Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Ensure that risks from inadequate security assessment, authorization, and continuous monitoring of the District of Columbia Government (“District”) information assets and their respective security controls are identified and mitigated.
2. Authority
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members performing official functions on behalf of the District, and/or any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.
4. Policy
District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.
The District's agencies must develop, and review or update annually and after any change to the policy, a procedure in support of this policy that meets the following requirements:
4.1. Security Controls Assessments
District agencies must:
4.1.1. Develop a security assessment plan that describes the scope of the assessment, including:
- Security and privacy controls and control enhancements under assessment.
- Assessment procedures for determining security and privacy control effectiveness.
- Assessment environment, assessment team, and assessment roles and responsibilities.
Assess the security controls in the systems and their environments of operation annually, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.
4.1.2. Produce a security assessment report that documents the assessment results.
4.1.3. Provide the results of the security control assessment to the District agency's Information System Owner (“ISO”) and the Authorizing Official (“AO”).
4.2. System Interconnections
District agencies must:
4.2.1. Authorize connections from the system to other systems through the use of Interconnection Security Agreements (ISAs).
4.2.2. Document for each interconnection the interface characteristics, security requirements, and the nature of the information communicated.
4.2.3. Review and update Interconnection Security Agreements annually or when required.
4.2.4. Consider the following additional actions:
- Obtain written authorization from management (e.g., the AO or a designated representative) before connecting to other information systems.
- Confirm that the terms and conditions of an ISA or data sharing agreement do not conflict with or otherwise contradict Department IT security and privacy policies, procedures, controls, and standards; applicable legislation, regulation, or guidance; or other contractual obligations.
- Ensure that system interconnection channels are securely configured commensurate with the confidentiality and integrity of the data being exchanged.
- Obtain authorization from the external System Owner if the Department intends to use, modify, or disclose the external system’s information in a manner not authorized by the agreement.
4.3. Plan of Action and Milestones (POA&M)
District agencies must:
4.3.1. Develop a plan of action and milestones for the systems to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
4.3.2. Update the existing plan of action and milestones monthly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
4.4. Security Authorization
District agencies must:
4.4.1. Assign a senior-level executive or manager as the authorizing official for any information system being deployed to the District production environment.
4.4.2. Ensure that the authorizing official authorizes the system for processing and authorizes the common controls inherited by the system before commencing operations.
4.4.3. Update the security authorization at least every three years or when a significant change occurs.
4.5. Continuous Monitoring
District agencies must develop a continuous monitoring strategy and implement a continuous monitoring program that includes:
4.5.1. Establishment of defined metrics to be monitored.
4.5.2. Establishment of weekly monitoring, and of annual reviews and assessments supporting such monitoring.
4.5.3. Ongoing security control assessments per the organizational continuous monitoring strategy.
4.5.4. Ongoing security status monitoring of organization-defined metrics per the organizational continuous monitoring strategy.
4.5.5. Correlation and analysis of security-related information generated by assessments and monitoring.
4.5.6. Response actions to address results of the analysis of security-related information.
4.5.7. Monthly reporting of the security status of the organization and the information system to the District agency’s CISO.
4.6. Continuous Monitoring | Risk Monitoring
District agencies must ensure that risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
4.6.1. Controls effectiveness monitoring.
4.6.2. Compliance monitoring.
4.6.3. System change monitoring.
4.7. Internal System Connections
District agencies must:
4.7.1. Authorize internal connections between District agencies' information systems.
4.7.2. Document the interface characteristics, security requirements, and the nature of the information communicated for each internal connection.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
Definitions of the terms used in this document can be found on the Policy Definitions website.