System and Services Acquisition Policy

System and Services Acquisition Policy

Netspective Unified Process
 

This System and Services Acquisition Policy ensure that the information systems mission and business objectives meet security requirements when acquiring Information Technology (IT) resources and information systems. [FII-SCF-024-TDA-01]

ALLOCATION OF RESOURCES

  • The IT Department, under the direct guidance and association of the information system owner, shall determine the information security requirements for the information system or information system service during mission/business process planning.
  • The IT Department, under the direct guidance and association of the information system owner, shall determine, document, and allocate the resources required to protect the information system or information system service as part of its capital planning and investment control process.
  • The IT Department shall establish a discrete line item for information security in organizational programming and budgeting documentation.

SYSTEM DEVELOPMENT LIFE CYCLE

  • Under the direct guidance and association of the information system owner, the IT Department shall develop a contingency plan for the information system that manages the information system by incorporating information security considerations throughout the system development life cycle.
  • The IT Department, under the direct guidance and association of the information system owner, shall define and document information security roles and responsibilities throughout the system development life cycle for the contingency plan.
  • The IT Department, under the direct guidance and association of the information system owner, shall identify individuals having information security roles and responsibilities for the contingency plan.
  • The IT Department, under the direct guidance and association of the information system owner, shall integrate the information security risk management process into system development life cycle activities for the contingency plan.

ACQUISITION PROCESS

  • IT shall explicitly or by reference include the following requirements, descriptions, and criteria in the acquisition contract for the information system, system component, or information system service, in accordance with applicable federal, state, and local laws, Executive Orders, directives, policies, regulations, standards, guidelines, and mission and business needs:
    • Security functional requirements.
    • Security strength requirements.
    • Security assurance requirements.
    • Security-related documentation requirements.
    • Requirements for protecting security-related documentation.
    • Description of the information system development environment and environment in which the system is intended to operate.
    • Acceptance criteria.

SECURITY CONTROLS

  • IT shall require the information system, system component, or information system service to describe the functional properties of the security controls that will be employed, security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics that meet the business requirements.
  • IT shall require the identification of functions, ports, protocols, and services intended for organizational use early in the system development life cycle.
  • IT shall require the use of only information technology products on the FIPS 201-approved products list for implementing Personal Identity Verification (PIV) capability within information systems.

INFORMATION SYSTEM DOCUMENTATION

IT Department shall

  • Obtain administrator documentation for the information system, system component, or information system service that describes the secure configuration, installation, and operation of the system, component, or service, effective use and maintenance of security functions/mechanisms, and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
  • Obtain user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms, methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner, and user responsibilities in maintaining the security of the system, component, or service.
  • Document attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent, and define organization’s actions in response.
  • Protect documentation as required, in accordance with the risk management strategy, and distribute documentation to only authorized persons or entities.

SECURITY ENGINEERING PRINCIPLES

IT Department shall:

  • Apply industry standard information system security engineering principles to specify, design, develop, implement, and modify the information system.

EXTERNAL INFORMATION SYSTEM SERVICES

IT Department shall:

  • Require external information system service providers to comply with organizational information security requirements and employ security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
  • Define and document government oversight and user roles and responsibilities regarding external information system services.
  • Monitor security control compliance by external service providers on an ongoing basis using processes, methods, and techniques.
  • Require external information system service providers to identify the functions, ports, protocols, and other services required for the use of such services.

DEVELOPER CONFIGURATION MANAGEMENT

The IT Department shall ensure that developers of the information system, system components or information system service:

  • Perform configuration management during system, component, or service design; development, implementation, and/or operation.
  • Document, manage, and control the integrity of changes to configuration items under configuration management.
  • Implement only organization-approved changes to the system, component, or service.
  • Document approved changes to the system, component, or service and the potential security impacts of such changes.
  • Track security flaws and flaw resolution within the system, component, or service and report findings to authorized personnel and/or business units Require the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
  • Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
  • Require the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
  • Require the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
  • Require the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
  • Require the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

DEVELOPER SECURITY TESTING AND EVALUATION

The developer of the information system, system component, or information system service shall:

  • Create and implement a security assessment plan.
  • Perform unit; integration; system; regression testing/evaluation.
  • Produce evidence of the execution of the security assessment plan and the
  • results of the security testing/evaluation.
  • Implement a verifiable flaw remediation process.
  • Correct flaws identified during security testing/evaluation.
  • Perform threat and vulnerability analyses and subsequent testing/evaluation of
  • the as-built system, component, or service, as required by the IT department.

INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE

IT Department shall:

  • Require an independent agent to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.
  • Ensure that the IT Department provides the independent agent with sufficient information to complete the verification process or grant the agent the authority to obtain such information.
  • Perform a manual code review of defined processes, procedures, and/or techniques.
  • Perform penetration testing.
  • Verify that the security testing/evaluation provides complete coverage of required security controls.
  • Employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Approved by
Ajay Kumaran Nair on June 13, 2023 |
Last Updated by
Sreejith K on June 13, 2023