NMS Certification and Accreditation (C&A)
Removal of Material Weakness for
NMS Security and Access Controls
Jim Craft
USAID ISSO
NMS Security Requirements
FFMIA Report and OMB Circular A-130
Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB
USAID identified 10 material weaknesses, including NMS security and access controls, in its CY-1997
Report.
The Agency CFO indicated remedial actions would be completed within 3 years (by FY-2001).
“The material weakness resulted from the level at which controls are implemented in the system, the design
of access controls implemented in the system, audit trails of system activity, user identification and password
administration, and access to sensitive Privacy Act information.”
OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources
"Agencies shall implement and maintain a program to assure that adequate security is provided for all agency
information collected, processed, transmitted, stored, or disseminated in general support systems and major
applications."
OMB Circular A-130 defines 4 new Federal agency requirements for managing and protecting their information
resources:
• Assigning responsibility for security
• Completing security plans for general support systems and major applications
• Periodically reviewing security controls
• Authorizing processing
NMS C&A Tasks
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. Certification and Accreditation (C&A) Policy Approved
5. Certification and Accreditation (C&A) Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training (Users, Administrators, and Managers)
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
Certification and Accreditation
Tasks 1 - 3
1. Conduct Risk Assessment
• NMS Security Team (TAC 22) assisted by the ISS Team (TAC 07)
• Establish risks for NMS operations at USAID/W, progressively including
  – PRIME, T-Hub
  – Beltsville
  – 81 Foreign Missions
  – Communications with foreign missions via DTS-PO, VSAT, and Internet
• Deliver report on risk assessment and recommendations - could be done as part of the Certification Report
2. Technical Fixes
• 5 Key Security Vulnerabilities
• Build Test Scenarios/Scripts - Certification
3. NMS Security Plan Actions
• Review and approve remaining NMS Security Plan action items for implementation to bring NMS into compliance with
security requirements from ADS, OMB A-130, FISCAM, and OIG Audit Reports. Initial action items include:
  – Implement NMS audit trails
  – Implement Operational and Management Change Procedures
Certification and Accreditation
Tasks 4 - 8
4. C&A Policy Approved
• Approve C&A Policy for NMS
5. C&A Plan
• C&A Plan
• C&A Definition
• C&A Verification
• C&A Validation
• Prepare Certification Report and Accreditation Recommendation for ISSO and IRM Director approval
• C&A Post-Accreditation Support
6. Roles & Responsibilities Approved
• Delegate accreditation authority for core financial systems to the CFO
• Assign the accreditation of general support systems to the CIO
• Assign responsibility to the Director, IRM, for ISSPP and general support systems
• Assign authority and responsibility to the USAID ISSO for ISSPP implementation
7. Delegate Systems Security Manager
• Designate a security official to implement NMS C&A
8. NMS Security Training
• Provide security input into current NMS training for users, administrators, and managers
Certification and Accreditation
Tasks 9 - 12
9. Certification by IV&V Contractor
• CFO selects IV&V contractor
• CFO reviews and accepts IV&V contractor
10. Security Accreditation of NMS by CFO
• Authorize NMS for processing
11. Audit by OIG
• Verify substantial removal of the NMS security and access controls material weakness
12. Executive Brief and Close NMS Security Material Weakness
• Include removal of the NMS Security material weakness in the FFMIA annual report.
Certification and Accreditation
Implementation Schedule
[Gantt chart, Feb - Sep 2000; release milestones NMS 4.81 and NMS 4.82 marked on the timeline]
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. C&A Policy Approved
5. C&A Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training
9. Certification by IV&V Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
Next Step: Implement Similar Process
for IFMS Authorization to Process
[Timeline chart; labels recovered from the slide: ADS Policy, C&A, Implementation of NMS Sec. Plan, OIG, IV&V, FFMIA, "O.k."; systems: AWACS, Cairo & San Salvador, Momentum AID/W, NMS, IFMS; date markers: 02-01, 05-01, 07-01, 10-01 (2000) and 03-31 (2001)]
Goal: Favorable OIG Audits
and Reports to Congress
• Confirmation of substantial removal of the security material weakness
by the Inspector General’s Office to the Administrator
• FFMIA 2000 Report by the CFO to OMB
asserting the removal of the security material weakness from 1997
• Semiannual Report to Congress by the OIG
confirming substantial removal of the security material weakness