Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Section 5: IT Security Controls In Systems

This section addresses several security controls that can be considered during the preparation of the Statement of Work (SOW) during the acquisition planning and acquisition phases of a procurement. The controls presented in this section are not exhaustive, as there are many different controls that can be applied; for many systems, a combination of features will be used. The suggested language or the applicable IT security or policy document may be used in the SOW, as appropriate.

Section 5 cont’d: IT Security Controls In Systems

Identification and Authentication (This control is used to enforce accountability and access control. All users or authorized groups must have a unique identifier and use individual passwords compliant with the DOC Policy on Password Management to authenticate themselves to the system.)

Suggested SOW language… The system shall:
–Include a mechanism to require users to uniquely identify themselves to the system before beginning to perform any other actions that the system is expected to mediate.
–Be able to maintain authentication data that includes information for verifying the identity of individual users (e.g., passwords).
–Protect authentication data so that it cannot be accessed by any unauthorized user.
–Be able to enforce individual accountability by providing the capability to uniquely identify each individual computer system user.
–Raise alarms when attempts are made to guess the authentication data either inadvertently or deliberately (based on a number of incorrect password attempts).

See U.S. Department of Commerce IT Security Program Policy Section: 3.15
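The following Python sketch is an added example, not part of the course material, of what the identification and authentication requirements above look like when a system actually implements them: unique identifiers, authentication data held only as salted PBKDF2 digests behind an interface (so no caller reads passwords), and an alarm once a constructed threshold of consecutive failed attempts is reached. The threshold value, the sample credential and the class names are assumptions for the example; the course names none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Consecutive failed attempts that raise an alarm. The course names no number,
# so this threshold is a constructed value for the example.
ALARM_THRESHOLD = 3
_PBKDF2_ROUNDS = 100_000


@dataclass
class AuthResult:
    success: bool
    alarm: bool           # True once the failed-attempt threshold is reached
    failed_attempts: int  # consecutive failures recorded for the presented identifier


@dataclass
class AuthenticationStore:
    """Authentication data for each unique user identifier.

    Only a random salt and a PBKDF2 digest are kept per identifier, never the
    password, and callers reach the data only through register() and
    authenticate(); that is how the store keeps authentication data from
    being read by unauthorized users.
    """
    _records: dict = field(default_factory=dict)   # user_id -> (salt, digest)
    _failures: dict = field(default_factory=dict)  # user_id -> consecutive failures
    alarms: list = field(default_factory=list)     # alarm messages raised so far

    def register(self, user_id: str, password: str) -> None:
        # Identifiers must be unique so that every action can be tied to one person.
        if user_id in self._records:
            raise ValueError(f"identifier {user_id!r} already exists; identifiers must be unique")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
        self._records[user_id] = (salt, digest)
        self._failures[user_id] = 0

    def authenticate(self, user_id: str, password: str) -> AuthResult:
        record = self._records.get(user_id)
        # For an unknown identifier still run the same hash so timing does not reveal
        # which identifiers exist; the attempt is still counted against the name presented.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
        if record is not None and hmac.compare_digest(candidate, expected):
            self._failures[user_id] = 0
            return AuthResult(success=True, alarm=False, failed_attempts=0)
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        alarm = count >= ALARM_THRESHOLD
        if alarm:
            # Whether the guesses were mistyped or deliberate is not known here;
            # the alarm goes to whoever reviews security events.
            self.alarms.append(f"ALARM: {count} consecutive failed attempts for identifier {user_id!r}")
        return AuthResult(success=False, alarm=alarm, failed_attempts=count)


if __name__ == "__main__":
    store = AuthenticationStore()
    store.register("alice", "correct horse battery staple")   # constructed sample credential
    for guess in ("password", "letmein", "alice123"):
        print(store.authenticate("alice", guess))
    print(store.alarms)
```

A successful authentication resets the failure counter, so the alarm reflects consecutive guessing rather than a user's lifetime typo count; what the system does after the alarm (lockout, notification) is a policy decision the SOW would state separately.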

Section 5 cont’d: IT Security Controls In Systems

Access Control (Access control is used to ensure that all access to IT resources is authorized at the level of least privilege where necessary. Access control protects confidentiality and integrity and supports the principles of legitimate use, least privilege, and separation of duty.)

Suggested SOW language… The system shall use identification and authorization data to determine user access to information. The system shall be able to define and control access between subjects and objects in the computer system. The enforcement mechanism (e.g., self/group public controls, access control lists, roles) shall allow users to specify and control sharing of those objects by other users, or defined groups of users, or by both, and shall provide controls to limit propagation of access rights. The discretionary access control mechanism shall, either by explicit user action or by default, provide that objects are protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user. Access permission to an object by users not already possessing access permission shall be assigned by only authorized users.

For further information see U.S. Department of Commerce IT Security Program Policy Section: 3.16
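As an added example (not from the course), here is a small discretionary access control monitor that exercises each clause of the SOW language above: objects are closed by default, access control list entries name users or groups, a per-user exclusion overrides a group grant (single-user granularity), and only the owner or a holder of a grantable entry may pass rights on, which is the propagation limit. The group names, user names, object name and label are constructed for the example.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a subject tries to grant rights it does not hold."""


@dataclass
class AclEntry:
    principal: str           # "user:<id>" or "group:<name>"
    permissions: frozenset   # subset of {"read", "write", "execute"}
    allow: bool = True       # False marks an explicit exclusion of a single user
    may_grant: bool = False  # whether the holder may pass these rights to others


@dataclass
class ProtectedObject:
    name: str
    label: str               # e.g. "Sensitive"; the label also appears in audit records
    owner: str
    acl: list = field(default_factory=list)


class DacMonitor:
    """Discretionary access control between subjects (users) and objects."""

    def __init__(self, groups: dict):
        self.groups = groups      # group name -> set of user ids (constructed input)
        self.objects = {}

    def create(self, owner: str, name: str, label: str) -> ProtectedObject:
        # A new object starts with an empty ACL: only its owner can reach it, so
        # objects are protected from unauthorized access by default.
        obj = ProtectedObject(name, label, owner)
        self.objects[name] = obj
        return obj

    def _principals(self, user: str) -> set:
        names = {f"user:{user}"}
        names.update(f"group:{g}" for g, members in self.groups.items() if user in members)
        return names

    def check(self, user: str, name: str, perm: str) -> bool:
        obj = self.objects[name]
        if user == obj.owner:
            return True
        # An explicit per-user exclusion overrides any group entry, which gives the
        # include/exclude granularity of a single user.
        for e in obj.acl:
            if e.principal == f"user:{user}" and not e.allow and perm in e.permissions:
                return False
        principals = self._principals(user)
        return any(e.allow and e.principal in principals and perm in e.permissions
                   for e in obj.acl)

    def _may_grant(self, user: str, obj: ProtectedObject, perms: frozenset) -> bool:
        if user == obj.owner:
            return True
        principals = self._principals(user)
        return any(e.allow and e.may_grant and e.principal in principals
                   and perms <= e.permissions for e in obj.acl)

    def grant(self, granter, name, principal, perms, may_grant=False) -> None:
        # Only an authorized user (owner or holder of a grantable entry) hands out
        # rights, and the may_grant flag bounds how far rights propagate.
        obj = self.objects[name]
        perms = frozenset(perms)
        if not self._may_grant(granter, obj, perms):
            raise AccessDenied(f"{granter} may not grant {sorted(perms)} on {name}")
        obj.acl.append(AclEntry(principal, perms, allow=True, may_grant=may_grant))

    def exclude(self, granter, name, user, perms) -> None:
        obj = self.objects[name]
        perms = frozenset(perms)
        if not self._may_grant(granter, obj, perms):
            raise AccessDenied(f"{granter} may not change access to {name}")
        obj.acl.append(AclEntry(f"user:{user}", perms, allow=False))


if __name__ == "__main__":
    m = DacMonitor({"analysts": {"bob", "carol"}})
    m.create("alice", "report.txt", "Sensitive")
    m.grant("alice", "report.txt", "group:analysts", {"read"})
    m.exclude("alice", "report.txt", "carol", {"read"})
    print("bob reads:", m.check("bob", "report.txt", "read"))      # True
    print("carol reads:", m.check("carol", "report.txt", "read"))  # False
```

A grantee can pass on at most the rights it holds with may_grant set, never a superset, which is the check a reviewer should look for when a vendor claims to "limit propagation of access rights".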

Section 5 cont’d: IT Security Controls In Systems

Auditing (Auditing is used to provide protection by enabling organizations to record meaningful actions within the system and to hold the user accountable for each action.)

Suggested SOW language… The system shall be able to create, maintain, and protect from modification, unauthorized access, or destruction an audit trail of accesses to the objects it protects. The audit data shall be protected so that read access to it is limited to those who are authorized. The system shall be able to record the following types of events: use of identification and authentication mechanisms, introduction of objects into a user's address space (e.g., file open, program initiation), deletion of objects, actions taken by computer operators and system administrators, and other security-relevant events. The system shall also be able to audit any override of human-readable output markings. For each recorded event, the audit record shall be able to identify the date and time of the event, user, type of event, and success or failure of the event. For identification and authentication events, the origin of the request (e.g., terminal ID) shall be included in the audit record. For events that introduce an object into a user's address space and for object deletion events, the audit record shall include the name of the object and the object's label. The system administrator shall be able to selectively audit the actions of any one or more users based on individual identity and/or object label.

For further information see U.S. Department of Commerce IT Security Program Policy Section: 3.17
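The audit requirements above translate into a record format and two protections. The Python below is an added example, not course material: each record carries the fields the SOW lists (date and time, user, event type, outcome, request origin, object name and label), the trail is an HMAC chain so modification or removal of a record is detectable, read access is limited to named reviewers, and a query can select by user identity and/or object label. The integrity key, reviewer name and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    timestamp: str
    user: str
    event_type: str        # "authentication", "object_open", "object_delete", "admin_action", ...
    outcome: str           # "success" or "failure"
    origin: str = ""       # request origin such as a terminal ID (for I&A events)
    object_name: str = ""  # for events that introduce or delete an object
    object_label: str = ""


_GENESIS = b"\x00" * 32


class AuditTrail:
    """Append-only audit trail with a MAC chain and restricted read access."""

    def __init__(self, integrity_key: bytes, authorized_readers):
        self._key = integrity_key              # held only by the audit subsystem
        self._readers = set(authorized_readers)
        self._entries = []                     # list of (record, mac)

    def _mac(self, record: AuditRecord, previous: bytes) -> bytes:
        payload = json.dumps(asdict(record), sort_keys=True).encode()
        return hmac.new(self._key, previous + payload, hashlib.sha256).digest()

    def record(self, **fields) -> AuditRecord:
        rec = AuditRecord(timestamp=datetime.now(timezone.utc).isoformat(), **fields)
        previous = self._entries[-1][1] if self._entries else _GENESIS
        self._entries.append((rec, self._mac(rec, previous)))
        return rec

    def tail(self) -> bytes:
        """Latest MAC; keep a copy outside the trail so truncation of the newest records is also caught."""
        return self._entries[-1][1] if self._entries else _GENESIS

    def verify(self, expected_tail: bytes = None) -> bool:
        # Each MAC covers the previous MAC, so editing or removing any earlier
        # record breaks every link after it.
        previous = _GENESIS
        for rec, mac in self._entries:
            if not hmac.compare_digest(mac, self._mac(rec, previous)):
                return False
            previous = mac
        return expected_tail is None or hmac.compare_digest(previous, expected_tail)

    def query(self, reader: str, user: str = None, object_label: str = None) -> list:
        # Read access is limited to authorized reviewers; selection by user identity
        # and/or object label is what lets an administrator audit selectively.
        if reader not in self._readers:
            raise PermissionError(f"{reader!r} is not authorized to read the audit trail")
        return [rec for rec, _ in self._entries
                if (user is None or rec.user == user)
                and (object_label is None or rec.object_label == object_label)]


if __name__ == "__main__":
    trail = AuditTrail(b"constructed-audit-key", {"auditor"})   # constructed key and reviewer
    trail.record(user="alice", event_type="authentication", outcome="success", origin="TTY07")
    trail.record(user="bob", event_type="object_open", outcome="failure",
                 object_name="report.txt", object_label="Sensitive")
    print(trail.verify(), trail.query("auditor", user="bob", object_label="Sensitive"))
```

The chain alone cannot notice that the newest records were dropped, which is why tail() exists: an operator stores the latest MAC somewhere the trail's own writer cannot reach and passes it back to verify() at review time.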

Section 5 cont’d: IT Security Controls In Systems

Cryptography (Cryptography is a type of control for protecting sensitive unclassified information. The NIST Special Publication , Guideline for Implementing Cryptography in the Federal Government, provides a comprehensive reference for government use of cryptography.)

Suggested SOW language… The cryptographic module and algorithm shall be validated by a Cryptographic Module Testing laboratory through the NIST Cryptographic Module Validation Program.

For further information see U.S. Department of Commerce IT Security Program Policy Section: 3.17

Digital Signature (A digital signature can be used to detect unauthorized modifications to data and to authenticate the identity of the signatory. This capability can be used in IT systems anywhere a signature is required.)

Suggested SOW language… The FIPS-approved public key-based digital signature capability provided by shall be validated by the NIST Cryptographic Module Validation Program.

Section 6: Key Security Specifications & Clauses

Suggested language for integrating key IT security specifications into offer or quotation documentation can be found in Appendix B of NIST : Some areas covered in the NIST publication are:
(a) Control of Hardware and Software
(b) Contract Administration
(c) Contract/Task Closeout
(d) Security Documentation

Section 6 cont’d: Key Security Specifications & Clauses

Federal Acquisition Regulation (FAR) Clauses

FAR , prescribes FAR , Privacy or Security Safeguards, or a clause substantially the same as the clause at , Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services. For a full text version of the clause see

Section 6 cont’d: Key Security Specifications & Clauses

Commerce Acquisition Regulation (CAR) Clauses

As prescribed in (CAR ), the Contracting Officer shall insert CAR SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY RESOURCES, or a clause substantially the same as it, in all DOC solicitations and contracts for services.

As prescribed in (CAR ), the Contracting Officer shall insert CAR SECURITY PROCESSING REQUIREMENTS FOR CONTRACTORS/SUBCONTRACTOR PERSONNEL FOR ACCESSING DOC INFORMATION TECHNOLOGY SYSTEMS, or a clause substantially the same as it, in all DOC solicitations and contracts for services.

Module 3 Review Summary

IT Security Controls In Systems
–Identification and Authentication
–Access Control
–Auditing
–Cryptography
–Digital Signature

Key Security Specifications & Clauses
–Federal Acquisition Regulations (FAR)
–Commerce Acquisition Regulations (CAR)