Office of the Chief Information Officer

United States Department of Agriculture

Departmental Regulation 3545-003

Author: Office of the Chief Information Officer

Suitability Requirements Permitting Personnel Access to Information Systems

PURPOSE

a.    This Departmental Regulation (DR):

(1)    Is the United States Department of Agriculture (USDA) policy for assessing the suitability of personnel to access USDA information resources;

(2)    Sets the criteria for personnel to gain and maintain access to USDA information and information systems; and

(3)    Defines the standards by which personnel establish and maintain a level of trust (e.g., suitability, fitness, and credentialing).

b.    This DR serves as the foundation for Mission Areas, agencies, and staff offices to develop and implement their own personnel security procedures.

c.    This DR meets the requirements of:

(1)    The Federal Information Security Modernization Act of 2014 (FISMA), 44 United States Code (U.S.C.) § 3551, et seq.;

(2)    The Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Memorandum M-16-17;

(3)    OMB Circular A-130, Managing Information as a Strategic Resource;

(4)    The National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication (FIPS PUB) 200, Minimum Security Requirements for Federal Information and Information Systems; and

(5)    The personnel security family of controls in NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.

d.    The USDA:

(1)    Complies with Federal requirements to assess suitability and fitness of USDA personnel to access USDA information and information systems;

(2)    Confirms its management commitment to comply with the authorities governing USDA personnel security for access to information and information systems;

(3)    Supports personnel security activities for protecting USDA information and information systems; and

(4)    Continually manages risks to those systems.

Downloads: DR3545-003.pdf (PDF, 469.12 KB)