Measures to Reinforce the Protection of Federal Information and Information Systems
Agencies shall:
j. Contracts and Agreements
Organizations that collect or maintain information on behalf of a Federal agency, or that operate or use information systems on behalf of a Federal agency, must comply with the requirements in FISMA and OMB policies. Agencies shall ensure that terms and conditions in contracts, and other agreements involving the processing, storage, transmission, and destruction of Federal information, are sufficient to enable agencies to meet necessary security and privacy requirements concerning Federal information. For additional information and associated requirements pertaining to information technology acquisitions, refer to the Federal Acquisition Regulation.
k. Oversight of Non-Federal Entities
Agencies shall:
Provide oversight of information systems used or operated by contractors or other entities on behalf of the Federal government or that collect or maintain Federal information on behalf of the Federal government, to include:
a. Documenting and implementing policies and procedures for information security and privacy oversight, to include ensuring appropriate vetting and access control processes for contractors and others with access to systems containing Federal information;
b. Ensuring that security and privacy controls of such information systems and services are effectively implemented and comply with NIST standards and guidelines and agency requirements;
c. Maintaining and continuously updating an inventory of information systems and system components using automated reporting, cataloguing, and inventory tools;
d. Ensuring that the inventory identifies interfaces between these systems and organization-operated systems;
e. Ensuring that procedures are in place for incident response for these systems including timelines for breach notification;
f. Requiring agreements (e.g., Memoranda of Understanding, Interconnection Security Agreements, contracts) for interfaces between these systems and agency-owned and operated systems; and
g. Implementing policies, procedures, and verification methods to ensure, within the risk tolerance of the agency, that systems that are owned or operated by contractors or entities that contain Federal information are compliant with FISMA requirements, OMB policies, and applicable NIST standards and guidelines;
Collaborate with non-Federal entities and other agencies as appropriate to ensure that security and privacy requirements pertaining to these non-Federal entities, such as State, local, tribal, and territorial governments, are consistent to the greatest extent possible; and
Ensure that non-Federal entities protect CUI in accordance with NARA requirements and any associated NIST standards and guidelines.
l. Mitigation of Deficiencies and Issuance of Status Reports
Agencies must correct deficiencies that are identified through information security and privacy assessments, ISCM and PCM programs, or internal/external audits and reviews, including OMB reviews. OMB Circular No. A-123, Management's Responsibility for Internal Control, provides guidance for determining whether a deficiency in controls is material when judged by the agency head against other agency deficiencies. Material deficiencies must be included in the annual Federal Managers' Financial Integrity Act (FMFIA) report, with remediation tracked and managed through the agency's POA&M process. Less significant deficiencies need not be included in the FMFIA report, but must still be tracked and managed through the agency's POA&M process.
m. Reporting
Agencies shall provide FISMA reports in accordance with processes established by OMB and DHS under the Federal Information Security Modernization Act of 2014.
n. Cybersecurity Framework
The Cybersecurity Framework was developed by NIST in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The Framework describes five core cybersecurity functions (i.e., Identify, Protect, Detect, Respond, and Recover) that may be helpful in raising awareness and facilitating communication among agency stakeholders, including executive leadership. The Cybersecurity Framework may also be helpful in improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. The Framework is not intended to duplicate the current information security and risk management practices in place within the Federal Government. However, in the course of managing information security risk using the established NIST Risk Management Framework and associated security standards and guidelines required by FISMA, agencies can leverage the Cybersecurity Framework to complement their current information security programs. NIST will provide additional guidance on how agencies can use the Cybersecurity Framework and in particular, how the two frameworks can work together to help agencies develop, implement, and continuously improve their information security programs.
o. Independent Evaluations
Agencies shall:
Perform an independent evaluation of the information security programs and practices to determine the effectiveness of such programs and practices. The evaluation may include an evaluation of their privacy program and practices, as appropriate. Each evaluation must include:
a. Testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems;
b. An assessment of the effectiveness of the information security policies, procedures, and practices of the agency; and
c. Separate presentations, as appropriate, regarding information security relating to national security systems.
