Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Transcription

1 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP) Network Services and Network Management Systems in accordance with (IAW) C (NIST FIPS 199 High-Impact Baseline) Version 1.0 November 4, 2016 Prepared by Qwest Government Services, Inc. dba CenturyLink QGS 4250 North Fairfax Drive Arlington, VA SFA# /NSP# i RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

2 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan TABLE OF CONTENTS Revision History... iii Step 1 Define the Security System... 1 Task 1-1 Security Categorization... 1 Information System Owner... 3 Task 1-2 Information System Description... 4 System Environment... 7 Task 1-3 Information System Registration Step 2 Select Security Controls Task 2-1 Common Control Identification Overall CenturyLink Infrastructure Task 2-2 Security Control Selection Task 2-3 Monitoring Strategy Access Monitoring File Integrity and Configuration Monitoring Network Monitoring Automated Inventory Monitoring Real-Time Alerts Security Vulnerability Scanning Security Penetration Testing (C (20, 22)) Task 2-4 Security Plan Approval Step 3 Implement Security Controls Task 3-1 Security Control Implementation Task 3-2 Security Control Documentation Step 4 Assess Security Controls Task 4-1 Assessment Preparation Task 4-2 Security Control Assessment Task 4-3 Security Assessment Report (C (19)) Task 4-4 Remediation Actions Step 5 Authorize Information System Task 5-1 Plan of Action and Milestones Task 5-2 Security Authorization Package (C , C (1 through 27)) Task 5-3 Risk Determination Task 5-4 Risk Acceptance Step 6 Monitor Security Controls Task 6-1 Information System and Environment Changes Task 6-2 Ongoing Security Control Assessments Task 6-3 Ongoing Remediation Actions (C (24)) Task 6-4 Key Updates Task 6-5 Security Status Reporting Task 6-6 Ongoing Risk Determination and Acceptance Task 6-7 Information System Removal and Decommissioning SFA# /NSP# i RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

3 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan LIST OF FIGURES Figure 1. MTIPS 2.0 Standard Portal A&A Boundary... 7 Figure 2. MTIPS 2.0 Augment Portal A&A Boundary... 8 Figure 3. MTIPS 2.0 Standard Portal Traffic Flow Figure 4. MTIPS 2.0 Augment Portal Traffic Flow Figure 5. SOC Site 1 Logical Detail (San Diego) Figure 6. SOC Site 2 Logical Detail (Columbia, MD) Figure 7. Site Physical Detail San Diego Figure 8. Site Physical Detail Columbia, MD LIST OF TABLES Table 1. MTIPS Information Type Categorization... 2 SFA# /NSP# ii RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

4 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan REVISION HISTORY Revision Revision Description Authors Approval Date 1.0 Original Release Robert Ellis Peggy Macdonald 02/22/2016 SFA# /NSP# iii RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

5 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan STEP 1 DEFINE THE SECURITY SYSTEM TASK 1-1 SECURITY CATEGORIZATION The General Services Administration (GSA) assigned an information sensitivity category for Managed Trusted Internet Protocol Service (MTIPS) based on the federal government requirement and Federal Information Processing Standard (FIPS) 199. FIPS 199 requires MTIPS security to safeguard data and information from unauthorized disclosure, protect data from unauthorized modification, and ensure that services are available to meet mission requirements. Protection ratings are determined for each of these three categories: Confidentiality: MTIPS contains information that requires protection from unauthorized disclosure Integrity: MTIPS contains information that must be protected from unauthorized, unanticipated, or unintentional modification Availability: MTIPS contains information or provides services that must be available on a timely basis to meet mission requirements, or to avoid substantial losses MTIPS is rated as one of the following: High: the loss of confidentiality, integrity, or availability could expect to have a severe or catastrophic adverse effect on organization operations, organizational assets, or individuals Moderate: the loss of confidentiality, integrity, or availability could expect to have a serious adverse effect on organizational operations, organizational assets, or individuals Low: the loss of confidentiality, integrity, or availability could expect to have limited adverse effect on organizational operations, organizational assets, or individuals To determine the information types that MTIPS will potentially handle, GSA used National Institute of Standards and Technology (NIST) Special Publication (SP) SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

