C&A of Core Financial System

1.0 Identification Data
1.1 BSP Number
0014
1.2 BSP Title/Name
USAID Certification and Accreditation of Its Core Financial System
1.3 Version Number
1.0
1.4 Adoption Date
February 5, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
United States Agency for International Development (USAID), Bureau for Management, Information Resources Management (M/IRM), Information Systems Security Team
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
In the BSP Security Process Framework (SPF): Security Subprocess 9, Certification & Accreditation (C&A).

In the SSE CMM Framework: BP.06.

1.9 Reserved
Not to be completed by the drafter
1.10 Points of Contact
Government BSP Owner:
  • James P. Craft, CISSP
    USAID Information Systems Security Officer
    1300 Pennsylvania Ave., Suite 2.12-032
    Washington, DC 20523-2120
    Telephone: 202-712-5460
    Fax: 202-216-3053
    E-mail: jcraft@usaid.gov or cassistance@usaid.gov

Vendor Partner:

2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes the successful process the U.S. Agency for International Development (USAID) employed to certify and accredit its core financial system.
2.2 Requirements for this BSP
  • Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires "that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations."
  • Public Law 97-255, Federal Managers’ Financial Integrity Act of 1982, requires agency heads to annually evaluate and report to Congress on the control and financial systems that protect the integrity of Federal programs.

USAID Automated Directives Service (ADS), Chapter 545, Automated Information Systems Security, provides agency-wide information systems security policy.

2.3 Success Stories
USAID removed the material weakness from the Agency's New Management System (NMS) core financial system 18 months earlier than originally programmed. Additionally, the experience gained from the NMS C&A effort greatly prepared the team members to conduct a C&A of the Agency's newly implemented, JFMIP compliant, core financial system, Phoenix.
3.0 What This BSP Is
3.1 Description of BSP
The New Management System (NMS) is the core financial system of the United States Agency for International Development (USAID). In 1997, NMS Security and Access Controls were identified by the Agency's Office of Inspector General (OIG) as constituting a "material weakness" under the Federal Manager’s Financial Integrity Act (FMFIA). As a major step toward remedying this issue, the USAID Chief Financial Officer (CFO) and the USAID Information Systems Security Officer (ISSO) determined that the NMS would be taken through formal Security Certification and Accreditation (C&A). Two parallel developments were initiated: 1) Plan and execute the C&A of the NMS and 2) Build a general methodology to guide future C&A efforts within USAID. This BSP illustrates a typical utilization of that general methodology, now called USAIDCAP, applied to the NMS effort.
3.1.1

Inputs

  • Specific groups of 31 Management Controls, 46 Operational Controls and 59 Technical Controls derived from the Requirements in Section 2.2, above, and from the New Management System (NMS) Security Plan. These inputs were summarized in a Requirements Traceability Matrix contained in Appendix C of an overall NMS C&A Plan.
  • USAID's policy for IT security C&A.
  • Personnel very familiar with the subject system.
3.1.2 General

USAID's general C&A methodology, now called USAIDCAP, consists of four phases and hinges on a System Security Authorization Agreement (SSAA) package. USAIDCAP remains under development at the time of this BSP's creation.

Phase I: Initial Actions

  • A high-level summary of the proposed USAID IT Security Certification and Accreditation Process was developed and forwarded to senior USAID management for approval. The package was a compendium of the planning, investigation, and remedial activities necessary to produce formal certification and of the NMS (in the USAIDCAP this package is called a System Security Authorization Agreement (SSAA)). Areas previously addressed to sufficient levels, for instance, contingency planning in the NMS Security Plan, were not subjected to explicit effort as part of this C&A task.
  • The major planning activities in support of NMS Certification and Accreditation were captured in a C&A Plan.
  • Five major technical fixes were identified in support of NMS security requirements prior to development of the NMS Security Plan. The C&A Team tracked the status of these fixes and served as the application engineers in support of associated software Problem Reports (PRs).
  • Security roles and responsibilities, specifically for NMS Systems Security Managers, were documented and signed by USAID management.
  • NMS-specific security training was incorporated into the ongoing NMS training program. The C&A Team evaluated the status of ongoing NMS security training and made improvement recommendations. In addition, user roles and responsibilities were identified.
  • Select, high-priority action items from the existing NMS Security Plan were considered for implementation prior to beginning the C&A effort. These action items were selected to meet requirements of OMB Circular A-130 and to address the material weakness of NMS Security and Access Controls.
  • As added assurance for the Certification Authority, the contents of the Requirements Traceability Matrix (see C&A Plan, Appendix C) were subjected to an independent verification and validation (IV&V) review.
  • The C&A Security Test Plan presented the details of who would perform each test, how those tests would be conducted, where in the system the tests would be applied, and when in the testing sequence they would be used, for testing and evaluating the security requirements of the NMS in Certifying the system. The scope of NMS security testing was comprehensive. This Test Plan called for testing and evaluating the management, operational and technical control requirements, to include personnel and physical aspects, identified in the NMS Security Plan. Special attention was given to those aspects of NMS security and access controls that were reported as an Agency material weakness.
  • The C&A Test Procedures presented test cases and procedures for validation testing and evaluation of the NMS, leading to findings that were formally presented to the Designated Accrediting Authority.
  • The Security Test and Evaluation Report addresses the disposition of the NMS with respect to federal management, operational, and technical control requirements, as well as personnel and physical requirements identified in the NMS Security Plan.
  • Each of the requirements in the NMS Security Plan was evaluated and the amount of residual risk identified in a Risk Assessment report. For the assessment of NMS technical controls, this risk assessment relied heavily upon the results of security penetration testing performed as part of the NMS C&A process.