For each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section must be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency. For agencies to which the Inspector General Act of 1978 does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation.
5. Government-wide Responsibilities
a. Department of Commerce
The Secretary of Commerce shall:
b. Department of Homeland Security
The Secretary of Homeland Security shall:
Develop and oversee the implementation of binding operational directives that reinforce the policies, principles, standards, and guidelines developed by OMB, that focus on:
a. Requirements for the mitigation of exigent risks to information systems;
b. Requirements for the mitigation of known or reasonably suspected information security threats, vulnerabilities, and risks;
c. Requirements for reporting incidents to the Federal information security incident center; and
d. Other operational requirements, as deemed necessary by OMB;
Coordinate the development of binding operational directives and the oversight of the implementation of such directives with OMB and NIST to ensure consistency with OMB policies and NIST standards and guidelines;
Consult with the Director of NIST regarding any binding operational directives that implement or affect the standards and guidelines developed by NIST;
Convene meetings with senior agency officials to help ensure the effective implementation of information security policies and procedures;
Coordinate government-wide efforts on information security policies and practices, including consultation with the CIO Council and NIST;
Manage government-wide information security programs and provide and operate Federal information security shared services, as directed by OMB;
Provide operational and technical assistance to agencies in implementing policies, principles, standards, and guidelines on information security. This includes:
a. Operating the Federal information security incident center;
b. Deploying technology to assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities, with or without reimbursement and at the request of the agency;
c. Compiling and analyzing data on agency information security; and
d. Developing and conducting targeted operational evaluations, including threat and vulnerability assessments, on information systems;
c. Department of Defense
The Secretary of Defense shall:
d. General Services Administration
The Administrator of General Services shall:
e. Office of Personnel Management
The Director of the Office of Personnel Management shall determine the minimum investigative requirements for Federal employees and contractors requiring access to Federal facilities, information, and/or information systems.
Discussion of the Major Provisions in the Appendix
1. NIST Standards and Guidelines
NIST standards and guidelines associate each information system with an impact level. The standards and guidelines also provide a corresponding starting set of baseline security controls and tailoring guidance to ensure that the set of security controls in the security plan (approved by the authorizing official) and privacy controls in the privacy plan (approved by the SAOP), satisfy the information security, privacy, and mission/business protection needs of the agency.
For non-national security programs and information systems, agencies must apply NIST guidelines unless otherwise stated by OMB. Federal Information Processing Standards (FIPS) are mandatory. There is flexibility within NIST's guidelines (specifically in the 800-series) in how agencies apply those guidelines. Unless specified by additional implementing policy by OMB, the concepts and principles described in NIST guidelines must be applied. However, NIST guidelines generally allow agencies latitude in their application. Consequently, the application of NIST guidelines by agencies can result in different security solutions that are equally acceptable and compliant with the guidelines.
For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.
2. Risk Management Framework
The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF requires agencies to categorize each information system and the information processed, stored, and transmitted by that system based on a mission/business impact analysis. Agencies select an initial set of baseline security controls for the information system based on the security categorization and then tailor the security control baseline as needed, based on an organizational assessment of risk and local conditions. After implementing the security controls, agencies assess the controls using appropriate assessment methods as described in NIST Special Publication 800-53A to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
The authorization to operate the system is based on a determination of the risk to agency operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the system and the decision by the authorizing official, that this risk is acceptable. Subsequent to the authorization decision and as part of an information security continuous monitoring strategy and program, agencies monitor the security controls in the system on an ongoing basis. Monitoring includes, but is not limited to, assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated agency officials on an ongoing basis.
An effective implementation of the RMF ensures that managing information system-related security risks is consistent with the agency's mission/business objectives and overall risk management strategy, and risk tolerance established by the senior leadership through the risk executive function as discussed in NIST Special Publication 800-37. It also ensures that the requisite security requirements and controls are integrated into the agency's enterprise architecture and system development life cycle processes. Finally, the RMF supports consistent, well-informed, and ongoing security authorization decisions, transparency of security and risk management information, reciprocity, and information sharing.
