Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To ensure that all configuration changes to the District of Columbia Government (“District”) owned information assets and resources are done with management’s knowledge and consent, are appropriately tested, and do not introduce security weaknesses to the District’s information system.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members performing official functions on behalf of the District, and/or any District agency/District/entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
This document provides requirements for the configuration and change management process that provides assurance that information systems are designed and configured using controls that safeguard the District information systems. Failure to protect network infrastructures against threats can result in the loss of data integrity, unavailability of data, and/or unauthorized use of data or information systems of which the District is considered the owner.
4.1 Baseline Configuration
District agencies must provide common security configurations that provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. This requirement will allow the District agencies to improve information system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of the District data.
4.2 Security and Privacy Impact Analysis
All the District agencies must implement a Security and Privacy Impact Analysis Program that ensures significant changes are planned for a system. The system owners or business owners will conduct a security and privacy impact analysis to determine which controls will be assessed for proper implementation and operation. Security and privacy impact analysis may include, for example, reviewing system plans to understand security and privacy control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls.
4.3 Access Restrictions For Change
All the District agencies must define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. Only qualified and authorized District workforce members can be granted access to the system to initiate changes, including upgrades and modifications.
4.4 Configuration Settings
All District agencies must:
- Establish and document configuration settings for information technology products employed within the information system in accordance with CIS benchmarks for its servers and network devices as part of VMware configuration files that reflect the most restrictive mode consistent with operational requirements;
- Implement the configuration settings;
- Identify, document, and approve any deviations from established configuration settings for information systems based on Nessus CIS benchmarking of information systems; and
- Monitor and control changes to the configuration settings in accordance with District agencies policies and procedures.
4.5 Least Functionality
All District agencies must configure information systems to provide only essential capabilities and prohibit the use of functions, ports, protocols, and/or services that are not required for the business function of the information system.
4.6 Information System Component Inventory
All District agencies must:
- Develop and document an inventory of information system components that:
  - Accurately reflects the current information system;
  - Includes all components within the authorization boundary;
  - Is at the level of granularity deemed necessary for tracking and reporting; and
  - Includes an information system component inventory for servers, workstations, network devices, and peripheral devices maintained and monitored through the enterprise hardware/software asset management tool.
- Review and update the information system component inventory annually and as required.
4.7 Software Usage Restrictions
All District agencies are required to:
- Use software and associated documentation per contract agreements and copyright laws.
- Track the use of software and associated documentation protected by quantity licenses to control copying and distribution.
- Control and document the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
4.8 User Installed Software
All District agencies must:
- Establish the policies governing the installation of software by users.
- Enforce software installation policies through the IT Asset Management process.
- Monitor policy compliance annually.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.