ML22080A023

From kanterella
CSO-PROS-1325_External_IT_Service_Authorization_Process
ML22080A023
Person / Time
Issue date: 09/01/2021
From: Jonathan Feibus, NRC/OCIO
To:
Shared Package: ML22077A369
List:
References: CISO-PROS-1325


Text

Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-1325
Title: External IT Service Authorization Process
Revision Number: 2.4
Effective Date: September 1, 2021
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO
Summary of Changes:

CSO-PROS-1325, External IT Service Authorization Process, defines the authorized process that must be followed to obtain authorization to use an external IT service that is being adopted into the NRC environment.

Office Owner: OCIO/CSO
Primary Agency Official: Garo Nalabandian, Acting Chief Information Security Officer (CISO)

CSO-PROS-1325 Page i

TABLE OF CONTENTS

1 PURPOSE 1
2 GENERAL REQUIREMENTS 1
  2.1 PREREQUISITES 2
    2.1.1 Consult with Computer Security Organization 2
    Examine Provider's Authorization Documentation 2
    Request Access to FedRAMP Authorization Documentation 3
    Request Access to Government Agency External IT Service 3
  2.2 INITIATION OF NRC INTAKE PROCESS FOR APPROVAL 4
  2.3 APPROVAL IN THE TECHNICAL REFERENCE MODEL 4
3 SPECIFIC REQUIREMENTS 4
  3.1 STEP ONE: OBTAIN A SHORT-TERM AUTHORIZATION 5
  3.2 STEP TWO: DEVELOP NRC-REQUIRED ARTIFACTS 5
  3.3 STEP THREE: PERFORM ASCA 6
  3.4 STEP FOUR: RECEIVE AUTHORIZATION OR DENIAL OF EITSA REQUEST 7
  3.5 STEP FIVE: SUBMIT A FEDRAMP ATO LETTER 7
  3.6 STEP SIX: PERFORM CONTINUOUS MONITORING 7
ACRONYMS 8
REFERENCES 10
EITSA ROLES AND RESPONSIBILITIES 11

Computer Security Process CSO-PROS-1325: External IT Service Authorization Process

1 PURPOSE

CSO-PROS-1325, External IT Service Authorization Process, provides the steps that must be followed to obtain authorization to use an external information technology (IT) service that is being adopted into the Nuclear Regulatory Commission (NRC) environment.

External IT services include, but are not limited to, the following:

  • External IT services that are hosted by an NRC contractor or vendor and that are used or operated on behalf of the agency.
  • External IT services used by the NRC that are owned and operated by another federal agency.
  • External cloud services used or operated on behalf of the NRC.

The information contained in this document is intended to be used by system owners, information system security officers (ISSOs), NRC IT project managers, system administrators, independent assessors, and other stakeholders responsible for implementing and authorizing IT services in the NRC environment.

2 GENERAL REQUIREMENTS

The NRC External IT Service Authorization (EITSA) process must be followed for the successful authorization of IT services external to NRC.

This EITSA process is a separate and distinct process from the NRC acquisitions and procurement processes; however, this authorization process must be performed concurrently with NRC acquisitions and procurement processes to:

  • Avoid a scenario where the NRC becomes financially and contractually responsible for an IT service that is not Federal Risk and Authorization Management Program (FedRAMP) authorized; and
  • Ensure certain agreements developed during the NRC acquisitions process (e.g., statements of work [SOWs], service level agreements [SLAs], memorandums of understanding [MOUs], interconnection security agreements [ISAs]) are available to be used as supporting artifacts, which are required throughout the EITSA process.

As stated in the Office of Management and Budget (OMB) M-14-03, Enhancing the Security of Federal Information Systems, federal information systems and organizations shall ensure that cloud deployments are authorized through FedRAMP [1]. All cloud services holding federal data require FedRAMP authorization. If the service is not FedRAMP approved, contact the NRC inventory team at CSO_Inventory@nrc.gov for next steps. Approval of a non-FedRAMP authorized service is considered a special circumstance and requires support from the Authorizing Official (AO) and a recommendation email from the Chief Information Security Officer (CISO).

For other types of external IT services provided by another government agency, system owners or designees must ensure that the external IT service has a valid, current ATO.

2.1 Prerequisites

The system owner or designee must ensure the following activities are completed before procurement, and the subsequent authorization of an external IT service, can be considered:

  • Consult with the Computer Security Organization (CSO);
  • Examine the service provider's authorization documentation;
  • Receive NRC Intake Team approval; and
  • Receive Technical Reference Model (TRM) approval.