3. Security Control Baselines
It is important to achieve adequate security for Federal information and information systems and a consistent level of protection for such information and systems government-wide. To meet this objective, agencies must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in FIPS Publication 200. The security controls must include one of the three security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of their information systems. The security control baselines define the set of minimum security controls for a low-impact, moderate-impact, or high-impact information system and provide a starting point for the tailoring process. Agencies are required to tailor the security control baselines to customize their safeguarding measures for specific missions, business lines, and operational environments—and to do so in a cost-effective, risk-based manner. Tailoring allows agencies to designate common controls; apply scoping considerations; select compensating controls; assign specific values to agency-defined control parameters; supplement baselines with additional controls when necessary; and provide additional specification information for control implementation. Agencies must provide a justification for any tailoring actions that result in changes to the initial security control baselines. Agencies are not permitted to make changes to security control baselines when such changes result in control selections that are inconsistent with security requirements set forth in Federal statutes, Executive Orders, regulations, directives, or policies.
Agencies may also develop overlays as part of the security control selection process. Overlays provide a specification of security and/or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple systems. All selected security controls must be documented in a security plan and implemented. Agencies can use the priority code designations associated with each security control in NIST Special Publication 800-53 to assist in making sequencing decisions for control implementation. This prioritization helps to ensure that the foundational security controls upon which other controls depend are implemented first, thus enabling agencies to deploy controls in a more structured and timely manner in accordance with available resources. Independent evaluations, when conducted, should focus on the effectiveness of the security controls selected and implemented (as documented in agency security plans after all tailoring actions have been completed on the security control baselines) and the justification for any decisions to change the control baselines.
4. Security and Privacy Assessments
Agencies must ensure that periodic testing and evaluation of the effectiveness of information security and privacy policies, procedures, and practices are performed with a frequency depending on risk, but at least annually. This general requirement to test and evaluate the effectiveness of information security and privacy policies, procedures, and practices does not imply that agencies must assess every selected and implemented security and privacy control at least annually. Rather, agencies must continuously monitor all implemented security and privacy controls (i.e., system-specific, hybrid, and common controls) with a frequency determined by the agency in accordance with the ISCM and PCM strategies. These strategies will define the specific security and privacy controls selected for assessment during any one-year period (i.e., the annual assessment window) with the understanding that all controls may not be formally assessed every year. Rotational assessment of security and privacy controls is consistent with the transition to ongoing authorization and assumes the information system has completed an initial authorization where all controls were formally assessed for effectiveness.
Security and privacy control assessments should ensure that security and privacy controls selected by agencies are implemented correctly, operating as intended, and effective in satisfying security and privacy requirements. The security of information may change over time based on changes in the threat, agency missions/business functions, personnel, technology, or environments of operation. Consequently, maintaining a capability for real-time or near real-time analysis of the threat environment and situational awareness following an information security incident is paramount. The type, rigor, and frequency of control assessments should be commensurate with the level of awareness necessary for effectively determining information security risk that is established by the agency's risk tolerance and risk management strategy. Technical security tools such as malicious code scanners, vulnerability assessment products (which look for known security weaknesses, configuration errors, and the installation of the latest patches), and penetration testing can assist in the ongoing assessment of information systems.
5. Authorizing Official
The authorizing official is a senior agency official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations and assets, individuals, other organizations, and the Nation. Authorizing officials have budgetary oversight for an information system or are responsible for the mission or business operations supported by the system. Through the authorization process, authorizing officials are responsible and accountable for the security risks associated with information system operations. Because information security is closely related to the individual privacy protections required for PII (see Fair Information Practice Principles), authorizing officials are also responsible and accountable for the privacy-related risks that arise from the operation of an information system. Accordingly, authorizing officials must be in management positions with a level of authority commensurate with understanding and accepting such information system-related security and privacy risks. Since the SAOP is the senior official, designated by the head of each agency, who has overall agency-wide responsibility for information privacy, agencies must consider inputs and recommendations submitted by the SAOP in the authorization decision. Additionally, the SAOP has responsibility for reviewing the authorization package to ensure that privacy risks are addressed prior to system authorization. In situations where the authorizing official and SAOP cannot reach a final resolution regarding the appropriate protection for the agency information and information system, the head of the agency must review the associated risks and requirements and make a final determination regarding the issuance of the authorization to operate.
