Sorry, you need to enable JavaScript to visit this website.


Office of the Chief Technology Officer

DC Agency Top Menu

-A +A
Bookmark and Share

Information Security Program Management Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1. Purpose

Program management ensures that security considerations are planned for early and handled consistently in the project lifecycle. The Government of the District of Columbia (“District”) has established an integrated enterprise-wide decision structure for cybersecurity risk management that includes cybersecurity requirements for Districts information technologies.

2. Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at:

3. Applicability

This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.

4. Policy

District agencies that fall under the authority of the Mayor of the District, must protect and control electronic and physical data while at rest and in transit. The District agency will take appropriate safeguards for protecting the District’s data to limit potential mishandling or loss while being stored, accessed, or transported. The District must assess any inadvertent or inappropriate data disclosure and/or use must be reported to the concerned agency’s Information Security Officer (“ISO”), SOC, and OCTO. All the District agencies must develop or adopt OCTO’s Procedures that must define requirements for the secure handling, transporting, and storing media. The following requirements must be defined in the procedure.

4.1 Information Security Program Plan

District agency must:

4.1.1. Develop and disseminate an organization-wide information security program plan that:

  • Provides an overview of the security program requirements, a description of the security program management controls, and common controls in place or plan for meeting those requirements.
  • Include the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Reflect coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
  • Ensure the Program is approved by District’s agencies’ Director with a clear definition of roles, responsibility, and accountability for the risk being incurred to the agency’s operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

4.1.2.  Annually review and update when organizational changes occur.

4.1.3.  Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.

4.1.4   Protects the information security program plan from unauthorized disclosure and modification.

4.2. Senior Information Security Officer

The District agency appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

4.3. Information Security Resources

District agency must:

4.3.1. Ensure that capital planning and investment requests include the resources needed to implement the information security program and document all exceptions to this requirement.

4.3.2. Employs a business case to record the resources required.

4.3.3. Ensures that information security resources are available for expenditure.

4.4. Plan of Action and Milestones (POA&M) Process

District agency must:

4.4.1. Implement a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:

  • Are developed and maintained.
  • Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.
  • Are reported per OMB FISMA reporting requirements.

4.4.1. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

4.5. Information System Inventory

District agencies must develop and maintain an inventory of their information systems.

4.6. Information Security Measures of Performance

District agencies must develop, monitor, and report on the results of information security measures of performance.

4.7. Enterprise Architecture

District agencies must develop an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

4.8. Critical Infrastructure Plan

The District addresses information security issues in the development, documentation, and updating of critical infrastructure and key resources protection plans.

4.9. Risk Management Strategy

District agency must:

4.9.1. Develop a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.

4.9.2. Implement the risk management strategy consistently across the organization.

4.9.3. Review and update the risk management strategy annually or as required to address organizational changes.

4.10. Security Authorization Process

District agency must:

4.10.1. Manage (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments, in which those systems operate through security authorization processe

4.10.2. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process.

4.10.3. Fully integrate the security authorization processes into an organization-wide risk management program.

4.11. Mission/Business Process Definition

District agency must:

4.11.1. Define mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

4.11.2.  Determine information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are met.

4.12. Insider Threat Program

District agencies must implement an insider threat program that includes a cross-discipline insider threat incident handling team.

4.13. Information Security Workforce

District agencies must establish an information security workforce development and improvement program.

4.14. Testing, Training, and Monitoring Security Workforce

District agencies must:

4.14.1. Implement a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:

  • Are developed and maintained.
  • Continue to be executed promptly.

4.14.2. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy.

4.15.  Contacts with Security Groups And Associations

District agency must establish and institutionalize contact with selected groups and associations within the security community:

4.15.1. Facilitate ongoing security education and training for organizational personnel.

4.15.2. Maintain currency with recommended security practices, techniques, and technologies.

4.15.3. Share current security-related information including threats, vulnerabilities, and incidents.

4.16.  Threat Awareness Program

District agencies must implement a threat awareness program that includes a cross-organization information-sharing capability.

5. Exemptions

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.