These prerequisites are described in detail in the following subsections.

NOTE: Failure to perform these prerequisites could cause an immediate denial to continue with the authorization effort.

2.1.1 Consult with CSO

System owners or designees must consult with their CSO point of contact (POC) to explain the purpose and scope of the external IT service procurement. This meeting allows CSO to determine:

  • If the external IT service can be subsumed by another NRC information system's boundary or if a new information system is required;
  • If there are any known security implications that could affect NRC data and/or the NRC network; and/or
  • If any potential changes to the authorization process are necessary.

Examine Provider's Authorization Documentation

Once the consultation with CSO has taken place and no roadblocks have been identified, system owners or designees must obtain access to and review the provider's authorization documentation for the external IT service to uncover any possible security concerns. Such documentation includes, but is not limited to, the Privacy Impact Assessment (PIA), the Security Categorization Report, the System Security Plan (SSP), the latest Security Assessment Report (SAR), the Plan of Action and Milestones (POA&Ms), and any approved system deviations.

[1] An Authorization to Operate (ATO) for a FedRAMP cloud solution can either be issued by another government agency (Agency ATO, A-ATO) or through the Joint Authorization Board (JAB) as a Provisional ATO (P-ATO); either is acceptable.

The NRC system owner or designee must consider the following when reviewing the provider's authorization documentation:

  • Is the ATO still current and valid;
  • Are all continuous monitoring requirements being met;
  • Is the external organization or service provider managing risk and closing POA&Ms;
  • Are there any security concerns that may be unacceptable to the NRC; and
  • Has the service provider satisfied any conditions documented in the information system's ATO.

After the NRC system owner or designee reviews the security documentation and has no security concerns with the external service provider, the CSO POC must be notified that the project will be moving forward.

Request Access to FedRAMP Authorization Documentation

Authorization documentation for all FedRAMP authorized cloud service offerings is stored in FedRAMP's secure repository on the OMB MAX system, where access is explicitly authorized by the FedRAMP Project Management Office (PMO). NRC personnel requesting access to a package must complete the following process:

1. Locate the cloud service offering on the FedRAMP Marketplace and complete the appropriate Package Access Request Form.
2. Complete the Package Access Request Form using the Package ID assigned to the cloud service offering.
3. Email the completed Package Access Request Form to the NRC CISO (use the CISO@NRC.gov address) for signature and agency approval.

The NRC CISO or designee will digitally sign the Package Access Request Form and email the form back to the NRC personnel requesting access, who will then email the form to the FedRAMP PMO. The FedRAMP PMO will email the NRC personnel requesting access with instructions on how to access the authorization package through OMB MAX [2]. This allows 30 days of access to the security documentation. Instructions on how to submit the Package Access Request Form to the FedRAMP PMO are provided in the form itself.

Request Access to Government Agency External IT Service

For external IT services owned and operated by another agency, the NRC system owner/designee and/or ISSO must request authorization documentation from the POC at the outside agency. If the outside agency does not wish to share authorization documentation with the NRC, please contact the CSO POC for further instructions.

[2] Please note that Amazon Web Services (AWS) hosts authorization documentation on CapLinked as opposed to OMB MAX. Instead of instructions specifying how to access an authorization package through OMB MAX, FedRAMP will provide instructions on how to access AWS authorization packages through CapLinked. The request process is identical.

2.2 Initiation of NRC Intake Process for Approval

After consultation with the CSO POC has taken place and security documentation has been reviewed with no concerns, the system owner or designee must ensure that the new IT products are presented to the NRC's Intake Technical Review Team (TRT) for review, to ensure that the external IT service does not introduce unacceptable risks to the NRC. The external IT service must be approved by the Intake TRT to move forward. Information on the intake process can be found at https://drupal.nrc.gov/ocio/catalog/55704.

2.3 Approval in the Technical Reference Model

Once the new IT products are approved by the Intake TRT, they are listed in the TRM. TRM information can be found at https://usnrc.sharepoint.com/teams/NRC-Information-Technology-Standards.

NOTE: The external IT service will not get approved by the Intake TRT without knowing the NRC information system boundary and assurance there is a pathway for authorization.

3 SPECIFIC REQUIREMENTS

This section provides the specific methodology that system owners or their designee must use to obtain an authorization for an external IT service.