Agencies can choose from several different approaches when planning for and conducting authorizations. These include an authorization with a single authorizing official, an authorization with multiple authorizing officials, or leveraging an existing authorization (see Section 8, Joint and Leveraged Authorizations). Agencies can, at their discretion, include the CIO or the SAOP as co-authorizing officials with other senior agency officials responsible for the mission or line of business supported by the system being authorized for operation. Regardless of the approach used, the role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.
6. Authorization to Operate
The authorization to operate an information system and the authorization of agency-designated common controls granted by senior Federal officials provide an important quality control for agencies. The decision to authorize a system to operate should be based on a review of the authorization package and includes an assessment of compliance with applicable requirements and risk to agency operations and assets, individuals, other organizations, and the Nation. As stated above, the decision to authorize a system, or agency-defined common controls, should be made by the appropriate authorizing official – an agency official responsible for the associated missions, business functions, and/or supporting infrastructure. Since the security plan and privacy plan establish the security and privacy controls selected for implementation, those plans are a critical part of the authorization package and should form the basis for the authorization, supplemented by more specific information as needed.
7. Ongoing Authorization
Ongoing authorization77 is a process whereby the authorizing official makes risk determination and risk acceptance decisions subsequent to the initial authorization, taken at agreed-upon and documented frequencies in accordance with the agency's risk tolerance and mission/business requirements. Ongoing authorization is a time-driven or event-driven authorization process whereby the authorizing official is provided with the necessary and sufficient information regarding the near real-time state of the information system and inherited common controls to determine whether or not all applicable security and privacy requirements have been satisfied and the mission/business risk is acceptable. Effective ongoing authorization requires robust ISCM and PCM strategies and effective operational ISCM and PCM programs. Agencies can move from a static, point-in-time authorization process to a dynamic, near real-time ongoing authorization process for information systems and common controls after having satisfied two conditions: the system and/or common controls have been granted an initial authorization to operate by the designated authorizing official; and ISCM and PCM programs are in place to monitor all implemented security and privacy controls with the appropriate degree of rigor and at the appropriate frequencies in accordance with applicable ISCM and PCM strategies, OMB guidance, and NIST guidelines.
Agencies must define and implement a process to specifically designate information systems and/or common controls that have satisfied the two conditions noted in the previous paragraph and have been transitioned to ongoing authorization. The process includes the means for the authorizing official to formally acknowledge that the information system and/or common controls are being managed under an ongoing authorization process and accept the responsibility for ensuring all necessary activities associated with the ongoing authorization process are performed. Until a formal approval is obtained from the authorizing official to transition to ongoing authorization, information systems (and common controls) remain under a static authorization process with specific authorization termination dates enforced by the agency.
8. Reauthorization
Reauthorization consists of a review of the information system similar to the review carried out during the initial authorization but conducted during the operations/maintenance phase of the system development life cycle rather than prior to that phase. In general, reauthorization actions may be time-driven or event-driven. However, under ongoing authorization, reauthorization is typically an event-driven action initiated by the authorizing official or directed by the Risk Executive (function) in response to an event that increases information security risk above the previously agreed-upon agency risk tolerance. Event-driven reauthorization triggers can include, for example: new threat, vulnerability, or impact information; an increased number of findings, weaknesses, or deficiencies from continuous monitoring programs; new missions or business functions; new or modified security requirements; changes in authorizing officials; significant changes in risk assessment findings; significant changes to information systems, common controls, or environments of operation; exceeding agency-designated thresholds; and changes in Federal statutes, OMB policies, or NIST standards and guidelines. A significant change is defined as a change that is likely to affect the security state of an information system.
