Office of the Chief Information Officer

United States Department of Agriculture

Departmental Regulation 3540-003

Author: Office of the Chief Information Officer – Agriculture Security Operations Center

Security Assessment and Authorization

1. PURPOSE

a. This Departmental Regulation (DR) establishes the Security Assessment and Authorization (A&A) policy of the United States Department of Agriculture (USDA or “Department”) for meeting the applicable laws, regulations, and standards of the Federal Government.

b. This DR addresses guidance issued by the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the Federal Information Security Management Act of 2002 (FISMA) requiring federal agencies to develop and implement policies, plans, and procedures to continually assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.

c. This policy establishes formal, documented security assessment and authorization (A&A) policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Formal, documented procedures that facilitate implementation of the security A&A policy controls are contained in the Agriculture Security Operations Center (ASOC) Oversight and Compliance Division (OCD) standard operating procedure (SOP) OCD-SOP-004, USDA Six Step Risk Management Framework (RMF) Process Guide (RMF Process Guide).

d. It is the policy of USDA to comply with federal requirements to establish, implement, and support A&A to continually manage risk to USDA information systems.