Transmittal Letter
Information Resource Certification and Accreditation (C&A) Process
Handbook AS-805-A
June 2015

Transmittal Letter

A. Explanation.

As part of the Postal Service's efforts to enhance security across all technology, this handbook establishes the process and guidance for the Postal Service information resource certification and accreditation (C&A) process. The process provides a framework for characterizing an information resource, determining sensitivity and criticality, defining security requirements and controls, testing security solutions, assessing risk, and evaluating the security posture of Postal Service applications to ensure that appropriate, cost-effective information security controls and processes are

This document is available on the Postal Service intranet at

Submit comments and questions to:

CORPORATE INFORMATION SECURITY OFFICE
UNITED STATES POSTAL SERVICE
4200 WAKE FOREST ROAD
RALEIGH NC 27668-1510

Comments may also be sent by e-mail to
Use AS-805-A in the subject

Date.

This handbook is effective (A)

Randy Miskanic
Chief Information Officer and Executive Vice President
June 2015

Contents

1 Introduction .. 1
  1-1 About This Handbook .. 1
  1-2 Purpose of Certification and Accreditation
      Policy Owner
      Handbook Questions or Comments .. 2
  1-3 Importance of Certification and Accreditation .. 2
  1-4 Supporting Documentation .. 2
2 Roles and Responsibilities .. 3
  2-1 Chief Inspector .. 3
  2-2 Executive Vice President and Chief Information Officer .. 5
  2-3 Vice President, Information Technology .. 5
  2-4 Manager, Computer Operations .. 6
  2-5 Manager, Corporate Information Security Office .. 6
  2-6 Vice Presidents of Functional Business Areas .. 6
  2-7 Executive Sponsors .. 7
  2-8 Business Relationship Management Portfolio Managers .. 8
  2-9 Project Managers .. 9
  2-10 Chief Privacy Officer .. 9
  2-11 Certifier .. 9
  2-12 Accreditor .. 10
  2-13 Information Systems Security Officers .. 10
  2-14 Information Systems Security Representatives .. 11
  2-15 Contracting Officers and Contracting Officer Representatives .. 12
  2-16 Business Partners .. 12
  2-17 Disaster Recovery Services .. 13
  2-18 Functional System Coordinators .. 13
  2-19 Functional System Gatekeepers .. 13
3 Information Designation and Control .. 15
  3-1 Elements of the Certification and Accreditation Process .. 15
  3-2 What the Certification and Accreditation Process Applies To
      Typical Information Resources
      Field Information Resources .. 17
  3-3 Frequency of Certification and Accreditation .. 17
  3-4 Funding .. 17
  3-5 Certification and Accreditation Core Team .. 17
4 Certification and Accreditation Process .. 19
  4-1 Phase 1 Initiate and Plan
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Register Information Resource in Enterprise Information Repository
        Hold Certification and Accreditation Meeting
        Assign Information Systems Security Representative .. 20
  4-2 Phase 2 Requirements
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Review Documentation
        Document Application Characteristics
        Conduct Business Impact Assessment
        Update Plan of Action and Milestones and Enterprise Information Repository .. 25
  4-3 Phase 3 Design
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Analyze Requirements
        Develop Network Architecture Diagrams
        Document Security Specifications
        Identify Potential Security Controls
        Select/Design Security Controls
        Develop Security Plan
        Conduct Site Security Review .. 31
  4-4 Phase 4 Build
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Develop, Acquire, and Integrate Information Security Controls
        Harden Information Resources
        Develop Standard Operating Procedures
        Develop Operational Security Training Materials
        Incorporate Security Requirements in Service Level Agreements and Trading Partner Agreements
        Register Information Resources in eAccess .. 34
        Initiate Contingency Planning
        Identify Connectivity Requirements .. 35
  4-5 Phase 5 System Integration Testing
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Develop Security Test and Evaluation Plan
        Conduct Operational Security Training
        Complete Contingency Planning .. 39
  4-6 Phase 6 Customer Acceptance Testing
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Conduct Security Code Review
        Conduct the Security Test and Evaluation
        Conduct Vulnerability Scans
        Conduct Penetration Test
        Conduct Independent Reviews
        Assess Risks
        Conduct Risk Assessment and Develop Risk Mitigation Plan
        ISSO Evaluates C&A Documentation
        ISSO Prepares C&A Evaluation Report
        ISSO Escalates Security Concerns or Forwards C&A Package
        Certifier Escalates Security Concerns or Certifies Information Resource
        Accreditor Escalates Security Concerns or Accredits Information Resource
        VP IT and VP Functional Business Area Prepare and Sign Risk Acceptance Letter (if Required) .. 48
  4-7 Phase 7 Governance Compliance .. 53
  4-8 Phase 8 Release and Production
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Data Conversion
        Deploy Information Resource
        Operate Information Resource
        Test Information Resource Contingency Plans
        Maintain Information Resource
        Reassess Risks and Upgrade Security Controls
        Monitor Operations and Enhance Security Posture .. 55
        Periodically Test Security Controls
        Update Certification and Accreditation Documentation Package
        Re-initiate C&A as Required .. 56
  4-9 Phase 9 Retire
      Objectives
      Deliverables
      Roles and Responsibilities
      Activities
        Dispose of Sensitive-Enhanced or Sensitive Data
        Dispose of Equipment and Associated Electronic Storage
        Retire Information Resource .. 60
5 Independent Reviews .. 65
  5-1 Independent Security Code Reviews
      Criteria for Conducting
      Definition of COTS
      Documentation .. 66
  5-2 Independent Information Security Risk Assessments
      Criteria for Conducting
      Guidelines
      Documentation .. 67
  5-3 Independent Vulnerability Scans
      Criteria for Conducting
      Documentation .. 68
  5-4 Independent Penetration Testing
      Criteria for Conducting
      Documentation .. 68
  5-5 Independent Security Test Validation
      Scope
      Criteria for Conducting
      Process
      Documentation .. 69
6 Re-Initiating the Certification and Accreditation .. 71
  6-1 Purpose .. 71
  6-2 Criteria Forcing Security Recertification
      Scheduled Recertification
      Significant Change
      Other Criteria Forcing Security Recertification .. 72
  6-3 Process
      Requesting a Re-C&A
      Conducting a Re-C&A .. 73
7 Assessment of Offsite Hosted Solutions .. 75
  7-1 Purpose .. 75
  7-2 Process .. 75