The process steps include:

1. Step One: Obtain a Short-Term Authorization: A Short-Term Authorization allows an organization to build, test, and deploy an information system prior to a full authorization.
2. Step Two: Develop NRC-Required Artifacts: All external IT services that are authorized to operate within the NRC require the development of security artifacts. These artifacts define and categorize the types of NRC information (including privacy information) that will be stored, processed, or transmitted by the external IT service, specify the security controls that will be implemented by the NRC to help protect such information, and outline the specific procedures that NRC staff must follow to ensure all stated protections are operating as intended.
3. Step Three: Perform Authorization System Cybersecurity Assessment (ASCA): An ASCA must be performed on the external IT service in accordance with CSO-PROS-2102, System Cybersecurity Assessment Process, before it can be fully authorized. The ASCA will test the effectiveness of the security controls implemented by the NRC and provide an analysis of risk on the use of the external IT service that will allow the AO to make an authorization determination.
4. Step Four: Receive Authorization or Denial of EITSA Request: The CISO reviews the ASCA results and provides a recommendation (i.e., approve, deny, or refer) to the AO, who then makes the final decision.
5. Step Five: Submit a FedRAMP ATO Letter: System owners or designees must submit the NRC ATO decision to the FedRAMP PMO to ensure permanent access to the external IT system security artifacts and to facilitate the management and oversight of the external IT service. Note that this helps NRC system owners to be compliant with security control System and Services Acquisition (SA)-9, External Information System Services [3], which requires organizations to monitor security control compliance by external service providers on an ongoing basis. System owners or designees can also submit a FedRAMP ATO letter when a Short-Term Authorization has been granted.
6. Step Six: Perform Continuous Monitoring: As with on-premise NRC systems, system owners must perform continuous monitoring on external IT services in accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

NOTE: Step One and Step Two must be completed before Step Three can begin.

These six process steps are described in detail in the following subsections.

3.1 Step One: Obtain a Short-Term Authorization

Once all prerequisites have been completed, and the external IT service has been procured, the system owner has several available authorization options that would allow the external IT service to be built, tested, and deployed prior to a full authorization. Whether the proposed Cloud Service Offering is an Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS), a Short-Term Authorization request may be appropriate for testing and deployment in preparation for obtaining a full authorization.

Refer to CSO-PROS-1341, Short-Term Authorization Process, which defines the steps for obtaining a Short-Term Authorization for deploying an external IT service within NRC systems.

NOTE: This process does not apply to external IT services provided by other government agencies.

3.2 Step Two: Develop NRC-Required Artifacts

While undergoing the Short-Term Authorization, the ISSO or designee must begin the development of the following NRC artifacts:

Privacy Threshold Analysis (PTA)/PIA: The Office of the Chief Information Officer (OCIO) privacy group must review and approve the PTA/PIA to determine if the external IT service should be considered a Privacy Act System of Records, initiating specific protections that the system owner and ISSO must employ to protect NRC data.

Security Categorization Report: The CISO must first review and approve the NRC security categorization before other NRC artifacts can be developed. Refer to CSO-PROS-2001, System Security Categorization Process, for more information.

SSP: The NRC SSP provides the details for all of the security controls the NRC is responsible for implementing.

TIP: One of the FedRAMP security artifacts that system owners have access to is the Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM). This document summarizes the implementation status of each security control and the party responsible for maintaining that security control: whether the customer is fully responsible for the security control, partially inherits the security control (there are some customer responsibilities), or the security control is fully implemented by the CSP (no responsibilities for the customer). The CIS/CRM provides details for what the customer responsibilities are for a given security control, including responsibilities for optional services (applicable depending on which services the customer acquires). System owners or designees can use the CIS/CRM to assist them in developing the NRC security controls baseline, which is then documented in the SSP. Refer to CSO-PROS-7002, Security Control Tailoring Process, for further guidance on security control tailoring.

[3] NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4.

Supporting Security Artifacts: Supporting security artifacts can include administrative processes and procedures, design and build documents, and system diagrams that are necessary to facilitate the NRC's implementation of the external IT service.

All NRC security artifacts must be completed before the assessment activities can begin for eventually obtaining an ATO.

3.3 Step Three: Perform ASCA

Assessment and authorization activities begin approximately six to eight months prior to the expiration of the Short-Term Authorization, assuming all of the prerequisites documented in Section 2.1, Prerequisites, have been met.

An independent assessor conducts the ASCA, gathers results, and develops security reports in accordance with CSO-PROS-2102, System Cybersecurity Assessment Process. The ASCA focuses on the NRC's implementation of the security control baseline and verifies security control inheritance from the CSP.

