TSA Information Assurance (IA) Handbook

Transcription

TRANSPORTATION SECURITY ADMINISTRATION
INFORMATION TECHNOLOGY
INFORMATION ASSURANCE AND CYBERSECURITY DIVISION

TSA Information Assurance Handbook
Attachment 1 to TSA MD 1400.3 IT Security

Date Signed: 07/27/2018
Paul D. Morris (Executive Director, CISO)
Version 14.0

Records Disposition Schedule (RDS) Policy Records Code and Item: 2000.4.1
PERMANENT: Cut off at the end of calendar year in which superseded or obsolete. Transfer to NARA 10 years after cut off. [Authority N1-560-04-10, Item 5b]

INFORMATION TECHNOLOGY
INFORMATION ASSURANCE HANDBOOK

This Page Intentionally Left Blank

Page 2 of 273

Table of Contents

TSA Information Assurance Handbook ........ 1
Table of Contents ........ 3
1. Purpose ........ 4
2. Scope ........ 4
3. Policy ........ 7
4. Roles and Responsibilities ........ 226
5. Definitions ........ 244
6. Abbreviations ........ 255
7. Acknowledgements ........ 261
8. Authorities ........ 262
9. Document Change History ........ 264
10. Document Control Information ........ 265
11. Effective Date and Implementation ........ 265
12. Appendix A - References (Federal Information Assurance (IA) Policy Mandate -- Top-Down Alignment Diagram and Detailed Authorities) ........ 266

1. Purpose

This handbook implements the policies and requirements of the Transportation Security Administration (TSA) Management Directive (MD) 1400.3, Information Technology Security, by establishing guidance applicable to the use, development, and maintenance of TSA Information Technology (IT) assets, networks, and systems. The guidance contained herein is designed to ensure the Confidentiality, Integrity, Availability, and overall assurance of TSA information. This handbook is supplemented by published extension documents, TSA Technical Standards (TSs), and Standard Operating Procedures (SOPs). The IA HB, TSs, SOPs and other relevant documents are published on the IA Policy Outreach page. This document is used to identify responsibilities by educating and increasing awareness of TSA information assurance (IA) policy. An accountability matrix containing roles and responsibilities of key personnel mentioned in this Handbook can be found in an Information Assurance (IA) Roles and Responsibilities spreadsheet located on our IA Policy Outreach site. References to the specific areas and authorities that enable successful execution of tasks and job requirements are identified herein. Appendix A (References), located at the back of this Handbook, contains a Figure 1 diagram which illustrates a top-down approval and alignment order as derived in accordance with (IAW) federal policy mandates.

2. Scope

The policies within this handbook apply to all TSA employees, contractors, vendors, detailees, others working on behalf of TSA, and to non-TSA individuals authorized to access TSA information systems, software and/or applications. It also applies to all TSA information systems, software and/or applications that collect, generate, process, store, display, transmit, or receive TSA data, including prototypes and telecommunications systems, in all phases of the Systems Engineering Life Cycle (SELC), unless an approved waiver has been granted using the proper waiver form. The above assets shall be collectively referred to as "IT assets" throughout the document.

As required by the Department of Homeland Security (DHS), the Federal Chief Information Officer (CIO) and Office of Management and Budget (OMB) guidance, program and project managers shall be provided with guidance to support the implementation of Agile Information Technology (IT) Development. Requirements shall reference the DHS "Carwash" User Guide, the DHS Directive System Instruction Number 102-01-004: Agile Development and Delivery for Information Technology, and the DHS Agile Center of Excellence - Tools. These guides enhance understanding as to why Agile is a preferred approach to federal IT development, how it provides a starting point for increasing DHS-wide application of Agile methodologies, and how it helps managers and other key stakeholders identify options for tailoring the SELC for Agile. The private sector uses Agile as an effective and efficient method to deliver software faster, better, and cheaper compared to other methods.

Important note for System Owners (SOs) and Information Systems Security Officers (ISSOs): in the context of this IA Handbook, the term "System" is synonymous with "Application" and "Software", and the expectation for adherence is the same.

The structure of this document is based on the controls contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Information on privacy controls and related privacy overlays can be found here. Furthermore, the controls identified are mapped to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, which establishes the foundation for categorizing systems based on three security objectives: Confidentiality, Integrity, and Availability (C, I, A). These publications, and other relevant NIST guidance, are available online at http://csrc.nist.gov/.

Security objectives are assigned a potential impact level, also known as "impact level" throughout this handbook, of Low, Moderate, or High. Within the tables of requirements in this document, the applicability of each control statement is provided in the "Category" column with the following abbreviations: Low (L), Moderate (M), High (H), Privacy System (P), or Chief Financial Officer (CFO) Designated Financial System (F).

Definitions for terms are located in Section 5, Definitions. For definitions not identified there, the NIST Glossary of Key Information Security Terms shall be used as a baseline for reference.

The DHS Sensitive Systems Policy Directive 4300A, and its supporting Handbook, shall take precedence in instances where there is conflict with TSA MD 1400.3 ITS and this supporting handbook, unless otherwise identified in TSA policy.

With the DHS Trusted Internet Connection (TIC) infrastructure initiative as mandated by OMB M-08-05, this TSA IA Handbook and its extension documents shall address the expansion in scope from a current TSA-only management service function to a DHS entity entrusted with providing a more centrally managed Semi-Trusted/DMZ environment. The overall purpose of the DHS TIC effort is to optimize and standardize the security of individual external network connections (extranet services) currently in use by the TSA and other agencies.

Regarding vulnerabilities, weaknesses and mitigations, POA&Ms shall not exceed the maximum duration for closure based on FIPS 199 impact levels for the system: 45 days (for High), 60 days (for Moderate), and 90 days (for Low). NOTE: Based on directions from the DHS USM Memo titled "Strengthening DHS Cyber Defenses" (July 22, 2015), a unique type of "High" impact level category classified as "Critical" may be used under certain circumstances and in response to escalation in cyber related attacks. Weaknesses or vulnerabilities identified as Critical by the National Cybersecurity Assessment and Technical Services (NCATS) must be mitigated within 30 days. This newly created Critical impact is also supported by Binding Operational Directive (BOD) 15-01: "Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments' and Agencies' Internet-Accessible Systems". In these special cases, subsequent instructions shall be forthcoming from the TSA Authorizing Official (AO). Systems not in compliance with this 30-day mitigation requirement risk being shut down or removed from the network at the discretion of the AO.

The CISO has the flexibility and the resources to work with DHS with the presumption that TSA has full and complete trust in DHS, from an architectural perspective, to serve as the provider and manager of TSA's current Semi-Trusted zone. Additional details may be found in the TSA TIC Migration Plan of Action and Milestones Agreement and Approval document, dated August 31, 2011, under VPN Service (p. 7), in that "DHS OneNet network infrastructure is a Department managed service to the DHS Component and should be considered trusted."

In cases where current TSA policy is conflicting, the policy identified in this Handbook shall take precedence. The TSA Chief Information Security Officer (CISO) shall make the final arbitration decision in the case of any conflicting guidance in policy documents. In addition, in cases where this handbook conflicts with SSI Program Office or Privacy Office policy and procedures, the appropriate SSI and Privacy office's guidance shall take precedence.
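The POA&M closure limits stated in the Scope section (45/60/90 days by FIPS 199 impact level, and 30 days for NCATS-identified Critical findings) expressed as a POA&M aging check an ISSO could run over a weakness tracker export. This is an added example, not part of the TSA handbook or any TSA tool; the Weakness records, POAM-nnnn identifiers and the "as of" date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum POA&M duration to closure, in days, keyed by FIPS 199 impact level,
# plus the 30-day "Critical" category (DHS USM memo of July 22, 2015 / BOD 15-01).
MAX_CLOSURE_DAYS = {
    "critical": 30,
    "high": 45,
    "moderate": 60,
    "low": 90,
}


@dataclass(frozen=True)
class Weakness:
    poam_id: str              # constructed sample identifier, not a real POA&M number
    system: str
    impact: str               # "low", "moderate", "high", or "critical"
    identified: date          # date the weakness was identified
    closed: Optional[date] = None


def deadline(w: Weakness) -> date:
    """Latest acceptable closure date for the weakness under the handbook's limits."""
    level = w.impact.lower()
    if level not in MAX_CLOSURE_DAYS:
        raise ValueError(f"unknown impact level: {w.impact!r}")
    return w.identified + timedelta(days=MAX_CLOSURE_DAYS[level])


def status(w: Weakness, today: date) -> str:
    """Classify a weakness as 'closed', 'closed-late', 'open' or 'overdue'."""
    due = deadline(w)
    if w.closed is not None:
        return "closed-late" if w.closed > due else "closed"
    return "overdue" if today > due else "open"


def days_remaining(w: Weakness, today: date) -> int:
    """Days until the deadline; negative once it has passed."""
    return (deadline(w) - today).days


def report(weaknesses, today: date):
    """Return the open items that still need action, most urgent first."""
    rows = []
    for w in weaknesses:
        s = status(w, today)
        if s in ("open", "overdue"):
            rows.append({"poam_id": w.poam_id, "system": w.system,
                         "impact": w.impact, "status": s,
                         "due": deadline(w).isoformat(),
                         "days_remaining": days_remaining(w, today)})
    return sorted(rows, key=lambda r: r["days_remaining"])


# Constructed sample POA&M records (not real TSA data).
SAMPLE = [
    Weakness("POAM-0001", "SystemA", "high", date(2018, 6, 1)),
    Weakness("POAM-0002", "SystemB", "moderate", date(2018, 7, 1)),
    Weakness("POAM-0003", "SystemC", "low", date(2018, 5, 1), closed=date(2018, 7, 15)),
    Weakness("POAM-0004", "SystemD", "critical", date(2018, 7, 10)),
    Weakness("POAM-0005", "SystemE", "high", date(2018, 4, 1), closed=date(2018, 6, 1)),
]
TODAY = date(2018, 7, 27)  # constructed "as of" date (the handbook's signing date)

if __name__ == "__main__":
    for row in report(SAMPLE, TODAY):
        print(row)
```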

3. Policy

3.1 Access Control (AC)

The implementation of proper access control is a critical element of the information assurance (IA) solution. TSA and DHS-trusted IT related assets provide an environment that allows active network use by authorized individuals in the performance of their assigned tasks, while also ensuring appropriate measures are in place to maintain the integrity of network information through limited and controlled access. This control supports the logical access control measures of TSA and DHS trusted IT assets, and is applicable to all TSA IT assets whenever a claim of identity is made. Where applicable, specific detailed guidance on the information security requirements for access control is contained in several TSs including: TS-001 Passwords/PINs, TS-002 Encryption, TS-003 Wi-Fi, TS-008 End User Assets, TS-010 Network Interconnections, TS-012 Port Security, TS-015 Network Logical Access Control, TS-016 Remote Access, TS-023 Voice over Internet Protocol (VOIP), TS-024 Radio Frequency Identification (RFID), TS-025 Virtual Private Networks (VPNs), TS-028 Web Applications, TS-030 Internet Site Access, TS-036 Infrastructure Asset Security, TS-037 Server Security and TS-049 Information Systems Logging.

Other guidance: OMB Memorandum 04-04, 08-05, and 08-27; FIPS Publications 140-2, 199, and 201; NIST Special Publications 800-12, 800-16, 800-46, 800-48, 800-63, 800-73, 800-77, 800-78, 800-98, 800-94, 800-100, 800-113, 800-114, 800-121, and 800-124.

3.1.1 Access Control Policy and Procedures (AC-1)

Policy ID / Policy Statements [DHS 4300A reference; NIST SP 800-53 control; Category]

1.1.1 The CISO shall develop, disseminate, and annually review/update a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among TSA and DHS trusted entities. The CISO shall also ensure documented procedures are established at the system level, and each system needs to develop its own procedures in order to facilitate the implementation of access control policies and associated controls that provide protection from unauthorized alteration, loss, unavailability, or disclosure of information. [NIST: AC-1; Category: L, M, H, F]

1.1.2 The System Owner (SO) shall be responsible for the management of access controls for IT assets for the information system, including oversight and agreements as needed for IT assets outside of direct control by TSA personnel. [NIST: AC-1, AC-2; Category: L, M, H, F]

1.1.3 For the purpose of maintenance, a cleared and authorized vendor/individual shall sign in, provide credentials, and be escorted for access to a designated area for the purpose of maintaining TSA or DHS equipment; an authorized federal manager or designee with knowledge of the maintenance task shall be present to escort and monitor the individual at all times.

1.1.4 Reserved

1.1.5 All privileged access control shall be in compliance with the TSA policy.

1.1.6 In the very rare instance where emergency access to an account is needed by an authorized individual other than the account owner, this shall be strictly controlled and approved by the CISO, Deputy CISO, or other designee prior to being granted. This type of access is normally on a temporary basis, with a time frame determined by the authorized individual or designee.

1.1.7 The ISSO shall provide on-going supervision and review of the actions of personnel who enforce access controls and those who are subject to this

1.1.8 The ISSO shall ensure the SOC routinely reviews activity logs for signs of inappropriate actions, and response action shall be taken as required. [DHS 4300A: 5.2.a, 5.4.3.a; NIST: AC-1; Category: L, M, H, F]

1.1.9 Changes to user access rights shall be regularly reviewed, at least quarterly, by the user's supervisor independent of the information security function. [DHS 4300A: 5.2.a, 5.4.3.a; NIST: AC-1; Category: L, M, H, F]

1.1.10 The user's supervisor shall notify the system ISSO of any abnormal activity and support investigation activities upon request. [DHS 4300A: 5.2.a, 5.4.3.a; NIST: AC-1; Category: L, M, H, F]

3.1.2 Account Management (AC-2)

General user accounts are established by the TSA after the completion of the TSA Form 1403, Computer and Personal Electronic Device Access Agreement (CAA), available via the Online Learning Center (OLC). The data and applications available to the specific user are defined by an evaluation of that user's needs to perform his or her duties. A properly completed TSA Form 1403 is used to identify the user and the user's privileges, in order to create a profile. Account management is a critical element in the defense-in-depth approach and provides protection from unauthorized system access. All data, applications, and IT assets of the TSA network are accessed through defined accounts. The establishment of these accounts is rigorously controlled throughout the life cycle.

Policy ID / Policy Statements [DHS 4300A reference; NIST SP 800-53 control; Category]

1.2.1 The SO shall be responsible for management and oversight of all accounts used to access the information system. [NIST: AC-2; Category: L, M, H, F]

1.2.2 The ISSO shall support the SO in account management by: [NIST: AC-2; Category: L, M, H, F]
a. Identifying account types (to include individual, group, system, application, service, guest/anonymous, and temporary); see TS-033 Application/Service Accounts for additional information and guidance;
b. Establishing conditions for group membership;
c. Enacting processes to identify authorized users of the information system and specify access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Enacting processes to establish, activate, modify, disable, and remove accounts;
f. Enacting processes to specifically authorize and monitor the use of guest/anonymous or temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or have their information system usage or need to know/need to share status change;
h. Enacting processes to deactivate temporary accounts that are no longer required and the accounts of terminated or transferred users;
i. Enacting processes to grant access to the system based on a valid access authorization, intended system usage, and other attributes as required by the TSA or associated missions'/business functions;
j. Ensuring/confirming the use of unique group access, which shall be approved by the appropriate AO, is limited to situations dictated by operational necessity or criticality for mission accomplishment. Shared and group accounts are prohibited for all systems categorized as High Value Assets (HVAs); and
k. Enacting processes to review accounts on an annual basis.

The ISSO shall ensure that access control implementations follow the principles of least privilege and separation of duties and shall require users to use unique identifiers.

Privileged users shall have separate accounts from their general user accounts in order to perform privileged access. Privileged users are authorized and therefore trusted to perform security-relevant functions that general users are not authorized to perform.

Social Security Numbers (SSN) shall not be used as logon IDs.

The Authorizing Official (AO) or the CISO shall review, delegate and approve in writing an individual requiring administrator privileges. This individual may be an appropriate SO, IAD SME or Program Manager.

Reserved

Systems that are part of the Critical DHS Assets Program shall have provisions to allow the CISO to approve new user accounts as part of a Continuity of Operations (COOP) scenario.

The SO shall ensure that the duties and responsibilities of critical information system functions are divided among different individuals to minimize the possibility that any one individual would have the necessary authority or system access to be able to engage in fraudulent or criminal activity.

Reserved

1.2.10 The SO shall implement procedures to ensure system access is suspended for personnel on extended absences. [DHS 4300A: 4.1.6.c]

1.2.11 General user accounts shall require a TSA Form 1403, Computer and Personal Electronic Device Access Agreement (CAA), to be completed by the user prior to granting the user access. [DHS 4300A: Not Defined]

1.2.12 Data and applications assigned and available to each specific user are defined by an evaluation of that user's needs to perform his or her duties and approved by the SO in accordance with the approved TSA application catalog or repository. [NIST: AC-2; Category: L, M, H, F]

1.2.13 All data, applications, and IT assets of the TSA network shall be accessed through defined user accounts. [DHS 4300A: 5.1.a, 5.2.e; NIST: AC-2]

1.2.14 User assets shall be locked out after fifteen (15) minutes of inactivity. [DHS 4300A: 4.8.1.a; NIST: AC-2]

1.2.15 Users shall lock end user assets when not in use and when stepping away from the asset. [DHS 4300A: 4.8.1.c; NIST: AC-2]

1.2.16 Automated mechanisms shall be implemented by the ISSO to support the management of information system accounts.

The SO shall ensure the system is programmed to automatically terminate emergency accounts within an approved and specified time [NIST: AC-2(2); Category: M, H, F]

1.2.20 The SO shall ensure the system automatically audits account creation, modification, disabling, and termination and notifies appropriate support and response personnel.

Users shall log out of any system when no longer in use. [DHS 4300A: 4.8.1.c; NIST: AC-2(5); Category: L, M, H, F]

1.2.21 Reserved

1.2.22 The ISSO shall monitor for atypical account usage and report such usage to the

All email messages generated or forwarded by a TSA user shall have the user's identity as the

3.1.3 Access Enforcement (AC-3)

Access control policies (to include identity-based policies, role-based policies, and attribute-based policies) and access enforcement mechanisms (to include access control lists [ACL], access control matrices, and cryptography) are employed by TSA to control access between users, or processes acting on behalf of users, and objects (to include devices, files, records, processes, programs, and domains) in the information system. In addition to enforcing authorized access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for TSA. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. Encryption of stored information shall be FIPS 140-2 (as amended) compliant. The cryptography used for information depends on the security level of that information. Mechanisms implemented by AC-3 are configured to enforce authorizations determined by other security controls.

Policy ID / Policy Statements [DHS 4300A reference; NIST SP 800-53 control; Category]

1.3.1 Access control policies and access enforcement mechanisms shall be employed by TSA systems to control access between users (or processes acting on behalf of users) and objects (to include devices, files, records, processes, programs, and domains) in the system.

1.3.2 The SO shall ensure the system enforces approved authorizations for logical access to the system in compliance with applicable policy.

1.3.3 Reserved.

1.3.4 The ISSO shall implement controls to ensure that only authorized individuals are able to participate in videoconferences.

1.3.5 Physical and logical access to TSA IT assets shall be limited by the ISSO to individuals on the asset's ACL.

1.3.6 The SO shall ensure that all data-at-rest, particularly in a Federal Risk and Authorization Management Program (FedRAMP)-compliant cloud or other virtual environments, preserves its identification and access requirements; anyone with access to data storage containing more than one type of information must have specific access authorization for every type of data in the storage. See TS-049 Information System Audit Logging and the IT Cloud Computing Security Handbook for additional information. That Handbook provides guidance regarding cloud implementation and services used to host TSA IT systems to process, store, and transmit TSA information. Other related service models, on which cloud environments are based, address Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Infrastructure-as-a-Service (IaaS).

1.3.7 The SO shall ensure that information systems/applications utilizing cloud computing services are secured in compliance with the IT Cloud Computing Security Handbook, TS-072 Cloud Computing and Virtualization, and TS-049 Information System Audit Logging.

1.3.8 TSA data hosted on a shared service environment/cloud service provider shall go through an approved TIC.

1.3.9 For non-web-facing systems, TIC inspection is not required but is still recommended. For web-facing systems, the connection must traverse the DHS TIC or a Managed Trusted Internet Protocol Service (MTIPS). See DHS CISO Memo dated July 22, 2016, Subject: Policy on TIC Inspection of Cloud Services.

1.3.10 For non-TIC connections, if TSA is already migrating to the Verizon MTIPS, proceed with the same. Once the DHS MTIPS is available, TSA shall work with OneNet towards migrating to the DHS MTIPS. If TSA has already migrated to a non-Verizon MTIPS solution (e.g., AT&T MTIPS) or is in the process of doing so, an approved waiver is needed. See DHS CISO Memo dated July 22, 2016, Subject: MTIPS Policy.

3.1.4 Information Flow Enforcement (AC-4)

Policy ID / Policy Statements [DHS 4300A reference; NIST SP 800-53 control; Category]

1.4.1 The ISSO shall ensure the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems, in compliance with TSA and DHS policy and as documented in the Security Plan (SP).

1.4.2 TSA email systems shall provide for security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to (or modification of) information contained in the email system.

1.4.3 TSA users shall not perform actions to bypass email screening tools (to include renaming file extensions, etc.). [DHS 4300A: 5.4.1.b]

1.4.4 If SSI or Sensitive Personally Identifiable Information (SPII) is sent by email, users shall encrypt the information in compliance with TS-002 Encryption policy. For additional information on SPII, see TSA MD 3700.4 Handling Sensitive Personally Identifiable Information (SPII), Appendix "TSA Sensitive PII (SPII) Handling Requirements." To send SSI via email, the user shall refer to the SSI Policies and Procedures Handbook, Attachment to TSA MD 2810.1.

1.4.5 Appropriate transmission protections, commensurate with the highest sensitivity of information to be discussed over the video or teleconference, shall be in compliance with TSA and DHS policies and shall be in place prior to initiating a teleconference.

1.4.6 In non-operational or non-production environments (to include training laboratories, development environments, and test environments) where non-TSA personnel have physical access, connectivity to TSA production network(s) is prohibited. TSA operational or production data or information cannot reside in any development environment.

1.4.7 Prior to posting sensitive content on TSA web sites, both internal and external, established data redaction processes shall be followed, to include independent review where necessary.

1.4.8 Content shall be posted to TSA web sites in compliance with the Rules of Behavior (control PL-4) and all policies set forth by the Office of Human Capital (OHC) in TSA MD 1100.73-5 Employee Responsibilities and Conduct and DHS MD 4400.1 DHS Web (Internet, Intranet, and Extranet Information) and Information Systems.

1.4.9 SSI, sensitive data, and information protected under the Privacy Act shall be posted to TSA internal web sites only if access controls are in place and approved by IAD and the content has been approved in advance by the SSI Program Office and/or Privacy Office and the Information Owner (IO) for posting.

1.4.10 Information regarding TSA personnel or their families (to include names, phone numbers, and addresses) assigned to units that are sensitive, routinely deployable, or stationed in foreign territories shall not be released, nor shall such individuals be identified in photographs or articles, including:
a. Internal program agenda, correspondence, and memos not appropriate for general distribution.
b. Information that is procurement or acquisition sensitive.
c. Operations Security (OPSEC) and Information Security (INFOSEC) material.
d. Other sensitive information which, by statute, TSA is not required to encrypt, but which shall only be posted when authorized by the Information Owner (IO). This includes "Law Enforcement Sensitive (LES)" or "For Official Use Only (FOUO)" information.

1.4.11 The ISSO shall ensure fax servers are configured so that incoming communications lines cannot be used to access the network or any data on fax servers.

1.4.12 The ISSO shall ensure data communication connections via modems are limited and are tightly

1.4.13 Data communication connections via modems are not allowed unless they have been authorized by the CISO. [DHS 4300A: 5.4.1.a]

1.4.14 Remote access to DHS networks shall be approved and shall only be accomplished through equipment specifically approved for that purpose.

1.4.15 Tethering through wireless mobile devices is prohibited without the prior written consent of the

1.4.16 Remote access to PII shall comply with all TSA requirements for sensitive systems, including strong authentication. Secure communication shall be accomplished via VPN or equivalent encryption and two-factor authentication. The Security Plan (SP) shall document any remote access to PII, and the remote access shall be approved by the AO prior to implementation.

1.4.17 Auto-forwarding of TSA email to addresses outside of the .gov or .mil domain is prohibited and shall not be used. Users may manually forward individual messages after determining that the risks or consequences are minimal.

1.4.18 Only Government email accounts shall be used to perform Government

1.4.19 On the use of approved domains, TSA shall only use a .gov or .mil domain for its official public-facing websites. See OMB M-17-06 Policies for Federal Agency Public Websites and Digital Services for additional information. [NIST: AC-4; Category: L, M, H, F, P]

3.1.5 Separation of Duties (AC-5)

Policy ID / Policy Statements [DHS 4300A reference; NIST SP 800-53 control; Category]

1.5.1 The ISSO shall document the separation of duties within the SP and the implementation of separation of duties through assig
