
NARA’s FY 2022 Federal Information Security Modernization Act of 2014 Audit

Report Information

Date Issued:
Report Number: 22-AUD-09
Report Type: Audit
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Ensure a complete security authorization package for each major application and general support system is completed prior to deployment into production.

Identify all FISMA reportable systems in which the AO listed within the ATO has subsequently changed.

For those systems identified in which the AO listed in the ATO has changed, NARA should follow the NARA Security Methodology for Certification and Accreditation and Security Assessment regarding requirements upon changes in AO. This is a separate...

Update the CFM for ongoing authorizations to include examples of situations where a change in status could prompt the independent security control assessor to recommend re-certification of a system.

Continue to analyze and prioritize remediation efforts to accomplish security and control objectives. Key tasks should include but are not limited to those systems identified in which the AO listed in the ATO has changed, NARA should follow the NARA...

Perform a reconciliation of all NARA hardware asset inventories to ensure all data, such as assignments and status, is accurately and completely stated, investigating any unusual or potentially duplicate entries and making revisions as needed.

Develop and implement formalized procedures to ensure that, for those systems utilized by NARA and managed by Cloud Service Providers, controls for which NARA has a shared responsibility are reviewed on an annual basis, documented, and assessed as to...

For future agreements, the CIO should:
● Require that providers of external information system services comply with NARA
information security requirements,
● Define and document government oversight and user roles and responsibilities
with regard to...

Add an addendum to current agreements which requires compliance with NARA’s
information security requirements.

Conduct risk assessments for each system in operation and establish policies or procedures to ensure that risk assessments are conducted at least annually.

Ensure IT policies, procedures, methodologies, and supplements are reviewed and approved in accordance with NARA Directive 111.

Document Information Services' review of Cross-site Request Forgery tokens for external web applications and, if an issue is identified, document the remediation efforts or other existing mitigations in place to protect against cross site forgery...

Implement improved processes to remediate security deficiencies on NARA's network infrastructure, to include enhancing its patch and vulnerability management program to address security deficiencies identified during our assessments of NARA's...

Ensure all information systems are migrated away from unsupported operating systems to operating systems that are vendor-supported.

Document, communicate and implement NARA's configuration management processes applicable to all NARA systems, not just those under ECAB control, within NARA's Configuration Management (CM) program management plan or other NARA methodology.

The CIO should implement the following corrective actions:
● Complete efforts to implement the Net IQ Sentinel product,
● Develop and implement processes and procedures to monitor and at least weekly
review user activity and audit logs (in accordance...

Ensure user system accounts for all systems are periodically reviewed and automatically disabled in accordance with NARA policy.

Ensure upon termination of employment, all system access is disabled in accordance with the applicable system security plan defined period, as described under control PS-4 "Personnel Termination."

Ensure audit logging is enabled for each major information system.

Ensure periodic reviews of generated audit logs are performed for each major information system.

Ensure password configuration settings for all major information systems are in accordance with NARA IT Security Requirements.

Ensure the use of shared/group accounts is restricted to only those users with a valid business justification, by enhancing user account review procedures to incorporate reviews of shared/group account membership and reasonableness.

Ensure a process is developed, documented, and implemented to change passwords whenever users within shared/group accounts change.
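The account-management recommendations above (periodic review and automatic disabling of accounts, disabling access on termination per PS-4, restricting shared/group accounts to justified uses, and rotating a shared password whenever its membership changes) describe the checks a periodic account review has to make. The block below is an added example of such a review run over a constructed account export; it is not NARA's tooling, the record fields and the 90-day inactivity threshold are assumptions, and the sample accounts are invented.

```python
from datetime import date
from typing import Dict, List, Optional

# Assumed policy threshold; the value NARA actually uses is not stated in the report.
INACTIVITY_LIMIT_DAYS = 90

# Fixed review date so the run is reproducible.
REVIEW_DATE = date(2022, 6, 30)

# Constructed sample account export (invented records, not NARA data).
ACCOUNTS = [
    {"name": "jdoe", "kind": "individual", "enabled": True,
     "last_login": "2022-06-01", "separated": None},
    {"name": "asmith", "kind": "individual", "enabled": True,
     "last_login": "2022-01-10", "separated": None},
    {"name": "bwhite", "kind": "individual", "enabled": True,
     "last_login": "2022-06-20", "separated": "2022-06-24"},
    {"name": "svc_backup", "kind": "shared", "enabled": True,
     "last_login": "2022-06-29", "justification": "nightly backup job",
     "members": ["jdoe", "asmith"],
     "membership_changed": "2022-03-01", "password_changed": "2022-03-02"},
    {"name": "helpdesk_shared", "kind": "shared", "enabled": True,
     "last_login": "2022-06-29", "justification": "",
     "members": ["bwhite", "jdoe"],
     "membership_changed": "2022-06-25", "password_changed": "2022-01-15"},
]


def _to_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_accounts(accounts: List[Dict], today: date) -> List[Dict[str, str]]:
    """Return one finding per policy violation among enabled accounts."""
    findings: List[Dict[str, str]] = []
    separated_users = {a["name"] for a in accounts if a.get("separated")}

    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to review
        name = acct["name"]

        # PS-4: a separated user must not retain an enabled account.
        if acct.get("separated"):
            findings.append({"account": name, "issue": "separated user still enabled (PS-4)"})

        # Periodic review: inactive accounts should have been auto-disabled.
        last = _to_date(acct.get("last_login"))
        if last is None or (today - last).days > INACTIVITY_LIMIT_DAYS:
            findings.append({"account": name,
                             "issue": f"no login in {INACTIVITY_LIMIT_DAYS} days; disable"})

        if acct["kind"] == "shared":
            # Shared accounts need a documented business justification.
            if not acct.get("justification"):
                findings.append({"account": name,
                                 "issue": "shared account without business justification"})
            # Membership reasonableness: separated users must not remain members.
            stale = sorted(separated_users.intersection(acct.get("members", [])))
            if stale:
                findings.append({"account": name,
                                 "issue": f"membership includes separated users: {stale}"})
            # Password rotation: any membership change must be followed by a reset.
            if _to_date(acct["membership_changed"]) > _to_date(acct["password_changed"]):
                findings.append({"account": name,
                                 "issue": "password not rotated since membership changed"})
    return findings


def run_review() -> List[Dict[str, str]]:
    """Run the review against the constructed export on the fixed review date."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(f"{finding['account']:16} {finding['issue']}")
```

The same logic applies to a real directory export once the field names are mapped; the point is that the shared-account checks (justification, membership against the separation list, and membership-change versus password-change dates) are data the review must collect, not just the last-login timestamp.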

Coordinate with system owners and ISSOs to identify and remediate inconsistencies in contingency plan testing requirements between the CFM and the NARA IT Security Methodology for Contingency Planning to ensure requirements are more clearly defined and...

In coordination with system owners and ISSOs, identify and remediate inconsistencies in contingency plan testing requirements between the CFM and the NARA IT Security Methodology for Contingency Planning, to ensure requirements are more clearly defined...