
GSA IT Resources - Policies and Procedures

GSA IT Resources - We all have an important role and a duty to protect our systems from hackers and other cyber attacks. All staff, including employees and contractors, must be aware of GSA's IT security policies and understand their personal responsibilities for safeguarding our IT assets, as well as the potential consequences of breaching IT security policies. The following resources will help you understand what is required.

Key NIST Publications

Governmentwide security guidelines applicable to all systems requiring a risk management framework.

NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

FIPS 199: Standards for Security Categorization of Federal Information and Information Systems

NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

NIST SP 800-60 Vol. 2: Guide for Mapping Types of Information and Information Systems to Security Categories

NIST SP 800-119: Guidelines for the Secure Deployment of IPv6

OMB M-21-31: Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents

LATEST! NIST SP 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations

Additional information on several critical publications is provided in the dropdowns below.

High-Level Overview
The recent SolarWinds incident has underscored the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on Federal information systems (both on-premises systems and systems hosted by third parties, such as cloud service providers (CSPs)) is critical to supporting forensic intelligence gathering, investigation, and remediation of cyber threats.

Executive Order 14028, Improving the Nation's Cybersecurity, directs all Federal agencies to take decisive action to improve the Federal Government's investigative and remediation capabilities. OMB M-21-31 was developed in accordance with, and addresses, the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for GSA's highest-level enterprise security operations center (SOC).

Event Logging Maturity Model
The maturity model for the four Event Logging tiers established by OMB as part of this mandate is shown below.

Tier EL0 - Not Effective
The agency, or one or more of its components, has not implemented the following requirement:

  • Ensuring that the Required Logs categorized as Criticality Level 0 are retained in acceptable formats for specified timeframes
Tier EL1 - Basic
The agency and all of its components meet the following requirements:
  • Basic Logging Categories
  • Minimum Logging Data
  • Time Standard
  • Event Forwarding
  • Protecting and Validating Log Information
  • Passive DNS
  • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) Access Requirements
  • Logging Orchestration, Automation, and Response – Planning
  • User Behavior Monitoring – Planning
  • Basic Centralized Access
Tier EL2 - Intermediate
The agency and all of its components meet the following requirements:
  • Meeting EL1 maturity level
  • Intermediate Logging Categories
  • Publication of Standardized Log Structure
  • Inspection of Encrypted Data
  • Intermediate Centralized Access
Tier EL3 - Advanced
The agency and all of its components meet the following requirements:
  • Meeting EL2 maturity level
  • Advanced Logging Categories
  • Logging Orchestration, Automation, and Response – Finalizing Implementation
  • User Behavior Monitoring – Finalizing Implementation
  • Application Container Security, Operations, and Management
  • Advanced Centralized Access
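Two of the EL1 items, Time Standard and Protecting and Validating Log Information, are easiest to understand in code. The Python below is an added example, not code from the FAS IT-Playbook or from M-21-31. It assumes that timestamps are normalized to UTC with millisecond precision before forwarding, and that each forwarded record carries a hash covering its own content and the previous record's hash, so the central collector can detect a record that was altered, reordered, or deleted. The three events in demo_chain are constructed.

```python
"""Hash-chained, UTC-normalized log records (added example, not Playbook code)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # link value carried by the first record of a chain


def normalize_timestamp(ts: str) -> str:
    """Convert an ISO 8601 timestamp that carries a UTC offset into UTC with
    millisecond precision (2021-08-27T14:03:05.123Z). Timestamps without an
    offset are rejected: once logs from several time zones are merged at a
    central collector they are ambiguous and cannot be ordered reliably."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {ts}")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def digest_body(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so host and collector
    # compute the same hash over the same record.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_record(chain: list, ts: str, event: dict) -> dict:
    """Append one record whose hash covers its timestamp, its event payload
    and the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"ts": normalize_timestamp(ts), "prev": prev, "event": event}
    record = dict(body, hash=digest_body(body))
    chain.append(record)
    return record


def verify_chain(chain: list) -> Optional[int]:
    """Return the index of the first record whose content or link to its
    predecessor does not verify, or None if the whole chain is intact."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: record[k] for k in ("ts", "prev", "event")}
        if record["prev"] != prev or record["hash"] != digest_body(body):
            return i
        prev = record["hash"]
    return None


def demo_chain() -> list:
    """Constructed sample: three events from a host reporting in UTC-4."""
    chain = []
    append_record(chain, "2021-08-27T10:03:05.123-04:00",
                  {"user": "alice", "action": "login", "src": "10.0.0.5"})
    append_record(chain, "2021-08-27T10:03:07.900-04:00",
                  {"user": "alice", "action": "sudo", "cmd": "cat /etc/shadow"})
    append_record(chain, "2021-08-27T10:04:00.001-04:00",
                  {"user": "alice", "action": "logout"})
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print("intact chain:", verify_chain(chain))          # None
    del chain[1]                                          # an attacker removes the sudo event
    print("after deleting record 1:", verify_chain(chain))  # 1
```

A hash chain only proves integrity back to the last link the collector already holds: a host compromised later can rewrite the tail of its local chain and recompute every hash, and verify_chain on the host's copy will still pass. That is why the Event Forwarding and Protecting and Validating Log Information requirements belong together: forward records (or at least the latest hash) promptly so that the collector's copy, not the host's, is the reference for validation.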
GSA Implementation Requirements
FAS-IT is currently working with the GSA Office of the CISO to meet the requirements of M-21-31 (dated August 27, 2021). Specifically, the memorandum directs agencies to:
  • Within 60 calendar days of the date of this memorandum, assess their maturity against the maturity model in this memorandum and identify resourcing and implementation gaps associated with completing each of the requirements listed in the memorandum. Agencies will provide their plans and estimates to their OMB Resource Management Office (RMO) and Office of the Federal Chief Information Officer (OFCIO) desk officer.
  • Within one year of the date of this memorandum, reach EL1 maturity.
  • Within 18 months of the date of this memorandum, achieve EL2 maturity.
  • Within two years of the date of this memorandum, achieve EL3 maturity.
  • Provide, upon request and to the extent consistent with applicable law, relevant logs to the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI). This sharing of information is critical to defend Federal information systems.
  • Share log information, as needed and appropriate, with other Federal agencies to address cybersecurity risks or incidents.

High-Level Overview
The Federal agency-wide migration to IPv6 services is inevitable, as the IPv4 address space is effectively exhausted. IPv6 is not backward compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate those risks. Detailed planning will enable an organization to navigate the process smoothly and securely. For more information on IPv6, see NIST SP 800-119, Guidelines for the Secure Deployment of IPv6.

Potential Deployment Challenges
FAS-IT anticipates security challenges throughout the deployment process, including:

  • An attacker community that most likely has more experience and comfort with IPv6 than an organization in the early stages of deployment
  • Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks
  • Added complexity while operating IPv4 and IPv6 in parallel
  • Lack of IPv6 maturity in security products when compared to IPv4 capabilities
  • Proliferation of transition-driven IPv6 (or IPv4) tunnels, which complicate defenses at network boundaries even if properly authorized, and can completely circumvent those defenses if unauthorized (e.g. host-based tunnels initiated by end users)
Planning for IPv6 Deployment
FAS-IT solution delivery teams planning the deployment of IPv6 should consider the following during the planning process:
  • IPv6 is a separate protocol that is not backward compatible with IPv4
  • In most cases IPv4 will still be a component of IT (Information Technology) infrastructure. As such, even after the deployment of IPv6, organizations will require mechanisms for IPv6 and IPv4 coexistence.
  • IPv6 can be deployed just as securely as IPv4, although vulnerabilities in the protocol and in immature implementations should be expected to cause an initial increase in IPv6-based vulnerabilities. As a successor to IPv4, IPv6 does incorporate many of the lessons learned by the Internet Engineering Task Force (IETF) from IPv4.
  • IPv6 has already been deployed and is currently in operation in large networks globally.
Overcoming Obstacles to Deployment
To overcome possible obstacles associated with deploying IPv6, FAS-IT solution delivery teams should consider the following recommendations:
  • Encourage staff to increase their knowledge of IPv6 to a level comparable with their current understanding of IPv4
  • Plan a phased IPv6 deployment utilizing appropriate transition mechanisms to support business needs; don’t deploy more transition mechanisms than necessary
  • Plan for a long transition period with dual IPv4/IPv6 coexistence
Mitigating Risks of Partial Deployment
FAS-IT solution delivery teams that are not yet deploying IPv6 globally should implement the following recommendations:
  • Block all IPv6 traffic, native and tunneled, at the organization's firewall. Both incoming and outgoing traffic should be blocked.
  • Disable all IPv6-compatible ports, protocols and services on all software and hardware.
  • Begin to acquire familiarity and expertise with IPv6, through laboratory experimentation and/or limited pilot deployments.
  • Make organization web servers, located outside of the organizational firewall, accessible via IPv6 connections. This will enable IPv6-only users to access the servers and aid the organization in acquiring familiarity with some aspects of IPv6 deployment.
Mitigating Risks of Global Deployment
FAS-IT solution delivery teams that are deploying IPv6 should implement the following recommendations to mitigate IPv6 threats:
  • Apply an appropriate mix of different types of IPv6 addressing (privacy addressing, unique local addressing, sparse allocation, etc.) to limit access to, and knowledge of, IPv6-addressed environments.
  • Use automated address management tools to avoid manual entry of IPv6 addresses, which is prone to error because of their length.
  • Develop a granular ICMPv6 (Internet Control Message Protocol for IPv6) filtering policy for the enterprise. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but others are blocked.
  • Use IPsec (Internet Protocol Security) to authenticate and provide confidentiality to assets that can be tied to a scalable trust model (an example is access to Human Resources assets by internal employees that make use of an organization’s Public Key Infrastructure (PKI) to establish trust).
  • Identify capabilities and weaknesses of network protection devices in an IPv6 environment.
  • Enable controls that might not have been used in IPv4 due to a lower threat level during initial deployment (implementing default deny access control policies, implementing routing protocol security, etc).
  • Pay close attention to the security aspects of transition mechanisms such as tunneling protocols.
  • Ensure that IPv6 routers, packet filters, firewalls, and tunnel endpoints enforce multicast scope boundaries and make sure that Multicast Listener Discovery (MLD) packets are not inappropriately routable.
  • Be aware that switching from an environment in which NAT (Network Address Translation) provides IP (Internet Protocol) addresses to unique global IPv6 addresses could trigger a change in the FISMA (Federal Information Security Modernization Act) system boundaries.
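The two sets of recommendations above, blocking native and tunneled IPv6 where it is not yet deployed and filtering ICMPv6 and multicast scope where it is, can be checked against flow records. The Python below is an added example, not code from the FAS IT-Playbook or from NIST SP 800-119. The Flow record layout, the addresses and the sample flows are constructed; the list of ICMPv6 messages treated as essential follows RFC 4890, and the IP protocol number (41) and Teredo port (UDP 3544) are the standard values for those tunnel types. A production deployment enforces these decisions in the firewall itself; the functions here are for auditing exported flow logs or testing a policy before it is applied.

```python
"""Audit constructed flow records against the IPv6 guidance (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
MULTICAST = ipaddress.ip_network("ff00::/8")

# ICMPv6 error messages that RFC 4890 says a filter must not drop: blocking
# Packet Too Big, for example, silently breaks path MTU discovery.
ESSENTIAL_ERRORS = {1: "Destination Unreachable", 2: "Packet Too Big",
                    3: "Time Exceeded", 4: "Parameter Problem"}
ECHO = {128: "Echo Request", 129: "Echo Reply"}
# Neighbor Discovery and MLD are essential on a link but never legitimate
# across a router, so a boundary filter must not forward them.
LINK_ONLY = {130: "MLD Query", 131: "MLD Report", 132: "MLD Done",
             133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}


@dataclass
class Flow:
    """One flow record (constructed layout, not a real exporter's schema)."""
    src: str
    dst: str
    proto: int                   # IP protocol: 41 = IPv6-in-IPv4, 58 = ICMPv6, 17 = UDP
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def partial_deployment_violation(flow: Flow) -> Optional[str]:
    """On a network that has not deployed IPv6, return why a flow should be
    blocked, or None if it is ordinary IPv4 traffic."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src.version == 6 or dst.version == 6:
        return "native IPv6 on an IPv4-only network"
    if flow.proto == 41:
        return "IPv6-in-IPv4 tunnel (6in4/6to4/ISATAP, IP protocol 41)"
    if flow.proto == 17 and flow.dport == 3544:
        return "Teredo tunnel (UDP/3544)"
    return None


def multicast_scope(addr: Union[str, ipaddress.IPv6Address]) -> Optional[int]:
    """Scope nibble of a multicast address ff0X:: (2 = link, 5 = site,
    8 = organization, 14 = global), or None for a unicast address."""
    addr = ipaddress.ip_address(addr)
    if addr not in MULTICAST:
        return None
    return int(addr.exploded[3], 16)


def icmpv6_boundary_decision(flow: Flow, confined_scope: int = 2) -> str:
    """Decide whether a filter should forward an ICMPv6 message across a
    boundary. confined_scope is the largest multicast scope that must stay
    on the near side: 2 for a router between links, 8 at the organization
    border, where site- and organization-local groups must not leak."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.proto != 58 or src.version != 6 or dst.version != 6:
        return "not-icmpv6"
    scope = multicast_scope(dst)
    if src in LINK_LOCAL or (scope is not None and scope <= confined_scope):
        return "drop: scope must not cross the boundary"
    t = flow.icmp_type
    if t in ESSENTIAL_ERRORS or t in ECHO:
        return "allow: " + (ESSENTIAL_ERRORS.get(t) or ECHO[t])
    if t in LINK_ONLY:
        return "drop: " + LINK_ONLY[t] + " with routable addresses"
    return f"drop: default deny (type {t})"


if __name__ == "__main__":
    # Constructed sample flows seen at the edge of an IPv4-only segment.
    sample = [
        Flow("10.1.2.3", "203.0.113.5", 6, dport=443),
        Flow("10.1.2.3", "203.0.113.9", 41),
        Flow("10.1.2.3", "203.0.113.9", 17, dport=3544),
        Flow("2001:db8::1", "2001:db8::2", 58, icmp_type=128),
    ]
    for f in sample:
        print(f.src, "->", f.dst, ":", partial_deployment_violation(f) or "ok")
```

Two caveats a practitioner should keep in mind. Matching Teredo on UDP/3544 only catches clients talking to a server on the standard port; the data path between peers uses ephemeral ports, so treat the port match as a hint and look for the encapsulated IPv6 header where the sensor can see it. The link-local source and scope checks are what enforce the recommendation that MLD and Neighbor Discovery are never routable: a Router Advertisement with a global source address is still dropped, because its destination ff02::1 is link scope.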

What to expect in the recently released NIST 800-53 Rev 5:

  • Security and privacy controls are integrated into a single, consolidated catalog for information systems and organizations. Privacy elements are now included as part of the unified catalog and integrated throughout 86 controls.
  • New Supply Chain Risk Management (SCRM) control family, with integrations throughout NIST SP 800-53 Rev 5.
  • Security and privacy controls have become more outcome-based.
  • Clarification of the language of requirements, as well as of the relationship between security and privacy controls.
  • Separation of control selection processes and actual controls, making them more accessible to other teams across GSA.
  • New state-of-the-practice controls based on threat intelligence and industry data to support cyber resilience, secure system design, and governance models.
  • Promotion of Integrated Risk Management and cybersecurity best practices (like the NIST CSF), allowing Rev 5 to be scalable and applicable to multiple avenues like large scale IT, cloud-based infrastructure, mobile devices, and IoT devices.
AEA Tip:
Newly developed systems are strongly encouraged to adopt the NIST SP 800-53 Rev 5 control catalog rather than the now-withdrawn Rev. 4; this significantly contributes to the future-proofing of a system's ATO process and its likelihood of AO approval.

On-Premise Systems

The embedded spreadsheet provides a list of General GSA-IT Resources on the first tab and On-Premise Specific Resources on the second tab located at the bottom (see below).

Cloud-based Systems

FAS Cloud Services (FCS) requires tenants to complete specific forms and templates necessary to document security needs.
