1911 Security Assessment and Authorization Policy

Senior management, management, and all organization entities are required to coordinate and implement necessary controls for providing security assessment and authorization controls governing agency IT resources and information systems on the basis of business and security requirements.

Periodic reviews of this policy shall be performed and documented at least within every three years, or when there is a significant change.

Periodic review of security assessment and authorization procedures shall be performed at least annually.

DHS assesses security controls throughout the system development life cycle process, and at a minimum annually.

The agency has developed and executes a security assessment plan which addresses:

Ongoing security control assessments in accordance with the organizational continuous monitoring strategy are performed at least annually in order to monitor and maintain minimum acceptable control implementation, intended operational status, and production of desired outcomes.

The agency’s security state of organization information systems is reported to appropriate organizational officials on an annual basis (i.e. senior management, Chief Information Security Officer, etc.).

A security assessment report is produced that documents the results of the assessment and the results of the security control assessment are provided to appropriate agency officials (i.e. senior management, Chief Information Security Officer, etc.).

DHS explicitly authorizes connections from the information to other information systems through use of the agency’s approved and executed Interconnection Security Agreements.

Annual review and update to the agency’s Interconnection Security Agreements is performed to ensure security requirements are adequately addressed within the agreement.

A deny-all and allow-by-exception policy is employed for allowing systems that receive, process, store, or transmit sensitive data to include, but is not limited to, Federal Tax Information (FTI), Social Security Administration data, Centers for Medicare and Medicaid Services (CMS) data, etc.

DHS maintains and updates an internal Plan of Action and Milestones (POA&M) in order to document the agency’s planned remedial actions for correcting weaknesses or deficiencies identified during the agency security controls assessments.

POA&M review is performed, at a minimum, on a quarterly basis.

An Authorizing Official, to include agency senior-level executive or manager, is assigned as the authorizing official for the agency’s information system.

The Authorizing Official is responsible for authorizing the information system for processing before commencing operations and before an authority to connect is granted.

Security authorizations are reviewed and updated, as necessary, every three years or when there is a significant change in data sensitivity, federal or legislation requirements, security violations, and prior to the previous security authorization.

DHS employs a service provider managed configuration management process for agency information system and components. Review of agency-defined metrics regarding the configuration management process and continuous monitoring program is performed on an annual basis.

Continuous security control assessments are performed, and a report of the agency’s security state is provided to the agency’s Authorizing Official on, at least, an annual basis.

Ongoing security monitoring of agency-defined metrics in accordance with the agency’s continuous monitoring strategy is performed continuously to ensure agency strategy is effective, maintained, and adhered to.