The reauthorization process differs from the initial authorization inasmuch as the authorizing official can initiate: a complete zero-base review of the information system or common controls; or a targeted review based on the type of event that triggered the reauthorization, the assessment of risk related to the event, the risk response of the agency, and the agency risk tolerance. Reauthorization is a separate activity from the ongoing authorization process, though security- and privacy-related information from the agency's ISCM and PCM programs may still be leveraged to support reauthorization. Note also that reauthorization actions may necessitate a review of and changes to the ISCM or PCM strategy, which may in turn affect ongoing authorization.
9. Joint and Leveraged Authorizations
Agencies are encouraged to use joint and leveraged authorizations whenever practicable.78 Joint authorizations can be used when multiple agency officials, either from the same agency or from different agencies, have a shared interest in authorizing an information system or common controls. The participating officials are collectively responsible and accountable for the system and the common controls and jointly accept the information security risks that may adversely impact agency operations and assets, individuals, other organizations, and the Nation. Agencies choosing a joint authorization approach should work together on the planning and the execution of the Risk Management Framework tasks described in NIST Special Publication 800-37 and document their agreement and progress in implementing the tasks. The specific terms and conditions of the joint authorization are established by the participating parties in the joint authorization, including, for example, the process for ongoing determination and acceptance of risk. The joint authorization remains in effect only as long as there is mutual agreement among authorizing officials and the authorization meets the requirements established by Federal and/or agency policies.
Leveraged authorizations can be used when an agency chooses to accept some or all of the information in an existing authorization package generated by another agency based on the need to use the same information resources (e.g., an information system and/or services provided by the system). The leveraging agency reviews the owning agency's authorization package as the basis for determining risk to the leveraging agency. The leveraging agency considers risk factors such as the time elapsed since the authorization results were produced, differences in environments of operation (if applicable), the impact of the information to be processed, stored, or transmitted, and the overall risk tolerance of the leveraging agency. The leveraging agency may determine that additional security measures are needed and negotiate with the owning agency to provide such measures. To the extent that a leveraged authorization includes an information system that collects, processes, stores, maintains, transmits, or disseminates PII, leveraging agencies must consult their SAOP. The SAOP may determine that additional measures are required to protect PII prior to leveraging the authorization.
10. Continuous Monitoring
Agencies must develop ISCM and PCM strategies and implement ISCM and PCM activities in accordance with applicable statutes, directives, policies, instructions, regulations, standards, and guidelines. Agencies have the flexibility to develop an overarching ISCM and PCM strategy (e.g., at the agency, bureau, or component level) that addresses all information systems, or continuous monitoring strategies that address each agency information system individually. The ISCM and PCM strategies must address all security and privacy controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process. ISCM and PCM strategies, which must be approved by the SAOP and the appropriate agency authorizing official, must also include all common controls inherited by agency information systems.
11. Critical Infrastructure
Agencies that operate information systems that are part of the critical infrastructure must conduct risk assessments to ensure that security controls for those systems are appropriately tailored (including the deployment of additional controls, when necessary), thus providing the required level of protection for critical Federal missions and business operations. In addition, agencies must ensure that the privacy controls assigned to critical infrastructure meet all applicable requirements and adequately protect individual privacy. This includes the ongoing monitoring of deployed security and privacy controls in critical infrastructure systems to determine the ongoing effectiveness of those controls against current threats; improving the effectiveness of those controls, when necessary; managing associated changes to the systems and environments of operation; and satisfying specific protection and compliance requirements in statutes, Executive Orders, directives, and policies required for critical infrastructure protection.
12. Encryption
When the assessed risk indicates the need, agencies must encrypt Federal information at rest and in transit unless otherwise protected by alternative physical and logical safeguards implemented at multiple layers, including networks, systems, applications, and data. Encrypting information at rest and in transit helps to protect the confidentiality, integrity, and availability of such information by making it less susceptible to unauthorized disclosure or modification. Agencies must apply encryption requirements to Federal information categorized as either moderate or high impact in accordance with FIPS Publication 199 unless encrypting such information is technically infeasible or would demonstrably affect their ability to carry out their respective mission, functions, or operations. In situations where the use of encryption is technically infeasible, for example, due to an aging legacy system, agencies must initiate the appropriate system or system component upgrade or replacement actions at the earliest opportunity to be able to accommodate such safeguarding technologies. Authorizing officials who choose to operate information systems without the use of required encryption technologies must carefully assess the risk in doing so, and they must receive written approval for the exception from the agency CIO. For high-impact information, access to unencrypted content should be managed separately from access to the networks, systems, and applications where the encrypted data resides. Only FIPS-validated and NSA-approved cryptography is approved for use in Federal information systems.
