Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Specify the requirements for the protection of the District of Columbia Government (“District”) information systems and the secure processing and transmission of data within the District network.
2. Authority
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District information systems, workforce members performing official functions on behalf of the District, and/or any District agency/District/entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.
4. Policy
All District agencies and departments must develop or adhere to a program plan that demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy:
4.1. Denial of Service Protection
The District agencies must protect systems against, or limit the effects of, denial of service (DoS) attacks by employing controls to guard against, limit, and reduce the system’s susceptibility to DoS attacks and improve the ability to detect such attacks.
4.2. Boundary Protection
The District agencies must:
4.2.1. Monitor and control communications at the external boundary of the system and key internal boundaries within the system.
4.2.2. Implement subnetworks for publicly accessible system components that are logically separated from internal organizational networks.
4.2.3. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged per an organizational security architecture.
4.3. Cryptographic Key Establishment and Management
The District agencies establish and manage cryptographic keys for required cryptography employed within the information system per FIPS 140-3 and NIST SP 800-57.
4.4. Cryptographic Protection
The District agencies’ systems implement required cryptographic protections using cryptographic modules that are validated by FIPS, per applicable federal laws, Mayor Executive Orders, directives, policies, regulations, and standards.
4.5. Collaborative Computing Devices
The District agencies must:
4.5.1. Prohibit remote activation of collaborative computing devices unless approved by the agency’s management.
4.5.2. Provide an explicit indication of use to users physically present at the devices.
4.6. Secure Name / Address Resolution Service (Authoritative Source)
The District agencies must:
4.6.1. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
4.6.2. Provide the means to indicate the security status of child zones (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains when operating as part of a distributed and hierarchical namespace.
4.7. Secure Name / Address Resolution Service (Recursive or Caching Resolver)
District agencies must ensure that information systems request and perform data origin authentication and integrity verification on the name/address resolution responses the system receives from authoritative sources.
4.8. Architecture and Provisioning for Name / Address Resolution Service
District agencies must ensure that systems that collectively provide name/address resolution service for the District agencies are fault-tolerant and implement internal/external role separation.
4.9. Process Isolation
District agencies must ensure that systems maintain a separate execution domain for each executing process.
5. Exemptions
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”).
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.