Exhibits

Exhibit 2 Relationship of Certification and Accreditation Roles .. 4
Exhibit 3-1 Certification and Accreditation Phases and Major Deliverables .. 16
Exhibit 4-1 Phase 1, Initiate and Plan .. 21
Exhibit 4-2 Phase 2, Requirements .. 26
Exhibit 4-3 Phase 3, Design .. 32
Exhibit 4-4 Phase 4, Build .. 36
Exhibit 4-5 Phase 5, SIT .. 40
Exhibit 4-6 Phase 6, CAT .. 49
Exhibit 4-8 Phase 8 Release and Production .. 57
Exhibit 4-9 Retire .. 61
Exhibit 4-10 C&A Templates .. 62
Exhibit 4-11 C&A Requirements for Information Resources .. 63

1 Introduction

1-1 About This Handbook

This handbook does the the Postal Service information resource electronic certification and accreditation (C&A) the roles and responsibilities in the the deliverables and templates required to complete each phase of the process in order to:

(1) Characterize an information resource.
(2) Determine sensitivity and criticality.
(3) Define security requirements.
(4) Identify controls.
(5) Test security solutions.
(6) Assess risk.
(7) Evaluate the security posture of the information resource.

Certification is the technical analysis that establishes the extent to which an information resource meets specified security requirements. Accreditation is the management analysis that determines, from a business standpoint, whether implemented security controls satisfy specified security requirements and provide an acceptable level of

The information resource C&A process is integrated in the information technology (IT) technical solution life cycle (TSLC) Waterfall and Agile Development

1-2 Purpose of Certification and Accreditation

The C&A is the process the Postal Service uses to evaluate the protection of its information resources so that risks associated with deployment can be appropriately managed throughout the life

Policy Owner

The policy owner of this handbook is the Corporate Information Security Officer (CISO).