13. Digital Signatures
Digital signatures can mitigate a variety of security vulnerabilities by providing authentication and non-repudiation capabilities and ensuring the integrity of Federal information, whether such information is used in day-to-day operations or archived for future use. Additionally, digital signatures can help agencies streamline mission/business processes and transition manual processes to more automated processes, including, for example, online transactions. Because of the advantages provided by this technology, OMB expects agencies to implement digital signature capabilities in accordance with Federal Public Key Infrastructure (PKI) policy and NIST standards and guidelines. For employees and contractors, agencies must require the use of the digital signature capability of Personal Identity Verification (PIV) credentials when the capability is available.79 For individuals who fall outside the scope of PIV applicability, agencies should leverage approved Federal PKI credentials when using digital signatures.
14. Identity Assurance
Streamlining the process by which citizens, businesses, and other partners80 securely access government services online requires a risk-appropriate level of identity assurance. Identity assurance, in an online context, is the ability of an agency to determine that a claim to a particular identity made by an individual can be trusted to actually be the individual's "true" identity. Citizens, businesses, and other partners that interact with the Federal Government need to have, and be able to present, electronic identity credentials to identify and authenticate themselves remotely and securely when accessing Federal information resources. An agency needs to be able to know, to a degree of certainty commensurate with the risk determination, that the presented electronic identity credential truly represents the individual presenting the credential before a transaction is authorized.81 To transform processes for citizens, businesses, and other partners accessing Federal services online, OMB expects agencies to use a standards-based federated identity management approach that enables security, privacy, ease of use, and interoperability among electronic authentication systems.
15. Unsupported Information System Components
Unsupported information system components (e.g., components for which vendors are no longer providing critical software patches) provide a substantial opportunity for adversaries to exploit weaknesses discovered in the currently installed components. Agencies must prohibit the use of unsupported information systems and system components, and ensure that systems and components that cannot be appropriately protected or secured are given a high priority for upgrade or replacement. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option. For such systems, agencies can establish in-house support, for example, by developing customized patches for critical software components or by securing the services of external providers who, through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors.
16. FISMA Applicability to Non-Federal Entities
FISMA describes Federal agency security responsibilities as including "information collected or maintained by or on behalf of an agency" and "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." FISMA requires each agency to provide information security for the information and "information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source." This includes services that are either fully or partially provided, including agency hosted, outsourced, and cloud-based solutions.
Additionally, because FISMA applies to Federal information and information systems, in certain circumstances, its requirements also apply to a specific class of information technology that the Clinger-Cohen Act of 1996 (40 U.S.C. § 1401(3)) did not include, i.e., "equipment that is acquired by a Federal contractor incidental to a Federal contract." Therefore, when Federal information is used within incidentally acquired equipment, the agency continues to be responsible and accountable for ensuring that FISMA requirements are met for such information.
17. Other Requirements
Agencies must adhere to all other applicable information requirements such as the privacy requirements in accordance with the Privacy Act of 1974 and OMB guidance, the Confidential Information Protection and Statistical Efficiency Act of 2002 and OMB guidance, and to statutes and regulations pertaining to management of Federal records, and other relevant statutes, Executive Orders, Presidential Directives, and policies.
