CHAPTER 5 - PART 1
USDA INTERNET ACCESS SECURITY FOR
PRIVATE INTERNET SERVICE PROVIDERS
USDA DR 3300-1, Telecommunications, Appendix I, authorizes use of the Internet to support Departmental and agencies missions and responsibilities through the access and use of authorized remote information systems. When agency or staff office Internet requirements cannot be met through use of the USDA Internet Access Network, a technical exception must be obtained from the Office of the Chief Information Officer (OCIO), Office of Cyber Security, for access to a private Internet Service Provider. The Office of the Inspector General (OIG) performed an audit of Information Resources Management controls in the use of the Internet and found potential vulnerabilities to the Department and recommended security provisions to protect USDA data. This chapter responds to security issues identified in Audit Report 50099-7-FM, USDA Access to the Internet and Audit Report 23099-1-FM, OCIO Security Over Data Transmission in the Department Needs Improvement.
a Mandatory Use of USDA Internet Access It is USDA policy that agencies and staff offices will use only the USDA Internet Access Network for entry to the Internet. In the past, agencies were granted exceptions to use private Internet Service Providers (ISP) based on the limited scope of the USDA Internet Access Network. Since that time, the department has greatly expanded the scope of Internet access provisioning and can satisfy most of USDA’s current requirements. Therefore, all existing exceptions for the use of private Internet Service Providers are rescinded upon issuance of this policy.
b International Internet Access It is policy that USDA agencies located in overseas facilities should make every reasonable effort to obtain Internet access from private Internet Service Providers that can meet the security requirements of this policy. Activities that are co-located with State Department Embassies should explore obtaining Internet service using their government-wide contracts or other Federal agencies International Service contracts. In any case, the need for security should be based on the following factors:
· Sensitivity of data transmitted;
· The potential harm that might result from hackers using agency facilities as a back door to gain access to USDA networks.
If the Internet is used to research information required by the agency, every effort should be made to ensure that the device used to access the Internet is a stand-alone machine or using a proxy server, not part of any USDA network.
All ISP exceptions are to be submitted to the Office of Cyber Security through the OCIO, Office of Information Resources Management.
c Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with a updated timeline for completion. CS will monitor all approved exceptions.
a The Associate CIO for Cyber Security will:
(1) Provide customer support to agencies and staff
offices regarding exceptions to the use of the USDA Internet Access Network;
(2) Analyze and review exception documentation that includes obtaining technical assurances from the Office of Telecommunications Services (TSO) that this location cannot be feasibly served. Sites using private ISPs that have had previous IT Security Incidents will be subject to especially close scrutiny;
(3) Review security documentation to ensure that agency verification of security controls provided by the private ISP is strong in terms of meeting
(5) Maintain a database of approved private ISPs used by the agencies/staff offices in lieu of the USDA Internet Access Network; and annually review the database for possible migration candidates to the USDA Internet Access Network.
b The Associate CIO for the Office of Telecommunications Services will:
Review all ISP exceptions and provide assurances that the USDA Internet Access Network cannot technically provide the capability requested and that the network will not be negatively affected if a private ISP is used.
c The Associate CIO for Information Resources Management (IRM) will:
(1) Support the policy and procedures contained in
this manual to ensure that appropriate security
protection is provided to all USDA managed networks, systems and servers; and
(2) Receive, review, and coordinate a response with the Associate CIO for Cyber Security to any
exception requests to this policy.
d Agency Chief Information Officer will:
(1) Designate an appropriate Senior Level Manager (who may be the CIO or other designated official) to be the Certifying Official (CO) for all private Internet Service Providers provisioned;
(2) Require the CO to certify on behalf of the
agency/staff office compliance with all requirements of this Departmental Manual for use of newly approved private ISPs;
(3) Notify the Office of Cyber Security in writing of all existing uses of private ISPs. The list, signed by the CO within 60 days of this notice, will include the agency name (including subunit name, if appropriate), location, supplier of existing internet access, and an agency Point of Contact (including name and telephone number) at every location.
(4) Review all existing private ISP provisioning within the agency and forward exception requests signed by the CO for those locations that cannot be technically provisioned under the USDA Internet Access Network.
(5) Provide a compelling technical justification for the continued use of a private ISP to include language concerning the provider’s ability to provide strong security safeguards and privacy protection measures. All exception packages should include the following security information:
(a) A description of security controls in place
protecting USDA information systems and
data against unauthorized intrusion for each site;
(b) Documentation, including the Agency Annual Cyber Security Plan, which defines security features available from each provider as well as a list of security features implemented;
(c) Documentation which specifically details each site’s compliance with DR 3140-2; National Institute of Standards and Technology (NIST) Special Publications 800-12, An Introduction to Computer Security, and 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; and Office of Management and Budget (OMB) Circular A-130, Appendix III.
(6) Modify the provisioning arrangements for any site technically feasible location to the USDA Internet Access Network within 30 days of this policy issuance;
(7) Each agency CO will certify that all newly approved private ISPs comply with OMB Privacy and Data Collection Policies for each entry point. This includes privacy posting that is clearly labeled and easily accessed when someone visits a web site. In addition, private ISPs will not use persistent “cookies” at Federal web sites they maintain unless there is a clear and compelling need as defined in OMB Memo M-00-13 and other OMB and CS guidance on Privacy.
(8) Each agency will use department recommended encryption methods to protect data transferred over any private ISP to and from the USDA Internet Access Network.