Board Report: 2015-IT-B-001 January 30, 2015
The Board is relying on FRB Richmond to provide all low and moderate PE controls for the data center and to provide for their ongoing review; however, the Board has not confirmed that the implementation of the controls provided by FRB Richmond will meet Board requirements. In addition, to meet Board requirements, a security plan must be created for the data center and a risk assessment must be conducted. The BISP states that information system owners are responsible for the development and maintenance of a system security plan and that all Board information systems must undergo a formal risk assessment. Further, the Federal Information Security Management Act of 2002 requires agencies to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor, or other source. To meet this requirement, the Board's Information Security Officer (ISO) has signed two memorandums, relying on the Division of Reserve Bank Operations and Payment Systems' (RBOPS) reviews of the Baltimore facility and on FRB Richmond's implementation of the SAFR program's controls. While both the BISP and the SAFR program are built on NIST SP 800-53, implementation of each program's standards can differ. The ISO, who is ultimately responsible for maintaining the appropriate operational security posture, must ensure that the controls meet the Board's own requirements, that compensating controls have been designed, or that the risk has been accepted.
In December 2013, the ISO issued a memorandum indicating that he was relying on RBOPS's review of the building and physical security controls associated with the Baltimore Branch of FRB Richmond and that a separate Federal Information Security Management Act of 2002 review would not be required. RBOPS conducts periodic reviews to ensure that the Reserve Banks are complying with the Board's guidelines. While the RBOPS review is not conducted based on NIST SP 800-53, at the request of the Division of Information Technology (Division of IT), RBOPS reconciled its review with the SP 800-53 controls. RBOPS determined that while its review did not cover all PE controls, it did encompass PE protection policy and procedures, physical access authorizations, physical access control, monitoring physical access, and access records (NIST SP 800-53 controls PE-1, 2, 3, 6, and 8, respectively). The ISO's reliance on RBOPS, therefore, was limited to building and physical security controls focused on the current, existing physical structure, current rights of way, visible and nonvisible perimeter security assemblies and barriers, access controls (internal and external), and visitor registration processes.
For assurance that all PE controls will be implemented, in April 2014, the ISO issued a second memorandum indicating that he would rely on FRB Richmond's implementation of SAFR, which includes both the implementation and periodic assessment of the required PE controls. The memorandum states that FRB Richmond is responsible for providing all low and moderate controls identified in the PE control family. However, there are differences between SAFR requirements and BISP requirements. The ISO further stated that the Board reserves the right to review FRB Richmond's documentation, including its Security Plan, which documents how FRB Richmond supports the PE controls, and its Security Assessment Reports regarding the PE controls. As the Security Assessment Reports will be prepared using SAFR criteria, SAFR requirements should be reconciled with BISP requirements to ensure that the SAFR review of the controls will also certify compliance with Board criteria.
While both programs are built on NIST SP 800-53, implementation of each program's standards can differ. For example, NIST SP 800-53 includes a control for monitoring physical access, PE-6. This control leaves the frequency of monitoring open to organizationally defined time frames. The BISP's baselines require monthly reviews, but the SAFR program only requires quarterly reviews. While FRB Richmond can implement controls, the ISO must still ensure that the controls meet the Board's own requirements, implement compensating controls, or accept the risk.
While the PE controls for the data center have been planned, a security plan had not been documented at the close of our fieldwork. Documenting the controls for the data center will assist in comparing BISP requirements with SAFR requirements to ensure that all planned controls will ultimately meet Board requirements.
The BISP requires that system security plans be developed for all information systems that fully describe the security environment of the information system. The security plan acts as the central reference for how information systems implement required and supplemental security controls and for the acceptance of residual risk. The information system owner is responsible for the development and maintenance of a system security plan.
PE controls have been designed for the data center with input from the Board, FRB Richmond, and the A/E firm, but they have not been consolidated into a security plan. In September 2012, the Division of IT issued Data Center Design Guidelines to outline potential controls for the new data center. This document was then used by the Board in October 2012 to create the Data Center High Level Requirements document. Subsequently, the Data Center High Level Requirements document was provided to the A/E firm, which in September 2013 developed the Facility and Infrastructure Design Criteria Program. This document contains the specific planned design elements for the new data center.
The BISP requires that all information systems undergo a formal risk assessment based on NIST standards. This formal risk assessment determines the information security controls that are needed beyond the security control baselines to ensure that the security implemented in the information system is commensurate with the risk and magnitude of harm that can result from the loss, misuse, unauthorized access to, or modification of information generated, stored, or processed by the information system. Each vulnerability must be evaluated to determine whether the risk to the Board can be justifiably accepted or, if the risk is unacceptable, how the risk can be reduced.
As it applies to the data center, the risk assessment should be used to evaluate the planned PE controls and to assess and accept or mitigate risks resulting from differences between SAFR and BISP requirements. Based on the residual risk, the information owner should decide whether additional controls need to be implemented to lower the residual risk to an acceptable level.
Further, the risk assessment should be used to obtain system owner approval for major security control decisions. For example, the original Data Center Design Guidelines called for a gaseous and a water-based fire suppression system, but the A/E firm later recommended installing only a dry-pipe, water-based fire suppression system. This recommendation was discussed at length among the project management personnel from the Board and FRB Richmond and was ultimately accepted. While the decision was discussed among the project team and documented, if the team determined that there is a resulting risk, that risk should be documented in a risk assessment and formally accepted by the system owner.
There are risks associated with a water-based fire suppression system, such as damage to equipment, and we also noted that the system will not be linked with the emergency power-off function to automatically stop the flow of electricity in the event of a fire. The data center project team discussed this issue at length and ultimately decided to maintain the two systems as independent entities. If this selection poses risk, this decision should also be documented in a risk assessment and formally accepted by the system owner.
The ISO stated that the formal system security plan and risk assessment process is planned to be completed prior to signing an authorization to operate. Subsequent to our fieldwork, Board staff began to develop a spreadsheet that identifies how the data center will meet each PE control in the BISP. This spreadsheet includes the BISP PE control baseline and responses from the Board, RBOPS, and FRB Richmond regarding how each individual control will be met. It also lists the artifacts that will be available for corroboration.
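As an added illustration (not part of the report, and not the Board's or FRB Richmond's own tooling), the following Python script performs the kind of reconciliation described for the PE-6 frequency difference above and for the control spreadsheet: it compares a Board baseline against a provider baseline, flags each control the provider implements less strictly or not at all, and lists the gaps that still lack a recorded compensating control or risk acceptance. Only the PE-6 periods (monthly versus quarterly) come from the report; the other control entries, artifacts and the decision record are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Organization-defined review frequencies, normalised to days for comparison.
FREQUENCY_DAYS = {"weekly": 7, "monthly": 30, "quarterly": 91, "annually": 365}


@dataclass
class ControlEntry:
    control: str              # NIST SP 800-53 identifier, e.g. "PE-6"
    frequency: Optional[str]  # review period, or None when the control has none
    artifact: str             # evidence that will be available for corroboration


def find_gaps(board: dict, provider: dict) -> dict:
    """Map each Board control the provider covers less strictly (or not at all)
    to the reason; a provider period is acceptable only if no longer than the Board's."""
    gaps = {}
    for cid, required in board.items():
        offered = provider.get(cid)
        if offered is None:
            gaps[cid] = "control not provided by the service provider"
        elif required.frequency and (
            offered.frequency is None
            or FREQUENCY_DAYS[offered.frequency] > FREQUENCY_DAYS[required.frequency]
        ):
            gaps[cid] = f"reviewed {offered.frequency or 'never'}, Board requires {required.frequency}"
    return gaps


def open_items(gaps: dict, decisions: dict) -> list:
    """Gaps that still lack a recorded compensating control or risk acceptance."""
    return sorted(cid for cid in gaps if cid not in decisions)


# Constructed sample baselines: only the PE-6 periods (monthly vs quarterly) come
# from the report; the other entries, artifacts and decisions are illustrative.
BISP = {
    "PE-3": ControlEntry("PE-3", None, "badge system configuration"),
    "PE-6": ControlEntry("PE-6", "monthly", "physical access log review record"),
    "PE-10": ControlEntry("PE-10", None, "emergency shutoff test record"),
}
SAFR = {
    "PE-3": ControlEntry("PE-3", None, "badge system configuration"),
    "PE-6": ControlEntry("PE-6", "quarterly", "physical access log review record"),
}
DECISIONS = {"PE-10": "risk accepted by system owner (placeholder)"}

if __name__ == "__main__":
    for cid, why in find_gaps(BISP, SAFR).items():
        print(cid, "-", why)
    print("undispositioned:", open_items(find_gaps(BISP, SAFR), DECISIONS))
```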
We recommend that the Director of the Division of IT
The Director of the Division of IT agreed with our recommendation, outlined corrective actions taken to compare the implementations to the Board's security requirements, and stated that the Board's ISO will work with the 5th District to address identified risks and ensure the controls are appropriately documented in a security plan.
In our opinion, the actions described by the Director are responsive to our recommendation. We plan to follow up on the division's actions to ensure that the recommendation is fully addressed.