18. Authorities and References82
a. Privacy Act of 1974 (5 U.S.C. § 552a), December 1974.
b. E-Government Act of 2002 (44 U.S.C. chapters 35 and 36), December 2002.
c. Federal Information Security Modernization Act of 2014 (44 U.S.C. chapter 35), December 2014.
d. Intelligence Reform and Terrorism Prevention Act of 2004 (50 U.S.C. § 401 note), December 2004.
e. Executive Order 13556, Controlled Unclassified Information, November 2010.
f. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.
g. Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.
h. Homeland Security Presidential Directive 20 (National Security Presidential Directive 51), National Continuity Policy, May 2007.
i. Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, February 2008.
j. National Communications System (NCS) Directive 3-10, Minimum Requirements for Continuity Communications Capabilities, July 2007.
k. National Institute of Standards and Technology Federal Information Processing Standards Publication 199 (as amended), Standards for Security Categorization of Federal Information and Information Systems.
l. National Institute of Standards and Technology Federal Information Processing Standards Publication 200 (as amended), Minimum Security Requirements for Federal Information and Information Systems.
m. National Institute of Standards and Technology Federal Information Processing Standards Publication 201 (as amended), Personal Identity Verification of Federal Employees and Contractors.
n. Committee on National Security Systems Instruction 1253 (as amended), Security Categorization and Control Selection for National Security Systems.
o. National Institute of Standards and Technology Special Publication 800-18 (as amended), Guide for Developing Security Plans for Federal Information Systems.
p. National Institute of Standards and Technology Special Publication 800-30 (as amended), Guide for Conducting Risk Assessments.
q. National Institute of Standards and Technology Special Publication 800-37 (as amended), Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
r. National Institute of Standards and Technology Special Publication 800-39 (as amended), Managing Information Security Risk: Organization, Mission, and Information System View.
s. National Institute of Standards and Technology Special Publication 800-47 (as amended), Security Guide for Interconnecting Information Technology Systems.
t. National Institute of Standards and Technology Special Publication 800-53 (as amended), Security and Privacy Controls for Federal Information Systems and Organizations.
u. National Institute of Standards and Technology Special Publication 800-53A (as amended), Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans.
v. National Institute of Standards and Technology Special Publication 800-59 (as amended), Guideline for Identifying an Information System as a National Security System.
w. National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories.
x. National Institute of Standards and Technology Special Publication 800-63 (as amended), Electronic Authentication Guideline.
y. National Institute of Standards and Technology Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
z. National Institute of Standards and Technology Special Publication 800-137 (as amended), Information Security Continuous Monitoring for Federal Information Systems and Organizations.
aa. National Institute of Standards and Technology Special Publication 800-160 (as amended), Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.
bb. National Institute of Standards and Technology Special Publication 800-161 (as amended), Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
cc. National Institute of Standards and Technology Special Publication 800-162 (as amended), Guide to Attribute Based Access Control (ABAC) Definition and Considerations.
dd. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (as amended).
ee. National Institute of Standards and Technology Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management (as amended).
19. Definitions
a. The terms 'Agency,' 'Executive Agency,' 'Federal information,' 'Federal information system,' 'information resources management,' 'information security,' 'personally identifiable information,' and 'senior agency official for privacy' are defined in the main body of this Circular.
b. 'Adequate security' means security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.
c. 'Authorization' means the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
d. 'Authorization boundary' means all components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems to which the information system is connected.83
e. 'Authorizing official' means a senior Federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation.
f. 'Authorization package' means the essential information that an authorizing official uses to determine whether or not to authorize the operation of an information system or the use of a designated set of common controls. At a minimum, the authorization package includes the security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.
g. 'Breach' means the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
h. 'Common control' means a security or privacy control that is inherited by multiple information systems.
i. 'Controlled unclassified information' means information that requires safeguarding or dissemination controls pursuant to and consistent with statutes, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
j. 'Critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters (42 U.S.C. § 5195c(e)).
k. 'Environment of operation' means the physical, technical, and organizational setting in which an information system operates.
l. 'Hybrid control' means a control that is implemented in an information system in part as a common control and in part as a system-specific control.
m. 'Information security architecture' means an embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, information security systems, personnel, and organizational subunits, showing their alignment with the enterprise's mission and strategic plans.
