5 FAM 840
MANAGING SYSTEMS
(CT:IM-251; 11-21-2018)
(Office of Origin: IRM/BMP/GRP)
5 FAM 841 SYSTEMS AUTHORIZATION PROCESS
(CT:IM-89; 05-30-2007)
a. In accordance with OMB Circular A-130, the Department is required to make a security determination, called authorization, to permit placing IT systems into operation. In order for officials to make fully advised risk-based decisions, they must conduct a security evaluation known as certification of the IT system.
b. All IT systems must complete the systems authorization process before becoming operational. (See 5 FAM 1060 and 5 FAM 611.)
5 FAM 842 INFORMATION TECHNOLOGY SECURITY PLANS
(CT:IM-251; 11-21-2018)
a. The Federal Information Security Modernization Act (FISMA) of 2014 and OMB Circular A-130 require all major applications and support systems to have a security plan. The system security plan provides all the information necessary to secure an IT system throughout the system's lifecycle.
b. See Information Assurance for the available tool.
5 FAM 843 INFORMATION QUALITY
(CT:IM-144; 07-12-2013)
OMB requires each agency to establish guidelines on ensuring the integrity of the information it maintains. Department guidelines state that each post and bureau is responsible and accountable for the integrity of information maintained on its IT systems. Information management officers (IMOs), information systems officers (ISOs), and system owners must carry out these responsibilities.
5 FAM 844 MEDIA AND ESOC
5 FAM 844.1 Storing, Handling, and Destroying Media
(CT:IM-175; 03-15-2016)
To protect information from loss, damage, or compromise, the ISO/system administrators and information systems security officer (ISSO) must verify destruction of media. For further guidance, see 12 FAH-10 H-260 for unclassified/SBU media and 12 FAM 632.1-6 and 12 FAM 632.1-9 for classified media.
5 FAM 844.2 ESOC: Enterprise Server Operations Center/IT Consolidation
(CT:IM-251; 11-21-2018)
a. This section addresses the handling, maintenance, storing, and viewing of information residing on the Enterprise IT Consolidated (ITC) Storage Area Network (SAN). This policy applies to all personnel requiring access to the information contained within the system. ESOC provides:
(1) Access to the information on the ITC SAN is strictly controlled on a need-to-know basis via Active Directory (AD) security groups;
(2) The AD security group controlling ESOC Administrator and Backup/Archive Service account access to the ITC SAN infrastructure and root shares is controlled by the ESOC in compliance with the Bureau of Diplomatic Security and IA security in 5 FAM and 12 FAM;
(3) The AD security group(s) controlling other IRM administrator (i.e., Desktop Support Division (DSD), Operational Support Division (OSD), or IT Service Center (ITSC)) or consolidated bureau user access to stored information are controlled by the domestic information security officer (DISSO) and/or the DSD based on the access request procedures (reference OSD for further guidance); and
(4) Maintenance of the information stored on the ITC SAN is the responsibility of the consolidated bureau.
b. The domestic information security officer (DISSO) responsibilities are briefly described below and also in 5 FAM 824.1, 12 FAH-10, and 1 FAM 276.4-3:
(1) All ISSO responsibilities and functions relating to the information stored on the ITC SAN are to be directed to the OSD domestic information security officer (DISSO) for guidance; and
(2) The ESOC has supplied the OSD DISSOs with the necessary access to any logging information required and will assist upon request to supply any supplementary information.
c. The transference of system-level Plan of Actions & Milestones (POA&M) supporting the in-scope server ITC functions is described below:
(1) The ESOC scope in ITC is limited to servers supporting in-scope ITC functions;
(2) Consolidated bureaus retain responsibility for all physical asset management pertaining to in-scope servers and their associated lifecycle and hardware support;
(3) Server operating system vulnerabilities and remediation of in-scope systems are now the responsibility of the ESOC;
(4) Server vulnerabilities and remediation related to facility management continue to be the responsibility of the consolidated bureau; and
(5) All in-scope systems supporting ITC functions will have their functions centralized onto IRM resources and will then be decommissioned.
5 FAM 845 SECURITY AWARENESS, TRAINING, AND EDUCATION
(CT:IM-175; 03-15-2016)
a. The Department is required by the Federal Information Security Act (FISMA) 2002 to conduct computer security training to ensure the confidentiality, integrity, and availability of its computer-based information. See 12 FAH-10 H-210.
b. DS/T/TPS/SECD implements the Department's Information Assurance (IA) role-based training program. The Diplomatic Security Training Center (DSTC) suite of security role-based training courses is valid for 3 years. IRM/IA has responsibility for ensuring that the Department's IA training program complies with Federal guidelines. For courses offered, see DS Training and Information Assurance.
c. DS/IS/CSD initiates, develops, and provides annual IT security awareness briefings for users. The CISO also may authorize others to conduct the briefing.
d. 12 FAH-10 H-210 requires the ISSOs, IMOs, and system administrators to ensure that all users receive appropriate security training. COTRs/contracting officer representatives (CORs) are responsible for their contract employees, and must ensure that all contracted employees receive appropriate systems security training before accessing any bureau or post system.
5 FAM 846 ANTI-VIRUS
(CT:IM-175; 03-15-2016)
All IMOs/ISOs/system administrators for classified and unclassified systems are required to implement virus protection and detection programs for all systems connected to the Department's network, per 12 FAH-10 H-292.2-1, Malicious Code Protection.
5 FAM 847 FIREWALLS
(CT:IM-144; 07-12-2013)
a. The Department uses firewall technology to provide protection for network resources at all points where the internal networks connect with non-Department networks.
b. The Department's Firewall Advisory Board, chaired by the Perimeter Security Division (IRM/OPS/ENM/PSD), ensures consistency of protection worldwide by establishing a baseline configuration for each of the Department firewalls.
c. IMOs/ISOs/system administrators must comply with all guidance provided by the Firewall Advisory Board.
5 FAM 848 REMOTE ACCESS
(CT:IM-175; 03-15-2016)
Domestically, the Department is able to provide employees with secure dial-up access to Department resources by using secure domestic dial-in (SDDI) to access their Sensitive but Unclassified (SBU) email accounts and the Department's Intranet from locations outside of their normal office. Information on SAFENET is found on the Encryptions Programs and Product List. See 12 FAH-10 H-173.
5 FAM 849 AUDIT TRAILS
(CT:IM-175; 03-15-2016)
The ISSO is responsible for coordinating with IMOs/ISOs/system administrators to monitor, investigate, log, and report system events and activities resulting from unauthorized access and modifications of sensitive critical files. See 12 FAH-10 H-120 and 12 FAM 637 for further guidance.