NMS Certification and Accreditation C - PowerPoint PPT Presentation

About This Presentation
Title:

NMS Certification and Accreditation C

Description:

Jim Craft. USAID ISSO. 2. NMS Security Requirements. FFMIA Report and OMB Circular A-130 ... USAID identified 10 material weaknesses, including NMS security ... – PowerPoint PPT presentation

Slides: 10
Provided by: robs3

Transcript and Presenter's Notes

Title: NMS Certification and Accreditation C


1
NMS Certification and Accreditation (CA)
Removal of Material Weakness for NMS Security
and Access Controls
Jim Craft, USAID ISSO
2
NMS Security Requirements: FFMIA Report and OMB
Circular A-130
  • Federal Financial Management Improvement Act
    (FFMIA) Report to the President and OMB
      • USAID identified 10 material weaknesses,
        including NMS security and access controls, in
        its CY-1997 Report.
      • The Agency CFO indicated remedial actions would
        be completed within 3 years (by FY-2001).
      • The material weakness resulted from the level
        at which controls are implemented in the system,
        the design of access controls implemented in the
        system, audit trails of system activity, user
        identification and password administration, and
        access to sensitive Privacy Act information.
  • OMB Circular A-130, Appendix III: Security of
    Federal Automated Information Resources
      • "Agencies shall implement and maintain a program
        to assure that adequate security is provided for
        all agency information collected, processed,
        transmitted, stored, or disseminated in general
        support systems and major applications."
      • OMB Circular A-130 defines 4 new Federal agency
        requirements for managing and protecting their
        information resources:
          • Assigning responsibility for security
          • Completing security plans for general support
            systems and major applications
          • Periodically reviewing security controls
          • Authorizing processing

3
NMS CA Tasks
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. Certification and Accreditation (CA) Policy Approved
5. Certification and Accreditation (CA) Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training (Users, Administrators, and Managers)
9. Certification by IVV Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
4
Certification and Accreditation Tasks 1 - 3
  • 1. Conduct Risk Assessment
      • NMS Security Team (TAC 22) assisted by the ISS
        Team (TAC 07)
      • Establish risks for NMS operations at USAID/W,
        progressively including:
          • PRIME, T-Hub
          • Beltsville
          • 81 Foreign Missions
          • Communications with foreign missions via DTS-PO,
            VSAT, and Internet
      • Deliver report on risk assessment and
        recommendations - Could be done as part of
        Certification Report
  • 2. Technical Fixes
      • 5 Key Security Vulnerabilities
      • Build Test Scenarios/Scripts - Certification
  • 3. NMS Security Plan Actions
      • Review and approve remaining NMS Security Plan
        action items for implementation to bring NMS into
        compliance with security requirements from ADS,
        OMB A-130, FISCAM, and OIG Audit Reports.
        Initial action items include:
          • Implement NMS audit trails
          • Implement Operational and Management Change
            Procedures

5
Certification and Accreditation Tasks 4 - 8
  • 4. CA Policy Approved
      • Approve CA Policy for NMS
  • 5. CA Plan
      • CA Plan
      • CA Definition
      • CA Verification
      • CA Validation
      • Prepare Certification Report and Accreditation
        Recommendation for ISSO and IRM director approval
      • CA Post Accreditation Support
  • 6. Roles and Responsibilities Approved
      • Delegate accreditation authority for core
        financial systems to the CFO
      • Assign the accreditation of general support
        systems to the CIO
      • Assign responsibility to the Director, IRM, for
        ISSPP and general support systems
      • Assign authority and responsibility to the USAID
        ISSO for ISSPP implementation
  • 7. Delegate Systems Security Manager
      • Designate a security official to implement NMS
        CA
  • 8. NMS Security Training
      • Provide security input into current NMS training
        for users, administrators, and managers

6
Certification and Accreditation Tasks 9 - 12
  • 9. Certification by IVV Contractor
      • CFO selects IVV contractor
      • CFO reviews and accepts IVV contractor
  • 10. Security Accreditation of NMS by CFO
      • Authorize NMS for processing
  • 11. Audit by OIG
      • Verify substantial removal of the NMS security
        and access controls material weakness
  • 12. Executive Brief and Close NMS Security
    Material Weakness
      • Include removal of NMS Security material weakness
        in the FFMIA annual report.

7
Certification and Accreditation Implementation
Schedule
[Schedule chart: tasks plotted by month, Feb through Sep 2000; chart labels: NMS 4.82, NMS 4.81]
1. Conduct Risk Assessment
2. Technical Fixes
3. NMS Security Plan Actions
4. CA Policy Approved
5. CA Plan
6. Roles and Responsibilities Approved
7. Delegation of Systems Security Manager
8. NMS Security Training
9. Certification by IVV Contractor
10. Security Accreditation of NMS by CFO
11. Audit by OIG
12. Executive Brief (Close NMS Security Material Weakness)
8
Next Step: Implement Similar Process for IFMS
Authorization to Process

[Timeline diagram; labels: O.k., ADS Policy, CA, Implementation of NMS Sec. Plan, OIG, IVV, Cairo San Salvador, FFMIA, IFMS, AWACS, Momentum AID/W, NMS; dates shown: 03-31, 10-01, 07-01, 02-01, 05-01; years: 2001, 2000]
9
Goal: Favorable OIG Audits and Reports to
Congress
  • Confirmation of substantial removal of security
    material weakness by the Inspector General's
    Office to the Administrator
  • FFMIA 2000 Report by the CFO to OMB asserting the
    removal of the security material weakness from 1997
  • Semiannual Report to Congress by the OIG confirming
    substantial removal of security material weakness