n. 'Information security continuous monitoring' means maintaining ongoing awareness of information security, vulnerabilities, and threats to support agency risk management decisions.84
o. 'Information security program plan' means a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. The information security program plan and the privacy program plan may be integrated into one consolidated document.
p. 'Information system resilience' means the ability of an information system: to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and to recover to an effective operational posture in a time frame consistent with mission needs.
q. 'Initial authorization' means the initial (start-up) risk determination and risk acceptance decision based on a zero-base review of the information system conducted prior to its entering the operations/maintenance phase of the system development life cycle. The zero-base review includes an assessment of all security and privacy controls (i.e., system-specific, hybrid, and common controls) contained in a security plan or in a privacy plan and implemented within an information system or the environment in which the system operates.
r. 'National security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy (44 U.S.C. § 3552).
s. 'Ongoing authorization' means the risk determinations and risk acceptance decisions subsequent to the initial authorization, taken at agreed-upon and documented frequencies in accordance with the agency's mission/business requirements and agency risk tolerance. Ongoing authorization is a time-driven or event-driven authorization process whereby the authorizing official is provided with the necessary and sufficient information regarding the security and privacy state of the information system to determine whether or not the mission/business risk of continued system operation is acceptable.
t. 'Overlay' means a specification of security and/or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. (See "tailoring" definition.)
u. 'Privacy continuous monitoring' means maintaining ongoing awareness of privacy risks and assessing privacy controls at a frequency sufficient to ensure compliance with applicable requirements and to adequately protect personally identifiable information.
v. 'Privacy control' means the administrative, technical, and physical safeguards employed within agencies to protect and ensure the proper handling of personally identifiable information or prevent activities that create privacy risk.
w. 'Privacy control assessment' means the testing or evaluation of privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements for an information system or organization.
x. 'Privacy program plan' means a formal document that provides an overview of the privacy requirements for an agency-wide privacy program and describes the program management controls and common controls in place or planned for meeting those requirements. The privacy program plan and the information security program plan may be integrated into one consolidated document.
y. 'Privacy plan' means a formal document that provides an overview of the privacy requirements for an information system or program and describes the privacy controls in place or planned for meeting those requirements. The privacy plan and the security plan may be integrated into one consolidated document.
z. 'Reauthorization' means the risk determination and risk acceptance decision that occurs after an initial authorization. In general, reauthorization actions may be time-driven or event-driven; however, under ongoing authorization, reauthorization is typically an event-driven action initiated by the authorizing official or directed by the Risk Executive (function) in response to an event that drives information security or privacy risk above the previously agreed-upon agency risk tolerance.
aa. 'Resilience' means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
bb. 'Risk' means a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
cc. 'Risk management' means the program and supporting processes to manage information security and privacy risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.
dd. 'Risk response' means accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the Nation.
ee. 'Security category' means the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on agency operations, agency assets, individuals, other organizations, and the Nation.
ff. 'Security control' means the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
gg. 'Security control assessment' means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
hh. 'Security control baseline' means the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
ii. 'Security plan' means a formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The security plan and the privacy plan may be integrated into one consolidated document.
jj. 'Supply chain' means a linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.
kk. 'Supply chain risk management' means the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of information and communications technology product and service supply chains.
ll. 'System-specific control' means a control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an information system.
mm. 'Systems security engineering' means a specialty engineering discipline of systems engineering. It applies scientific, mathematical, engineering, and measurement concepts, principles, and methods to deliver, consistent with defined constraints and necessary trade-offs, a trustworthy asset protection capability that: satisfies stakeholder requirements; is seamlessly integrated into the delivered system; and presents residual risk that is deemed acceptable and manageable to stakeholders.
nn. 'Tailoring' means the process by which security control baselines are modified by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning specific values to agency-defined control parameters; supplementing baselines with additional controls or control enhancements; and providing additional specification information for control implementation. The tailoring process may also be applied to privacy controls. (See "overlay" definition.)
oo. 'Trustworthiness' means the degree to which an information system can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across a full range of threats.
pp. 'Trustworthy information system' means a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
### Footnotes