GSFC MOVE CA Lessons Learned: Accepted Risk and POAMs Goddard Space Flight Center Mission Operations Voice Enhancement

1. GSFC MOVE C&A Lessons Learned:Accepted Risk and POA&MsGoddard Space Flight CenterMission Operations Voice EnhancementCertification & Accreditation Katie Poole Juri Schauermann Fourteenth NISN Customers� Forum

2. GSFC MOVE Factors making GSFC MOVE C&A unique Stand Alone System Under Strict Vendor Configuration Control Follows IONet Mission Network Policies Categorized as a HIGH system Resultant Findings Mitigated with Residual Risks POA&M, Plan of Actions and Milestones Fourteenth NISN Customers� Forum 2

3. Accepted Risk: IA-02(2) IA-02(2), User Identification And Authentication Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users). (2) The information system employs multifactor authentication for local system access that is NIST Special Publication 800-63 Level 3 (Entrust) or Level 4 (RSA SecureID or PIV Card) compliant. GSFC MOVE This control is implemented through the use of username and passwords on a stand alone network. This meets NIST SP800-63 Level 2 compliance. Statement of Risk Acceptance/Mitigation: MOVE-GSFC uses usernames and passwords on a standalone network to mitigate this risk. Fourteenth NISN Customers� Forum 3

4. Accepted Risk: IA-05 IA-05, Authenticator Management For password-based authentication, the information system will require: A minimum number of 12 characters for the password. � GSFC MOVE The system implements an 8 character minimum password. Statement of Risk Acceptance/Mitigation As a stand alone network, MOVE-GSFC accepts the risk of requiring an 8 character minimum password. Fourteenth NISN Customers� Forum 4

5. Accepted Risk: IR-03(1) �IR-03(1), Incident Response Testing and Exercises The organization tests and/or exercises the incident response capability for the information system annually using applicable NASA incident response policies and guidance to determine the incident response effectiveness and documents the results. (1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability. GSFC MOVE The system does not employ automated mechanisms to test and/or exercise the incident response capability. Statement of Risk Acceptance/Mitigation GSFC-MOVE accepts the risk of not employing automated mechanisms to test and.or exercise the incident response capability. Fourteenth NISN Customers� Forum 5

6. Accepted Risk: PE-10(1) PE-10(1), Emergency Shutoff The organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment. (1) The organization protects the emergency power-off capability from accidental or unauthorized activation. GSFC MOVE The newer Emergency Power Shutoff units do not have a protective cover; the few older units do have a protective cover that must be raised to activate the shutoff. �Statement of Risk Acceptance/Mitigation GSFC-MOVE accepts the risk that the newer Emergency Power Shutoff units do not have a protective cover. Fourteenth NISN Customers� Forum 6

7. Accepted Risk: RA-05 RA-05, Vulnerability Scanning The organization scans for vulnerabilities in the information system monthly or when significant new vulnerabilities potentially affecting the system are identified and reported. GSFC MOVE Vulnerability scan will be run on MOVE-GSFC quarterly. Statement of Risk Acceptance/Mitigation GSFC-MOVE is a stand-alone system and accepts the risk of not running a vulnerability scan every month. Quarterly run vulnerability scans will be sufficient for GSFC-MOVE Fourteenth NISN Customers� Forum 7

8. Accepted Risk: SC-05 SC-05, Denial Of Service Protection The information system protects against or limits the effects of the following types of denial of service attacks: Please visit http://www.us-cert.gov and http://www.cert.org/tech_tips/denial_of_service.html websites for the current list of DoS attacks. GSFC MOVE MOVE-GSFC is a stand-alone system with no remote access, Denial of Service is not a potential threat. Statement of Risk Acceptance/Mitigation MOVE-GSFC is a stand-alone system with no remote access, Denial of Service is not a potential threat. GSFC-MOVE accepts the risk that no Denial of Service protection is implemented. There is no Internet connectivity to/from GSFC-MOVE. Fourteenth NISN Customers� Forum 8