Phase II: Verification

The results of the Security Test and Evaluation Report and risk assessments were analyzed and reported in the Report of Findings.

Phase III: Certify & Accredit

The total package was then assembled into an Approval Package. This package formed the basis for both the certification and accreditation statements, and issuance of the formal Authority to Operate certificate.

Phase IV: Post C&A

Following C&A, the OIG conducted an audit to verify that the material weakness of NMS Security and Access Controls warranted removal. The USAID ISSO then briefed senior USAID management on the Agency’s readiness to remove the material weakness of NMS Security and Access Controls.

3.1.3

Outputs

  • The significant outputs of the NMS C&A effort were the signed certification and accreditation statements. They are provided here for reference (sensitive information has been removed).
  • USAID's C&A process is in its final stages of development. Called USAIDCAP, the four-phase, System Security Authorization Agreement-based process will serve as the Agency's overarching certification and accreditation guideline.
3.2 Relationship to Other BSPs
BSP00006, How to Accredit Information Systems for Operation.
4.0 How To Use This BSP
4.1 Implementation Guidance
  • The C&A concept was unfamiliar to most managers at USAID when the NMS C&A effort commenced. Because of this, it was very important to keep a realistic set of expectations in the minds of all the stakeholders in the process, and to take care that requirements-creep was carefully controlled as the effort unfolded. To avoid a problem with continuously expanding goals for the project, all stakeholders were involved during the planning stage and throughout project execution. This practice assured everyone that their concerns were being addressed. Frequent briefings on progress and findings helped to keep expectations properly calibrated.
  • Manage individual component activities in the context of their contribution to the overall objective, vice perfecting each deliverable in isolation.
4.2 Implementation Resource Estimates
An NMS Security Plan was already in place before the NMS C&A effort was initiated. Given this resource, and the fact that all team members were very familiar with the system being certified, a technical team of three (3) contractor personnel finished the C&A effort in four (4) months, i.e., 12 person-months of effort. If team members must first learn the system, all would require about one (1) additional month per person to finish the job.

The Team members' skill levels consisted of one (1) senior security test engineer, one (1) senior systems security analyst, and one (1) senior security project manager.

4.3 Performance Goals and Indicators (Metrics)
Besides comparing actual task execution to a standard project time-line plan, an Earned Value Analysis (EVA) was performed at the completion of each major milestone. EVA is generalized performance management technique employed by USAID on its PRIME contract.
4.4 Tools
The standard MS-OFFICE suite was very useful, particularly the MS-PROJECT and MS-WORD applications.
4.5 Training Materials
The NMS C&A team members were technically competent at the task's initiation. No specialized skill training was required.

The NMS C&A team members participated in the NMS Overview Training Class at the commencement of the effort. This training permitted the team members to both learn about the major application as well as observe the quality of training imparted to all users.

At the end of the NMS C&A effort, 3 slides were added to the standard "New-NMS User" briefing materials, to familiarize users with the additional tasks involved in secure system operations.

Appendices
A Executive Overview and Briefing
An example management briefing used to kick-off the NMS C&A effort.
B Reference List
  1. Clinger-Cohen Act of 1996.
  2. Department of Defense Instruction No. 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997.
  3. General Accounting Office "Federal Information System Control Audit Manual" (FISCAM).
  4. International Standard 15408, Common Criteria, Version 2.0, May 1998.
  5. National Computer Security Center (NCSC) NCSC-TG-027, Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992.
  6. National Computer Security Center (NCSC) NCSC-TG-028, Assessing Controlled Access Protection, May 1992.
  7. National Computer Security Center (NCSC) NCSC-TG-029, Introduction to Certification and Accreditation, January 1994.
  8. National Computer Security Center (NCSC) NCSC-TG-031, Certification and Accreditation Process Handbook for Certifiers, July 1996.
  9. National Computer Security Center (NCSC) NCSC-TG-032, Accreditor’s Guideline, July 1997.
  10. National Institute of Standards and Technology (NIST) Special Publication 800-12, Introduction to Computer Security, the NIST Handbook, October 1995.
  11. National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
  12. National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.
  13. Federal Information Processing Standards (FIPS) Publication 102, Guideline for Computer Security Certification and Accreditation, September 1983.
  14. Federal Information Processing Standards (FIPS) Publication 191, Guideline for the Analysis of Local Area Network Security, November 1994.
  15. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) , April 2000.
  16. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, National Information systems Security (INFOSEC) Glossary, January 1999.
  17. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4012, National Training Standard for Designated Approving Authority (DAA).
  18. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4013, National Training Standard for System Administrators in Information Systems Security (INFOSEC) , August 1997.
  19. National Security Agency (NSA), National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4014, National Training Standard for Information Systems Security officers (ISSO, August 1997).
  20. Office of Management and Budget (OMB) Memorandum 99-05, Instructions on Complying with President’s Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records.
  21. Office of Management and Budget (OMB) Memorandum 00-13, Policies and Data Collection on Federal Web Sites.
  22. Office of Management and Budget (OMB) Memorandum 99-18, Privacy Policies on Federal Web Sites.
  23. Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources.
  24. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control Paperwork Reduction Act of  1995, June 21, 1995.
  25. Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government.
  26. Public Law 100-235, Computer Security Act of 1987.
C Procurement Information
The USAID has contracted for general IRM support with CSC under the Agency's Principal Resource for Information Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM. USAID obtains its information system security support from CSC under the PRIME contract using the Performance Work Statement (PWS) at Appendix C *.doc.
D Evaluation Information
Not to be completed by the drafter
E Recommended Changes
Not to be completed by the drafter
F Glossary
None applicable