6 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, and Volume 2 Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Following the Office of Management and Budget s (OMB) Federal Enterprise Architecture (FEA) Business Reference Model (BRM), GSA determined that the MTIPS business areas will deliver services and manage resources, serving in a supportive role to an agency s mission but not directly processing any agency mission-based information types. The information types that MTIPS will potentially handle with associated provisional impact levels, due to loss of any of the three security objectives (confidentiality, integrity, and availability), are shown in Table 1. The high watermark method was used to determine the overall information categorization. Table 1. MTIPS Information Type Categorization Information Type Confidentiality Integrity Availability Contingency planning Low Low High Continuity of operations Low Low High Service recovery Low Low High Goods acquisition Low Moderate Low Inventory control Low Moderate Low Logistics management Low Moderate Low Services acquisition Moderate Moderate Low System development Moderate Moderate Low Life cycle/change management Low Moderate Moderate System maintenance High Moderate Moderate Information technology (IT) infrastructure maintenance High High High MTIPS security Moderate Moderate High Record retention Moderate High Low Information management Moderate Moderate Moderate System and network monitoring High High High Information sharing Moderate Moderate Moderate Overall information categorization High High High As part of the MTIPS system development life cycle (SDLC) and security assessment and authorization (A&A) processes, CenturyLink periodically reviews the list of information types to add and remove data types, as necessary, and update the impact to the above security objectives. SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

7 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan In summary, the MTIPS overall sensitivity rating is high based on the following: Requirements for confidentiality, integrity, and availability protections Related level of sensitivity Highest magnitude of harm directly resulting from loss, misuse, modification to, or unauthorized access to information on MTIPS Information System Owner GSA Name: Title: Agency: Kevin Gallo GSA System Owner GSA Address: 1800 F Street NW, Washington, DC Address: kevin.gallo@gsa.gov Phone Number: CenturyLink Name: Title: Agency: Tim Meehan Vice President Qwest Government Services, Inc. dba CenturyLink QGS Address: 4250 N Fairfax Drive, Arlington, VA Address: Timothy.Meehan@centurylink.com Phone Number: SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

8

9

10

11 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan System Environment Figure 1. MTIPS 2.0 Standard Portal A&A Boundary SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

12 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Figure 2. MTIPS 2.0 Augment Portal A&A Boundary SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

13 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Figure 3. MTIPS 2.0 Standard Portal Traffic Flow. SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

14 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Figure 4. MTIPS 2.0 Augment Portal Traffic Flow SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

15

16

17

18

19

20

21

22 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan TASK 1-3 INFORMATION SYSTEM REGISTRATION The registration process will begin with the definition of the A&A (or authorization) boundary in the Security Assessment Boundary and Scope Document (BSD), as referenced in RFP Section C (2). This section identifies the information system and subsystems in the system inventory and establishes a relationship between the information system and the parent or governing organization that owns, manages, and/or controls the system. The information system owner has primary responsibility for registering each EIS information system that supports network services and network management systems. Primary Responsibility: CenturyLink Information System Owner Name: Title: Agency: Tim Meehan Vice President Qwest Government Services, Inc. dba CenturyLink QGS Address: 4250 N Fairfax Drive, Arlington, VA Address: Timothy.Meehan@centurylink.com Phone Number: Supporting Roles: CenturyLink Information Systems Security Officer (ISSO) Name: Title: Agency: Robert Ellis Information System Security Officer (ISSO) Qwest Government Services, Inc. dba CenturyLink QGS Address: th Street, Suite 1000B, Denver, CO Address: rob.ellis@centurylink.com Phone Number: GSA Information System Security Manager (ISSM) SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