Independent assessors examine external ATO artifacts (i.e., FedRAMP, agency) to verify that certain mandatory NRC requirements for external IT services are being met. The assessment does not test any portion of a security control solely provided by the external IT service provider, or security controls that are inherited from another NRC system, such as the Information Technology Infrastructure (ITI) system. Those inherited security controls are assessed as hybrid NRC security controls, in accordance with CSO-PROS-2102 and CSO-STD-0021, Common and Hybrid Security Control Standard. The assessment is focused on those security controls that are the responsibility of the NRC.

After the ASCA package is finalized, the ISSO must prepare the ATO and consideration for ongoing authorization request to the CSO POC using CSO-TEMP-1328, Ongoing Authorization Request Email Template, which is available on the CSO Federal Information Security Modernization Act (FISMA) Repository.

NOTE: Although a full assessment is not conducted on security control implementation provided by the external service provider, assessors examine external authorization packages to ensure that the use of the external IT service does not unduly increase the risk exposure of the NRC. The assessor examines the authorization packages to include all layers of the stack (i.e., infrastructure, platform, and software layers) to ensure that all services that process, transmit, or store NRC data are adequately protected.

3.4 Step Four: Receive Authorization or Denial of EITSA Request

A decision is made to approve, conditionally approve, or deny the NRC authorization of the external IT service. The decision is formalized in an ATO email, which is provided to the NRC system owner and ISSO.

NOTE: The system owner and ISSO must consult with the CSO POC to determine a path forward should the authorization request be denied.

3.5 Step Five: Submit a FedRAMP ATO Letter

Once the authorization has been granted, system ISSOs must provide the FedRAMP PMO with the NRC ATO letter. Having an ATO letter on file enables the FedRAMP office to contact the NRC if FedRAMP obtains relevant security information related to the CSP responsibilities that should be disseminated to the CSP's customers. It also allows the NRC to have permanent access to the CSP's security documentation.

For this purpose, a FedRAMP ATO letter template and an email submittal template were developed and are located in the CSO FISMA Repository. The ISSO must complete the FedRAMP ATO letter and submit it to the CSO POC. Further instructions for completing and submitting the FedRAMP ATO letter are in CSO-TEMP-1334, FedRAMP ATO Letter Submittal Email Template.

3.6 Step Six: Perform Continuous Monitoring

Continuous monitoring/continuous diagnostic activities are mandated by the Federal Information Security Modernization Act, Public Law 113-293, dated December 19, 2014.

These activities begin after a formal authorization has been granted. The goal of continuous monitoring/continuous diagnostics is to ensure that the system owner and ISSO maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, in accordance with NIST SP 800-137.

The NRC system owner, ISSO, and the external IT service provider must comply with all continuous monitoring requirements for the external IT service, including any applicable FedRAMP continuous monitoring requirements. These activities occur throughout the system lifecycle of the external IT service.

Refer to CSO-PROS-1323, NRC Agencywide Continuous Monitoring Program, for detailed information on continuous monitoring requirements.

NOTE: If the NRC system owner or designee wants to extend the external IT service boundary to include more features, the ISSO must make the request to the CISO who has the authority to approve or deny the request.

ACRONYMS

A-ATO: Agency Authorization to Operate
AO: Authorizing Official
ASCA: Authorization System Cybersecurity Assessment
ATO: Authorization to Operate
AWS: Amazon Web Services
CIO: Chief Information Officer
CIS: Customer Implementation Summary
CISO: Chief Information Security Officer
CRM: Customer Responsibility Matrix
CSO: Computer Security Organization
CSP: Cloud Service Provider
EITSA: External IT Service Authorization
FedRAMP: Federal Risk and Authorization Management Program
FISMA: Federal Information Security Modernization Act
IaaS: Infrastructure as a Service
ISA: Interconnection Security Agreement
ISCM: Information Security Continuous Monitoring
ISSO: Information System Security Officer
IT: Information Technology
ITI: Information Technology Infrastructure
JAB: Joint Authorization Board
MOU: Memorandum of Understanding
NIST: National Institute of Standards and Technology
NRC: Nuclear Regulatory Commission
OCIO: Office of the Chief Information Officer
OMB: Office of Management and Budget
P-ATO: Provisional Authorization to Operate
PaaS: Platform as a Service
PDF: Portable Document Format
PIA: Privacy Impact Assessment
PIV: Personal Identity Verification
PMO: Program Management Office
POA&M: Plan of Action and Milestones
POC: Point of Contact
PROS: Process
PSCA: Periodic System Cybersecurity Assessment
PTA: Privacy Threshold Analysis
SA: System and Services Acquisition
SaaS: Software as a Service
SAR: Security Assessment Report
SCA: System Cybersecurity Assessment
SLA: Service Level Agreement
SOW: Statement of Work
SP: Special Publication
SSP: System Security Plan
TRM: Technical Reference Model
TRT: Technical Review Team