9. Accepted Risk: SC-10 SC-10, Network Disconnect The information system terminates a network connection at the end of a session or after 30 minutes of inactivity. GSFC MOVE The operator workstations (LSAs) will automatically lock and blank the screen after 30 minutes of inactivity. No session is terminated since this is a mission critical system. Statement of Risk Acceptance/Mitigation No sessions are terminated. The operator workstations (LSAs) will automatically lock and blank the screen after 30 minutes of inactivity. GSFC-MOVE accepts this risk because it is a mission critical system. Fourteenth NISN Customers� Forum 9

10. Accepted Risk and POA&M: SI-02 SI-02,Flaw Remediation �The organization identifies, reports, and corrects information system flaws. Vendor or NASA designated critical patches shall be applied within 72 hours. Center "snapshot" of patch status shall automatically be provided weekly for update of the Agency ERS and used for build of the Agency monthly Patch reports. GSFC-MOVE The system uses vulnerability scan reports to identify information system flaws. Flaws are corrected by working the vendor, FUSA, as regression testing may be required. Vendor maintenance and service agreement prohibit NASA from making unauthorized changes. POA&M The vendor is developing the process to maintain the operation system on the LSA system. This will include patch mangement and potentially operating system upgrades upgrades. Fourteenth NISN Customers� Forum 10

11. Accepted Risk and POA&M: SI-02 SI-02, Flaw Remediation Statement of Risk Acceptance/Mitigation The SRD allows NASA to perform Foundstone scans. However, the contract does not allow NASA to address the vulnerabilities that are discovered. Vulnerability fixes that affect the baseline will have to be regression tested in the vendor development area before they can be applied to the MOVE-GSFC systems. The need for vendor regression will delay the implementation of security fixes. Fourteenth NISN Customers� Forum 11

12. Accepted Risk and POA&M: SI-03 SI-03, Malicious Code Protection The information system implements malicious code protection. GSFC MOVE A contract modification is being drafted to mitigate the lack of malicious code protection. �POA&M The vendor responsibilities for malicious code software installatin and management are currently being developed. The vendor will implement a Symantec solution to the LSA system. Statement of Risk Acceptance/Mitigation The vendor maintenance and service agreement prohibits NASA from making unauthorized changes to the vendor baseline without prior testing in the vendor development area. Therefore, it is unlikely that NASA will be able to apply malicious code/anti-virus signatures and engine updates in a timely manner. Fourteenth NISN Customers� Forum 12

13. POA&M: AC-01 AC-01, Access Control Policy and Procedures The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls. AGENCY Planned Correction: HQ personnel will compose NASA IT Requirement (NITR)-2810-18. Status: NITR-2810-18 has been in OCIO for vetting since October 2008. It contained some controversial issues and is currently in the second round of vetting through OCIO Fourteenth NISN Customers� Forum 13

14. POA&M: AU-04, AU-11 AU-04, Audit Storage Capacity The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded. � �AU-11, Audit Record Retention The organization retains audit records for 1 year then: Delete/destroy when no longer needed for administrative, legal, audit or other operational purposes (NPR 1441.1)to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. �MOVE GSFC The MOVE-GSFC has sufficient capacity to hold system logs for 1 year, but is currently configured to store logs for 30 days. POA&M The vendor will reconfigure the system to store audit logs for one year. Fourteenth NISN Customers� Forum 14

15. POA&M: CP-06 CP-06, Alternate Storage Site The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information. GSFC MOVE Backups of the system applications, operating system, and system baselines are stored off-site at an alternate storage site at the vendor�s builidng located in Columbia, Maryland. The system has identified Building 14 as the primary storage site and Building 32 as the secondary/alternate storage site. Since the secondary/alternate site is on center/campus, a POA&M is open. POA&M The system is awaiting the completion of the Code 700 Continuity of Operations Plan. The COOP will contain the specification of an alternate storage site that MOVE - GSFC will evaluate for use. Fourteenth NISN Customers� Forum 15