10.14 Acquisition and External Processing Requirements
Copyright(c), 1995 - Management Analytics - All Rights Reserved
The federal IT security policies are applicable for IT systems
regardless of whether the services are performed within DOC, by another
Government agency, or by a non-Government agency. However, in the
latter two situations, the agency would not be under the operational
management control of DOC and must be treated somewhat differently.
Procurement or other documents used to acquire or operate IT
installations, equipment, software, and related resources or services
shall contain specifications to assure that appropriate technical,
administrative, personnel and physical security requirements are
included. The specified security requirements will be reviewed and
approved by the appropriate ITSSO who must certify that the specified
security requirements are reasonably sufficient for the intended use,
and that they satisfy current federal and DOC laws, regulations and
policies.
Processing by Another Government Agency - All Government agencies
are required to adhere to the IT security policies contained in the
"Computer Security Act," P.L. 100-235 and OMB Circular A-130, unless
more stringent policies or regulations apply. Other federal agencies
may implement these requirements somewhat differently than Commerce, but
they must adhere to the policy that sensitive applications will only be
processed on IT systems having appropriate security protection, after
the systems have been certified and accredited by senior officials of
the organization. When DOC processing is done by another agency, the
sensitivity of the data and application will be determined by a DOC
official. The certification of the application is the responsibility of
the agency owning the application. If the application is not a DOC
application, the owning agency must provide a copy of the certification
to the Department. In such a case, compliance with the federal IT
security policies will be accomplished as follows:
1. The DOC data or application owner is responsible for
determining the sensitivity of the data and/or
application and making this known to the servicing
agency.

2. The servicing agency personnel who will have access to
the sensitive DOC resources must be screened in
accordance with the Federal Personnel Manual and the
servicing agency equivalent to the "DOC Personnel
Security Manual." Servicing agreements will specify
that personnel will be screened and appropriate
clearances granted before allowing access to DOC
sensitive resources.

3. The DOC senior official empowered to certify the
sensitive application, if it belongs to DOC, will
request the servicing agency to provide the
certification and backup documentation. Based on the
information provided, the official may choose to
certify, not certify, or certify for operation under
certain specified conditions.

4. The servicing agreement must state clearly that the
application or system has been certified and that the
servicing organization has achieved, and will maintain,
a level of security commensurate with the sensitivity
of the data being processed for the DOC.

5. The agreement must state that the application or system
must be recertified every three years or earlier if
substantial modifications have been made to the
application or system. A copy of the recertification
will be provided to the DOC data or application owner.

6. The agreement must specify that the servicing
organization will develop and maintain a Disaster
Recovery Plan which includes sensitive DOC applications
and data.
Processing by a Non-Government Agency - When a contractor or other
non-Government organization is processing DOC work, the contract must
specify adherence to DOC IT security policies and the National
Industrial Security Program as outlined in Executive Order 12829 for
classified processing. In addition:
1. Before entering into an agreement to process sensitive
data or applications at a contractor facility, a risk
analysis must be performed, and approved by DOC
personnel. A new risk analysis must be performed
whenever significant changes to the system occur or
every three years, whichever occurs first.

2. DOC sensitive applications must be certified and
recertified, as specified in Section 3 above, for
operation at the contractor facility. Section 3 of the
"DOC IT Security Manual" identifies the required
actions in the certification process.

3. The servicing contract should specify that DOC reserves
the right to perform unannounced on-site inspections to
ensure that an adequate level of security is being
maintained.

4. Monitoring contractor compliance will be the
responsibility of the DOC Contracting Officer's
Technical Representative (COTR), in coordination with
the appropriate procurement and IT security officers,
and the DOC owner of the data or application.
Section 14 of the "DOC IT Security Manual" contains specific
information and guidance concerning IT acquisition security requirements
and external IT processing services.