
Office of the Chief Technology Officer

Security Assessment and Authorization Policy


Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021

 

1.    Purpose

Ensure that risks from inadequate security assessment, authorization, and continuous monitoring of the District of Columbia Government (“District”) information assets and their respective security controls are identified and mitigated.

2.    Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.

3.    Applicability

This policy applies to all District workforce members performing official functions on behalf of the District, and to any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.

4.    Policy

All District agencies must implement a process that ensures compliance with the District information security policies and minimizes the threat of breaches. Security assessments must be conducted to determine the extent to which the District information security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. Authorization is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period.

All District agencies shall develop their respective Security Assessment and Authorization procedures in support of this policy, based on the requirements defined below:
 
4.1.    Security Controls Assessments

District agencies must:
4.1.1    Develop a security assessment plan that describes the scope of the assessment, including:
4.1.1.1    Security and privacy controls and control enhancements under assessment.
4.1.1.2    Assessment procedures for determining security and privacy control effectiveness.
4.1.1.3    Assessment environment, assessment team, and assessment roles and responsibilities.
4.1.1.4    Assess the security controls in the systems and the environments of operation annually, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
4.1.2    Produce a security assessment report that documents the assessment results.
4.1.3    Provide the results of the security control assessment to the District agency's Information System Owner (“ISO”) and the Authorizing Official (“AO”).
 
4.2.    System Interconnections
District agencies must:  
4.2.1    Authorize connections from the system to other systems through the use of Interconnection Security Agreements.
4.2.2    Document for each interconnection the interface characteristics, security requirements, and the nature of the information communicated.
4.2.3    Review and update Interconnection Security Agreements annually or when required.
 
4.3.    Plan of Action and Milestones  
District agencies must:  
4.3.1    Develop a plan of action and milestones for the systems to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
4.3.2    Update the existing plan of action and milestones monthly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
 
4.4.    Security Authorization  
District agencies must:  
4.4.1    Assign a senior-level executive or manager as the authorizing official for any information system being deployed to the District Prod environment.
4.4.2    Ensure that the authorizing official authorizes the system for processing and authorizes the common controls inherited by the system before commencing operations.  
4.4.3    Update the security authorization at least every three years or when a significant change occurs.
 
4.5.    Continuous Monitoring  
District agencies must develop a continuous monitoring strategy and implement a continuous monitoring program that includes:
4.5.1    Establishment of defined metrics to be monitored.
4.5.2    Establishment of weekly monitoring and annual reviews/assessments supporting such monitoring.
4.5.3    Ongoing security control assessments per the organizational continuous monitoring strategy.
4.5.4    Ongoing security status monitoring of organization-defined metrics per the organizational continuous monitoring strategy.
4.5.5    Correlation and analysis of security-related information generated by assessments and monitoring.
4.5.6    Response actions to address results of the analysis of security-related information.  
4.5.7    Monthly reporting of the security status of the organization and the information system to the District agency’s CISO.
 
4.6.    Continuous Monitoring | Risk Monitoring
District agencies must ensure that risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
4.6.1    Controls effectiveness monitoring.
4.6.2    Compliance monitoring.
4.6.3    System change monitoring.
 
4.7.    Internal System Connections  
District agencies must:  
4.7.1    Authorize internal connections between District agencies' information systems.
4.7.2    Document the interface characteristics, security requirements, and the nature of the information communicated for each internal connection.

5.    Exemption

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6.    Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.