23 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Name: Title: Agency: David Trzcinski Information Systems Security Manager GSA Address: 1800 F Street, NW, Washington, DC Address: david.trzcinski@gsa.gov Phone Number: GSA ISSO Name: Title: Agency: William Olson Systems and Security Program Manager GSA Address: 1800 F Street, NW, Washington, DC Address: william.olson@gsa.gov Phone Number: GSA personnel have performed the security categorization of the MTIPS information systems, which are determined to be FIPS 199 high impact. STEP 2 SELECT SECURITY CONTROLS TASK 2-1 COMMON CONTROL IDENTIFICATION Common controls inherited within the MTIPS system authorization boundary will include Physical security controls Environmental controls Centralized authentication mechanisms SecurID Active directory Continuous monitoring systems SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Control Tailoring Workbook (CTW) (C (4)) Control Summary Table (C (5)) System Inventory (hardware, software, and related information) (C (7)) Security Incident Response Plan (IRP) (C (15)) Security Incident Response Test Plan Security Incident Response Test Report (C (16)) Supply Chain Risk Management (SCRM) Plan ((C (17)) Contingency Plan (CP), including the Disaster Recovery Plan (DRP) and Business Impact Assessment (BIA) (C (8)) Contingency Plan Test Plan (CPTP) (C (9)) Contingency Plan Test Report (CPTPR) (C (10)) Interconnection Security Agreements (ISA) (C (3)) Configuration Management Plan (CMP) (C (12)) Systems Baseline Configuration Standard Document (C (13)) Audit Monitoring Program Continuous Monitoring Program (security risk mitigation) (C (18)) Access monitoring Configuration Monitoring Vulnerability Monitoring (Scanning) Third-Party Penetration Test Report Automated reporting to customer (if customer is prepared for it) Continuous Monitoring Plan e-authentication documents e-authentication Executive Summary e-authentication Detail Report e-authentication Risk and Requirements Assessment Tool (database file) Independent External Penetration Test and Report (C (20)) SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

44 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan User Access Authorization and Management Process Personnel Security Procedures Suitability Report (employee background investigation report) Security Test and Evaluation Plan (ST&E Plan) Security Test and Evaluation Report (ST&E Report) or Security Assessment Report (SAR) (C (6)) Annual FISMA Assessment (conducted per GSA CIO IT Security Procedural Guide 04-26, FISMA Implementation. ) (C (25)) In addition to the items above that are already included in our security A&A package or as deliverables, CenturyLink will include the following in its EIS MTIPS security A&A package or provide as deliverables: Code Review Report (if applicable) (C (21)) Monthly Reports on SCAP Common Configuration Enumerations (CCE) (NIST SP R4: CM-6) (C (26)) Monthly Reports on SCAP Common Platform Enumeration (CPE) (NIST SP R4: CM-8) (C (26)) Monthly Reports on SCAP Common Vulnerabilities and Exposures (CVE) (NIST SP R4: CM-8) (C (26)) Independent Internal Penetration Test and Report (C (20)) Document Management (C (27)) CenturyLink develops and maintains all current policy and procedure documents, as outlined in the specified NIST documents and applicable GSA IT Security Procedural Guides. For EIS, they will be verified and reviewed during the initial security assessment, and updates will be provided to the GSA Contracting Officer's Representative (COR)/ISSO/ISSM biennially to include the following. Access Control Policy and Procedures (NIST SP R4: AC-1) Security Awareness and Training Policy and Procedures (NIST SP R4: AT-1) SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

45

46

47

48

49 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan TASK 6-7 INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING CenturyLink follows a system-removal and decommissioning policy and procedures that ensure all data are securely erased or destroyed before storage elements leave CenturyLink premises. SFA# /NSP# RFP No.: QTA0015THA3003 SENSITIVE BUT UNCLASSIFIED Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016