
Jim Craft USAID ISSO

NMS Certification and Accreditation (C&A) Removal of Material Weakness for NMS Security and Access Controls. Jim Craft USAID ISSO. NMS Security Requirements FFMIA Report and OMB Circular A-130. Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB


Presentation Transcript


  1. NMS Certification and Accreditation (C&A): Removal of Material Weakness for NMS Security and Access Controls
     Jim Craft, USAID ISSO

  2. NMS Security Requirements: FFMIA Report and OMB Circular A-130

     Federal Financial Management Improvement Act (FFMIA) Report to the President and OMB
     USAID identified 10 material weaknesses, including NMS security and access controls, in its CY-1997 Report. The Agency CFO indicated remedial actions would be completed within 3 years (by FY-2001).
     “The material weakness resulted from the level at which controls are implemented in the system, the design of access controls implemented in the system, audit trails of system activity, user identification and password administration, and access to sensitive Privacy Act information.”

     OMB Circular A-130, Appendix III: Security of Federal Automated Information Resources
     "Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications."
     OMB Circular A-130 defines 4 new Federal agency requirements for managing and protecting their information resources:
     • Assigning responsibility for security
     • Completing security plans for general support systems and major applications
     • Periodically reviewing security controls
     • Authorizing processing

  3. NMS C&A Tasks
     1. Conduct Risk Assessment
     2. Technical Fixes
     3. NMS Security Plan Actions
     4. Certification and Accreditation (C&A) Policy Approved
     5. Certification and Accreditation (C&A) Plan
     6. Roles and Responsibilities Approved
     7. Delegation of Systems Security Manager
     8. NMS Security Training (Users, Administrators, and Managers)
     9. Certification by IV&V Contractor
     10. Security Accreditation of NMS by CFO
     11. Audit by OIG
     12. Executive Brief (Close NMS Security Material Weakness)

  4. Certification and Accreditation Tasks 1 - 3
     1. Conduct Risk Assessment
        • NMS Security Team (TAC 22) assisted by the ISS Team (TAC 07)
        • Establish risks for NMS operations at USAID/W, progressively including
          • PRIME, T-Hub
          • Beltsville
          • 81 Foreign Missions
          • Communications with foreign missions via DTS-PO, VSAT, and Internet
        • Deliver report on risk assessment and recommendations - Could be done as part of Certification Report
     2. Technical Fixes
        • 5 Key Security Vulnerabilities
        • Build Test Scenarios/Scripts - Certification
     3. NMS Security Plan Actions
        • Review and approve remaining NMS Security Plan action items for implementation to bring NMS into compliance with security requirements from ADS, OMB A-130, FISCAM, and OIG Audit Reports. Initial action items include:
          • Implement NMS audit trails
          • Implement Operational and Management Change Procedures

  5. Certification and Accreditation Tasks 4 - 8
     4. C&A Policy Approved
        • Approve C&A Policy for NMS
     5. C&A Plan
        • C&A Plan
        • C&A Definition
        • C&A Verification
        • C&A Validation
        • Prepare Certification Report and Accreditation Recommendation for ISSO and IRM director approval
        • C&A Post Accreditation Support
     6. Roles & Responsibilities Approved
        • Delegate accreditation authority for core financial systems to the CFO
        • Assign the accreditation of general support systems to the CIO
        • Assign responsibility to the Director, IRM, for ISSPP and general support systems
        • Assign authority and responsibility to the USAID ISSO for ISSPP implementation
     7. Delegate Systems Security Manager
        • Designate a security official to implement NMS C&A
     8. NMS Security Training
        • Provide security input into current NMS training for users, administrators, and managers

  6. Certification and Accreditation Tasks 9 - 12
     9. Certification by IV&V Contractor
        • CFO selects IV&V contractor
        • CFO reviews and accepts IV&V contractor
     10. Security Accreditation of NMS by CFO
        • Authorize NMS for processing
     11. Audit by OIG
        • Verify substantial removal of the NMS security and access controls material weakness
     12. Executive Brief and Close NMS Security Material Weakness
        • Include removal of NMS Security material weakness in the FFMIA annual report.

  7. Certification and Accreditation Implementation Schedule
     [Schedule chart. Time axis: 2000, Feb through Sep. Chart labels: NMS 4.82, NMS 4.81. Rows:]
     1. Conduct Risk Assessment
     2. Technical Fixes
     3. NMS Security Plan Actions
     4. C&A Policy Approved
     5. C&A Plan
     6. Roles and Responsibilities Approved
     7. Delegation of Systems Security Manager
     8. NMS Security Training
     9. Certification by IV&V Contractor
     10. Security Accreditation of NMS by CFO
     11. Audit by OIG
     12. Executive Brief (Close NMS Security Material Weakness)

  8. Next Step: Implement Similar Process for IFMS
     [Timeline diagram. Labels: Authorization to Process; O.k.; ADS Policy; C&A; Implementation of NMS Sec. Plan; OIG; IV&V; Cairo & San Salvador; FFMIA; IFMS; AWACS; Momentum; AID/W; NMS. Date markers: 02-01, 05-01, 07-01, 10-01, 03-31; years 2000 and 2001.]

  9. Goal: Favorable OIG Audits and Reports to Congress
     • Confirmation of substantial removal of security material weakness by the Inspector General’s Office to the Administrator
     • FFMIA 2000 Report by the CFO to OMB asserting the removal of the security material weakness from 1997
     • Semiannual Report to Congress by the OIG confirming substantial removal of security material weakness