REFERENCES

OMB M-14-03, Enhancing the Security of Federal Information Systems
Federal Information Security Modernization Act, Public Law 113-293, dated December 19, 2014
The Privacy Act of 1974, 5 U.S.C. § 552a, as amended
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
NRC Management Directive 11.1, NRC Acquisition of Supplies and Services
NRC Management Directive 12.5, NRC Cybersecurity Program
CSO-PROS-1323, NRC Agencywide Continuous Monitoring Program
CSO-PROS-1341, Short-Term Authorization Process
CSO-STD-2102, System Cybersecurity Assessment Process
CSO-STD-0021, Common and Hybrid Security Control Standard
CSO-TEMP-1328, Ongoing Authorization Request Email Template
CSO-TEMP-1334, FedRAMP ATO Letter Submittal Email Template

EITSA ROLES AND RESPONSIBILITIES

The following table provides the high-level roles and responsibilities associated with the EITSA process.

Role: CIO
  • Oversees the NRC's external IT service program at the enterprise level
  • Meets with system owners and ISSOs to discuss the viability of implementing IT service solutions within the NRC environment, if necessary

Role: AO
  • Executive that issues an authorization and approves all risks related to the use of an external IT service

Role: System Owner
  • Makes overall decisions concerning external IT services and service providers to be employed
  • Facilitates the process of procuring an external IT service
  • Consults with the CSO POC concerning external IT service solutions and the security implications associated with employing those solutions
  • Facilitates service contracts and other required service agreements

Role: ISSO
  • Ensures the overall IT security for external IT services adopted within the NRC
  • Ensures service provider compliance with all applicable ATO and FedRAMP requirements
  • Facilitates the EITSA process
  • Submits authorization requests for external IT services
  • Coordinates with the CSO POC to ensure security parameters are being met during the authorization process
  • Develops required NRC system artifacts / ensures required NRC system artifacts are developed
  • Facilitates development and testing of NRC components (if applicable) and NRC processes in accordance with NRC policy
  • Ensures continuous monitoring compliance in accordance with CSO-PROS-1323 and the most recent NRC IT Security Risk Management Activities Memo
  • Ensures service provider compliance with all applicable continuous monitoring requirements set forth by sponsoring government agencies and the FedRAMP PMO

Role: CISO
  • Approves FedRAMP Package Access Request Forms
  • Approves NRC security categorizations

Role: CSO POC
  • Consults with system owners and ISSOs to discuss security implications associated with the use of an external IT service
  • Assists system owners and ISSOs in facilitating the EITSA process
  • Approves the NRC security control baseline (i.e., security, privacy, and program management controls for which the NRC is at least partially responsible)
  • Determines NRC artifacts that must be developed
  • Determines if any EITSA process steps can be exempt

Role: Independent Assessor
  • Authorized by the AO to conduct independent assessments
  • Analyzes external IT service documentation (e.g., A-ATO/P-ATO, SLAs) to detect notable security concerns that could affect the security state of NRC data or the NRC operating environment
  • Performs NRC Security Control Responsibility Analysis
  • Conducts independent system cybersecurity assessment (SCA) in accordance with CSO-PROS-2102 on the NRC security control baseline
  • Validates the NRC security control baseline in the SSP
  • Performs periodic SCA (PSCA) annually as required by CSO-PROS-1323 and the most recent NRC IT Security Risk Management Activities Memo
  • Analyzes external IT service POA&M information to validate that the external service provider is remediating/mitigating weaknesses, and to determine if any new notable security concerns are present that could affect the security state of NRC data or the NRC operating environment

CSO-PROS-1325 Change History

Date | Version | Description of Change | Method Used to Announce & Distribute | Training
29-Jan-14 | 1.0 | Initial issuance | CSO web page and email distribution to ISSOs | Upon request
07-Feb-18 | 2.0 | Update | OCIO/CSO website | Upon request
25-Jul-19 | 2.1 | Edits to the FedRAMP ATO letter | OCIO/CSO website | Upon request
11-Dec-19 | 2.2 | Edits to account for Short-Term Authorization Process | OCIO/CSO website | Upon request
10-Aug-21 | 2.3 | Updates based on changes to the process | OCIO/CSO website | Upon request
05-Nov-21 | 2.4 | Removed references to EITSA checklist | OCIO/CSO website | Upon request