
Copy of SSP Controls Questionnaires_Master 7-2 (2)


System and Communications Protection (SC)

CMS Control Description | Questions | Contact for Info. | Responses / Comments

Control: The organization prohibits the use of Voice over Internet Protocol (VoIP) technologies, unless explicitly authorized, in writing, by the CIO or his/her designated representative. If authorized, the organization:
a. Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
Questions:
1. Does the organization use any type of VoIP service?
2. What restrictions are in place for use of the VoIP service?
3. Is there an authorization procedure for allowing use of the VoIP service?
4. Does the security team monitor use of the VoIP service?
Contact for Info.: DoIT - Security
Responses / Comments: No information yet

Control: Controls shall be implemented to protect ACA sensitive information (such as PHI, PII or Privacy Act protected information) that is sent via email.
Implementation Standard(s):
1. Prior to sending an email, place all ACA sensitive information in an encrypted attachment.
Questions:
1. What are the guidelines for encrypting ACA sensitive information (e.g. PII, PHI, etc.)?
2. Are all attachments sent via email encrypted if they contain sensitive information?
3. Is there an automated mechanism that encrypts the attachments?
Contact for Info.: DoIT - Security
Responses / Comments: No information yet

Control: 1. The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
Questions:
1. Are any data origin and integrity artifacts provided with the DNS service? For example, does the information system use digital signatures to provide origin authentication? Are DNS resource records used as authoritative data?
Contact for Info.: GSS
Responses / Comments: No information yet

Control: 2. The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
Questions:
Does the organization make use of delegation signer (DS) resource records in the DNS in order to provide an indication of the security status of child subspaces?
Contact for Info.: GSS
Responses / Comments: No information yet

Control: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Questions:
1. How many DNS servers support New HEIGHTS, NH EASY and the Mainframe?
2. How are the DNS servers configured? Do they have a backup in case the primary server fails?
3. Could you describe the high-level architecture of these DNS server(s)? For example: network subnets, geographical areas, internal/external roles, and whether the clients that can access the DNS server are restricted by the organization.
Contact for Info.: GSS
Responses / Comments: No information yet

Control: 2. (PII) When sending or receiving faxes containing PII:
(i) fax machines must be located in a locked room with a trusted staff member having custodial coverage over outgoing and incoming transmissions, or fax machines must be located in a secured area;
(ii) accurate broadcast lists and other preset numbers of frequent fax recipients must be maintained; and
(iii) a cover sheet must be used that explicitly provides guidance to the recipient that includes: a notification of the sensitivity of the data and the need for protection, and a notice to unintended recipients to telephone the sender (collect if necessary) to report the disclosure and confirm destruction of the information.
Questions:
Are the guidelines provided by the control followed?
Contact for Info.: Milenda Cox
Responses / Comments: No information yet

Control: 1. The information system denies access to all proxies except for those hosts, ports and services that are explicitly required.
Questions:
1. Are the ports, hosts and services restricted on the mainframe?
2. Is there a list of allowed ports/hosts/services which can access the mainframe?
3. The document "Ports-services-authorized-list.pdf" is blank, as access to it is restricted by DoIT. Will this document potentially cover this control requirement?
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: SC-7(3) – The organization limits the number of access points to the information system (e.g., prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Questions:
1. Is there any measure implemented, such as the Trusted Internet Connection (TIC), to limit the number of access points?
- All agencies should maintain up-to-date inventories of their external connections, including service provider, cost, location, capacity, and traffic volumes throughout the TIC Initiative.
- Plan to reduce the number of access points
- Steps taken to reduce them
2. What are the various access points to the organization?
3. Are there any other measures to restrict the number of access points?
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: SC-7(4) – Enhancement (Moderate): The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy within every three hundred sixty-five (365) days; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
Questions:
1. Is a traffic flow policy defined?
2. Are there traffic flow charts/diagrams/configurations?
3. Are traffic flow exceptions defined, recorded, reviewed, and revoked at a predetermined timeframe?
4. On which devices is the traffic flow policy implemented?
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: 5. The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
Questions:
1. What are the policies and configurations for the routers, switches, firewalls, etc.?
2. Do they follow a deny-all policy?
3. Is there a list of ports/devices allowed access to the network? (TIE TO PREVIOUS QUESTION)
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: 7. In the event of an operational failure of the boundary protection mechanism, the information system prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the boundary.
Questions:
1. Are there any mechanisms implemented in the network that would stop the flow of information in case critical border protection mechanisms fail? For example, if the firewall at the outer perimeter of the DMZ fails, does the system stop accepting new external connections?
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: 8. The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
Questions:
1. What type of remote connection is provided?
2. How are remote systems stopped from making connections outside of the established pathway? As an example, is split tunneling prevented when VPN connections are implemented?
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: The organization prohibits running collaborative computing mechanisms, unless explicitly authorized, in writing, by the CIO or his/her designated representative. If authorized, the authorization shall specifically identify allowed mechanisms, allowed purpose, and the information system upon which the mechanisms can be used. The information system:
a. Prohibits remote activation of collaborative computing devices; and
b. Provides an explicit indication of use to users physically present at the devices.
SC-15(1) – Enhancement: If collaborative computing is authorized, the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
Questions:
Are collaborative computing mechanisms allowed? Collaborative mechanisms include networked white boards, cameras, and microphones. Need to validate this control from interviews.
Contact for Info.: DoIT - NetOps
Responses / Comments: No information yet

Control: The information system protects against or limits the effects of the following types of denial of service attacks defined on the following sites or in the following documents:
- SANS Organization www.sans.org/dosstep;
- SANS Organization's Roadmap to Defeating DDoS www.sans.org/dosstep/roadmap.php; and
- NIST CVE List http://checklists.nist.gov/home.cfm.
Questions:
1. Are there any mechanisms implemented to avoid DoS attacks (e.g. firewalls, routers, blackholing, etc.)?
2. What is the maximum number of concurrent sessions that NH Easy can handle?
3. What are the countermeasures for avoiding DoS attacks on the Mainframe? Could it be possible to attack the Mainframe (say, via the web server residing on it)?
Contact for Info.: DoIT - WebOps
Responses / Comments: No information yet

Control: 2. The information system utilizes stateful inspection/application firewall hardware and software.
Questions:
1. The APD document describes that the DoIT group will be implementing firewalls for the NH Easy application. However, what type of firewalls would be used is not defined.
2. Does the organization currently utilize stateful inspection or application firewalls at the applications/systems in scope?
Contact for Info.: DoIT - WebOps
Responses / Comments: No information yet

Control: 3. The information system utilizes firewalls from at least two (2) different vendors at the various levels within the network to reduce the possibility of compromising the entire network.
Questions:
1. What firewalls are currently implemented? Cisco, Juniper, etc.
2. Are they at separate levels within the network? Maybe one before the DMZ and another after the DMZ.
3. The APD document describes that the DoIT group will be implementing firewalls for the NH Easy application. However, what type of firewalls would be used is not defined.
Contact for Info.: DoIT - WebOps
Responses / Comments: No information yet

Control: 6. Publicly accessible (i.e. public web server) information system components are physically allocated to separate sub-networks with separate physical network interfaces (i.e., DMZ).
Questions:
1. The APD document says that "the proxy server in the DMZ will provide the security for the online NH EASY application".
2. However, per the prior assessment no DMZ has been created.
- What is the current status of development of a DMZ?
- Are there any other mechanisms to separate publicly accessible information systems?
Contact for Info.: DoIT - WebOps
Responses / Comments: No information yet

System and Services Acquisition (SA)

CMS Control Description | Questions | Contact for Info. | Responses / Comments

Control: The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Questions:
a. Do the contracts/agreements for acquisition of software/services have security requirements in them? Are the items below provided in the agreements:
i. Security functional requirements/specifications;
ii. Security-related documentation requirements; and
iii. Developmental and evaluation-related assurance requirements.
Contact for Info.: TSG
Responses / Comments: Information received

Control: The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
Questions:
a. Do the vendors/contractors provide details of the security controls to be implemented within the information system?
Contact for Info.: TSG
Responses / Comments: No information yet

Control: The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
Questions:
b. Are information system components mapped and explicitly assigned to an information system? E.g. memory devices assigned to the mainframe.
Contact for Info.: TSG
Responses / Comments: Information received

Control: The organization maintains an updated list of related system operations and security documentation.
Questions:
a. Do you have system operations and security documentation developed for the Mainframe? E.g. FRDs, TRDs, flowcharts, configuration settings, other functional/technical documents, etc.
Contact for Info.: TSG
Responses / Comments: Information received

Control: The organization updates documentation upon changes in system functions and processes. Must include date and version number on all formal system documentation.
Questions:
b. Are system changes / upgrades reflected in the system documentation?
c. Are updates to such documentation tracked with versioning?
Contact for Info.: TSG
Responses / Comments: Information received

Control: The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services.
Questions:
a. How are security requirements communicated to the external providers?
b. Are the vendors required to follow the State's security policies or, at the least, match the security requirements?
c. Are government oversight requirements clearly defined and communicated to the external provider?
d. Are user roles and responsibilities documented and communicated to the external provider?
Contact for Info.: TSG
Responses / Comments: No information yet

Control: The organization monitors security control compliance by external service providers.
Questions:
c. How is the vendor's security posture monitored, and how is it verified that they are actually applying the controls?
Contact for Info.: TSG
Responses / Comments: No information yet

Control: The organization prohibits service providers from outsourcing any system function outside the U.S. or its territories.
Questions:
d. Is there any explicit prohibition on outsourcing functions/data outside of the U.S.?
Contact for Info.: TSG
Responses / Comments: No information yet

Control: The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Questions:
a. Are software and associated documentation used in accordance with contract agreements and copyright laws?
b. Are there any tracking systems to ensure that software and associated documentation protected by quantity licenses are not copied and distributed?
Contact for Info.: TSG / Desktop Admins Group
Responses / Comments: Information received

Control: 1. The organization prohibits users from downloading or installing software, unless explicitly authorized, in writing, by the CIO or his/her designated representative. If authorized, explicit rules govern the installation of software by users.
2. If user-installed software is authorized, ensure that business rules and technical controls enforce the documented authorizations and prohibitions.
Questions:
c. Can users install any software on their own, for example from the internet or via a CD drive? Is there any exception to this rule?
Contact for Info.: TSG / Desktop Admins Group
Responses / Comments: Information received

Identification and Authentication (IA)

CMS Control Description | Questions | Contact for Info. | Responses / Comments

Control: The information system uniquely identifies and authenticates organizational users.
Questions:
Does the help desk require user identification for any transaction that has information security implications?
Contact for Info.: DoIT - NetOps

Control: The organization manages information system authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing password authenticators as defined in IA-5(1);
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
Questions:
Is there any documentation for Authenticator Management? Is there any automated process for Authenticator Management?
Contact for Info.: TSG

Control: The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Questions:
Is there any documentation for the cryptographic module?
Contact for Info.: TSG

Control: The information system uniquely identifies and authenticates non-organizational users.
Questions:
What is the procedure by which the information system uniquely identifies and authenticates non-organizational users?
Contact for Info.: TSG

Control: The information system uniquely identifies and authenticates organizational users.
Questions:
Are processes uniquely identified in the system? How are processes identified uniquely?

Control: Password Management
Questions:
- Need information on how the initial password is distributed to the user.
- What is the password policy for New Heights?
- Does the organization encrypt passwords in storage and in transmission?

Contingency Planning (CP)

CMS Control Description | Questions | Contact for Info. | Responses / Comments

Control: CP-8 – Telecommunications Services
Questions:
Do alternate telecommunications services, including the necessary agreements, exist to permit the resumption of information system operations for essential missions and business functions within the resumption time period?
Contact for Info.: DoIT - NetOps / GSS

Incident Response (IR)

CMS Control Description | Questions | Contact for Info. | Responses / Comments

Control: IR-2 Incident Response Training
Questions:
- Does the organization train personnel in their incident response roles and responsibilities with respect to the New Heights information system, i.e. training users to identify and report suspicious activities from both external and internal sources?
- Which team is responsible for training the users?
- How often do they train the users?
- Is there a training document?
- What kind of training is provided? Is it simulation-based training or classroom training?
Contact for Info.: TSG

Questions:
For how long are closed incident cases kept in the system?

CMS Control Description

Develops and keeps current a list of personnel with authorized access to the facility

where the information system resides?

Reviews and approves the access list and authorization credentials every 180 days

and also removing from the access list personnel no longer requiring access.

Create a restricted area, security room, or locked room to control access to areas

containing PII.

Enforces physical access authorizations for all physical access points (including

designated entry/exit points) to the facility where the information system resides?

Inventories physical access devices within every three hundred sixty-five (365)

days

The organization controls physical access to information system distribution and

transmission lines within organizational facilities.

The organization controls physical access to information system output devices to

prevent unauthorized individuals from obtaining the output.

Monitors physical access to the information system to detect and respond to

physical security incidents

The organization controls physical access to the information system by

authenticating visitors before authorizing access to the facility where the

information system resides other than areas designated as publicly accessible.

The organization controls physical access to the information system by

authenticating visitors before authorizing access to the facility where the

information system resides

Physical and Environmental (PE)

The organization protects power equipment and power cabling for the information

system from damage and destruction

Organization provide the capability of shutting off power to the information system

or individual system components in emergency situations?

The organization provides a short-term uninterruptible power supply to facilitate an

orderly shutdown of the information system in the event of a primary power source

loss

The organization employs and maintains fire suppression and detection

devices/systems for the information system that are supported by an independent

energy source.

The org maintains temperature and humidity levels within the facility where the

information system resides within acceptable vendor-recommended levels

The organization protects the information system from damage resulting from

water leakage by providing master shutoff valves that are accessible, working

properly, and known to key personnel

The organization authorizes, monitors, and controls the flow of information system-

related components entering and exiting the facility and maintains records of those

items.

The org employs appropriate security controls at alternate work sites to include, but

not limited to, laptop cable locks, recording serial numbers and other identification

information about laptops, and disconnecting modems

The organization positions information system components within the facility to

minimize potential damage from physical and environmental hazards and to

minimize the opportunity for unauthorized access

The organization protects the information system from information leakage due to

electromagnetic signals emanations.

QuestionsContact for

Info.

- Is there a list of personnel with authorized access to the facility?

- What is the process for accessing the area containing PII?

- Is there a written documentation?

- How many level of barriers to access PII information?

- Is the access monitored?

- How is the facility protected? (guards / keys / biometrics /smart card/PIN

combination)

- Who maintains the keys / access devices?

- Does the org changes combinations and keys when keys are lost or

comprimised?

- Does the org change combination or take back the keys for terminated /

tranferred / retired employees?

- Is the access monitored?

- Does the org have an maintain an inventory for physical access devices?

- Is there a process to review the inventory every 365 days?

- Are Protective measures taken to control physical access to information

system distribution and transmission lines include:such as locked wiring

closets; disconnected or locked spare jacks?

- Are physical access logs reviewed?

- How often are the logs reviewed?

- Is there a real-time surveillance equipment?

- Does the organization escorts visitors and monitors visitor activity?

- Does the The organization requires two forms of identification for visitor

access to the facility?

- Does the org Maintains visitor access records?

- Does the org Review visitor access records monthly?

Physical and Environmental (PE)

- Does the organization employs redundant and parallel power cabling

paths?

- Does the organization employs automatic voltage controls to the

equipments?

- Does the org permit only authorized maintenance personnel to access

infrastructure assets, including power generators, HVAC systems, cabling,

and wiring closets?

- Who are the authorized personnel?

- Is the emergency shutoff automatic?

- Where are the emergency shutoff switches or devices placed?

- Does the org protect emergency power shutoff capability from unauthorized

activation?

- Is the uninterruptible power supply manual or automatic?

- Is there automatic emergency lighting?

- Do the fire detection devices/systems activate automatically?

- Is there an automatic notification sent to the organization and emergency

responders in case of fire?

- Does the organization ensure that the facility undergoes fire marshal inspections and promptly resolves identified deficiencies?

- Does the org maintain temperature and humidity levels within the facility?

- Are there automatic temperature and humidity controls in the facility to prevent fluctuations?

- Is there an alarm that signals temperature and humidity fluctuations?

- Is there an automatic notification sent in case of fluctuation in temperature

and humidity?

- Does the organization employ the mechanism of protecting the information

system from water damage without manual intervention?

How does the org effectively authorize the entry and exit of information system components from the facility?

Have different sets of security controls been defined for specific alternate work sites or types of sites? Need an example.

Does the organization consider the location or site of the facility with regard to

physical and environmental hazards? Or Consider the location of physical

entry points where unauthorized individuals, while not being granted access,

might nonetheless be in close proximity to the information system?

Responses / Comments


CMS Control Description

a. Develops a security assessment plan that describes the scope of the

assessment including:

- Security controls and control enhancements under assessment;

- Assessment procedures to be used to determine security control effectiveness;

and

- Assessment environment, assessment team, and assessment roles and

responsibilities;

b. Assesses the security controls in the information system within every three

hundred sixty-five (365) days in accordance with the Information Security (IS)

Acceptable Risk Safeguards (ARS) Including Minimum Security Requirements

(CMSR) Standard, to determine the extent to which the controls are implemented

correctly, operating as intended, and producing the desired outcome with respect

to meeting the security requirements for the system;

c. Produces a security assessment report that documents the results of the

assessment; and

d. Provides the results of the security control assessment within every three

hundred sixty-five (365) days, in writing, to the Business Owner who is responsible

for reviewing the assessment documentation and updating system security

documentation where necessary to reflect any changes to the system.

For FTI: The agency shall conduct, periodically, but at least annually, an

assessment of the security controls in the systems that receive, store, process or

transmit FTI. (Pub 1075, Ref. 9.4)

Implementation Standard(s)

1. A security assessment of all security controls must be conducted prior to issuing

the initial authority to operate for all newly implemented systems.

2. The annual security assessment requirement mandated by OMB requires all

CMSRs attributable to a system or application to be assessed over a 3-year period.

To meet this requirement, a subset of the CMSRs shall be tested each year so that

all security controls are tested during a 3-year period.

3. The Business Owner notifies the CISO within thirty (30) days whenever updates are made to system security authorization artifacts or significant role changes occur.

Security Assessment and Authorization (CA)

a. Develops and submits a Plan of Action and Milestones (POA&M) for the

information system within thirty (30) days of the final results for every

internal/external audit/review or test (e.g., ST&E, penetration test) to document the

organization's planned remedial actions to correct weaknesses or deficiencies

noted during the assessment of the security controls and to reduce or eliminate

known vulnerabilities in the system; and

b. Updates and submits existing POA&M monthly until all the findings are resolved

based on the findings from security controls assessments, security impact

analyses, and continuous monitoring activities.

Implementation Standards

For FTI: The agency must submit an updated Corrective Action Plan (CAP) twice

each year to address corrective actions identified during an on-site safeguards

review until all findings are closed. The CAP is submitted as an attachment to the

SAR, and on the CAP due date, which is six months from the scheduled SAR due date. (Pub 1075, Ref. 7.5)

a. Authorizes connections from the information system to other information

systems outside of the authorization boundary through the use of

Interconnection Security Agreements;

b. Documents, for each connection, the interface characteristics, security

requirements, and the nature of the information communicated; and

c. Monitors the information system connections on an ongoing basis

verifying enforcement of security requirements.

Implementation Standard(s)

1. Record each system interconnection in the System Security Plan (SSP)

and Information Security (IS) Risk Assessment (RA) for the CMS system

that is connected to the remote location.

The organization updates the security authorization:

- At least every three (3) years;

- When substantial changes are made to the system;

- When changes in requirements result in the need to process data of a

higher sensitivity;

- When changes occur to authorizing legislation or federal requirements;

- After the occurrence of a serious security violation which raises questions

about the validity of an earlier security authorization; and

- Prior to expiration of a previous security authorization.

Questions

Contact for Info.

Is there any comprehensive documentation around System Security Plan for

the New HEIGHTS?

Is there any comprehensive documentation for the security risk assessment performed on the New HEIGHTS systems?

DoIT - Security


Does a Plan of Action and Milestones exist for the New HEIGHTS systems?

DoIT - Security

A. Is there any formal agreement between State of NH DHHS and outside

entities?

B. Is there any documentation of Interface characteristics, security

requirements, and the nature of the information communicated to the New

HEIGHTS mainframe?

C. What is the process of monitoring the system connection on an ongoing

basis verifying enforcement of security requirement?

D. Is there any documentation of a system security plan (SSP) or Information Security Risk Assessment (ISRA)?

DoIT - Security

How does the organization update the security authorization for the following?

- At least every three (3) years;

- When substantial changes are made to the system;

- When changes in requirements result in the need to process data of a

higher sensitivity;

- When changes occur to authorizing legislation or federal requirements;

- After the occurrence of a serious security violation which raises questions

about the validity of an earlier security authorization; and

- Prior to expiration of a previous security authorization.

DoIT - Security

Responses/Comments


CMS Control Description

Questions

Contact for Info.

Responses / Comments

Establishes usage restrictions and implementation guidance for each allowed

remote access method;

What specific configurations/implementation guidance are provided for each type of RA method (SSL/IPSec/Citrix)?

TSG

Monitors for unauthorized remote access to the information system

1. Does the security team monitor remote access, especially unauthorized use of it?

2. What are the tools that are used to monitor the access?

3. Are logs reviewed to identify such access?

4. How frequently is this activity performed?

5. Who is responsible for conducting this review?

TSG

The organization enforces the selected requirements for remote connections to

the information system.

How does the organization enforce the requirements on remote

connections?

How is access granted? Is there a set process?

How is access monitored?

TSG

1. The organization employs automated mechanisms to facilitate the monitoring

and control of remote access methods.

2. The organization monitors for unauthorized remote connections to the

information system at least quarterly, and takes appropriate action if an

unauthorized connection is discovered.

1. What automated mechanisms are in place?

2. Are detailed logs generated for all remote users?

3. Are unauthorized remote connections monitored? At what frequency?

4. Is there a responsible team/person assigned to monitor?

5. How are unauthorized connections blocked/prevented/revoked?

TSG

The organization uses cryptography to protect the confidentiality and integrity of

remote access sessions.

1. Could you describe the VPN installed?

2. What type of VPN is in place?

3. What are the encryption levels?

4. What advanced protocols are used? E.g. SSH tunnel, Blocking mode ON

5. How is Citrix secured? Is there two-factor authentication (TFA) using physical tokens?

TSG

The information system routes all remote accesses through a limited number of

managed access control points.

Are there port restrictions for using VPN?

Are the entry/access points monitored and restricted?

Is there a list of allowed access points?

TSG

The organization:

a. Designates individuals authorized to post information onto an information

system that is publicly accessible;

b. Trains authorized individuals to ensure that publicly accessible information

does not contain nonpublic information;

c. Reviews the proposed content of publicly accessible information for nonpublic

information prior to posting onto the information system;

d. Reviews the content on the publicly accessible information system for

nonpublic information monthly; and

e. Removes nonpublic information from the publicly accessible information

system, if discovered.

1. Have you identified the individuals who are allowed to post information

on public systems? e.g. on NH Easy

2. Is there any training program provided for ensuring that public systems

would not have any non-public information?

3. Is there a process to review the content that is posted on the public

systems? So that you can be sure no restricted/confidential/private

information is uploaded on it.

4. Is there a monthly review of public systems, in order to ensure no

restricted/confidential/private information is posted on it?

5. Have there been cases where you have removed the nonpublic

information from public systems?

TSG

Inspects administrator groups, root accounts and other system related accounts

on demand, but at least once every fourteen (14) days to ensure that

unauthorized accounts have not been created.

Yes. Currently there's a report that also includes public-facing accounts. There is a policy being put in place to review the admins (Privileged Account & Access Review policy).

1. Does the daily report also include modifications?

Transactions come from Pam, and there's a report sent back to Pam; there are no modify transactions. If there are transactions that fail, TSG reviews and follows up individually. Case workers & DC.

Second report for TSG (refer above) includes modifications.

The information system automatically terminates emergency accounts within

twenty-four (24) hours and temporary accounts with a fixed duration not to

exceed three hundred sixty-five (365) days.

Ad-hoc and customary process to disable emergency and temp accounts. Manual, not automatic. There is a review at least once a year.
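The two controls above (a privileged-group inspection at least every fourteen days, and automatic expiry of emergency accounts after 24 hours and temporary accounts after their fixed duration) are the kind of check that is easy to script even when the org's process is still manual. The following is an added example written for this page, not a tool or script from the organization or from CMS; the `getent group` snapshot, the authorized baseline, and the account records are constructed and hypothetical, and the time limits come straight from the control text.

```python
"""Privileged-group review and temporary/emergency account expiry check.

Added example (not from the questionnaire). Input is a constructed snapshot in
the style of `getent group` on Linux; the authorized baseline and the account
records are hypothetical stand-ins for the org's approved lists.
"""
from datetime import datetime, timedelta

# Constructed sample: one `getent group` line per privileged group.
GROUP_SNAPSHOT = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup,tmp-vendor7
wheel:x:10:alice
adm:x:4:syslog,bob,emerg-oncall
"""

# Hypothetical authorized baseline (assumption): group -> members approved in writing.
AUTHORIZED = {
    "root": set(),
    "sudo": {"alice", "bob", "svc-backup"},
    "wheel": {"alice"},
    "adm": {"syslog", "bob"},
}

# Hypothetical account records (assumption): kind and creation time as recorded
# by the provisioning process; fixed_days is the approved duration of a temp account.
ACCOUNTS = [
    {"name": "tmp-vendor7", "kind": "temporary", "created": "2024-01-02T09:00:00Z", "fixed_days": 30},
    {"name": "emerg-oncall", "kind": "emergency", "created": "2024-03-01T22:15:00Z"},
    {"name": "tmp-auditor", "kind": "temporary", "created": "2024-02-20T12:00:00Z", "fixed_days": 90},
]

EMERGENCY_MAX = timedelta(hours=24)       # control text: 24 hours
TEMPORARY_CEILING = timedelta(days=365)   # control text: not to exceed 365 days


def utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_groups(snapshot):
    """Parse `getent group` lines into {group: set(members)}."""
    groups = {}
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_unauthorized(snapshot, authorized):
    """Return {group: sorted members present but absent from the authorized baseline}."""
    findings = {}
    for group, members in parse_groups(snapshot).items():
        extra = members - authorized.get(group, set())
        if extra:
            findings[group] = sorted(extra)
    return findings


def expired_accounts(accounts, now):
    """Return names of emergency/temporary accounts that should already be disabled."""
    expired = []
    for acct in accounts:
        if acct["kind"] == "emergency":
            limit = EMERGENCY_MAX
        elif acct["kind"] == "temporary":
            limit = min(timedelta(days=acct["fixed_days"]), TEMPORARY_CEILING)
        else:
            continue
        if now - utc(acct["created"]) > limit:
            expired.append(acct["name"])
    return sorted(expired)


if __name__ == "__main__":
    now = utc("2024-03-05T00:00:00Z")
    print("unauthorized:", find_unauthorized(GROUP_SNAPSHOT, AUTHORIZED))
    print("expired:", expired_accounts(ACCOUNTS, now))
```

Run on a real host, the snapshot would come from `getent group sudo wheel adm root` (or the equivalent local-group query on Windows) and the baseline from the written authorization list; anything the script reports is either an unauthorized account or a gap in the paperwork, and both belong in the 14-day review record.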

Disable all file system access not explicitly required for system, application, and administrator functionality.

On-going process. Refer to SoD.

The organization explicitly authorizes access to privileged functions (e.g., system-

level software, administrator tools, scripts, utilities) deployed in hardware,

software, and firmware; and security relevant information is restricted to

explicitly authorized individuals.

No document; ad-hoc email-based communication to authorize access to privileged functions. No policy. Follow up for a list.

SC

CMS Control Description

Questions

Contact for Info.

Responses / Comments


SI-2 What is the test environment for OS/Database upgrades? TSG

SI-2(2) Is there any Vulnerability scan performed on New HEIGHTS/NH

Easy/Mainframe/DB

Reddy

DoIT

SI-3 Malicious code protection on servers, entry points like routers etc. DoIT

SI-3 What is the scope of McAfee GroupShield? Is it the only McAfee product deployed?

DoIT

SI-8 Is the spam protection module enabled on GroupShield?

SI-3 How are False Positives handled? DoIT

Are the McAfee products centrally managed?

SI-3

Is the malicious code protection tool configured to run scans during system

boot? What is the frequency of scanning configured? Is it at least once a

day?

DoIT

SI-3(2) Is the malicious code protection tool updated automatically? DoIT

SI-3(3) Is there protection to prevent users from circumventing the malicious code protection capabilities? Can they disable the AV tool to install something?

DoIT

SI-4 Are there any IDS devices? DoIT

SI-4 Are the IDS devices interconnected in any way? DoIT

SI-4(4) Are the inbound/outbound connections monitored? Are the Cisco devices allowing connections to the mainframe and DB regularly monitored?

ERS

DoIT

TSG

SI-4(5) Are we considering vulnerability scanning for the New HEIGHTS and NH Easy apps?

ERS

Are there any vulnerability scans performed on the network devices? DoIT NetOps

SI-4(6) Can users circumvent IDS policies? DoIT NetOps

- Does NetOps employ any malicious code protection mechanism at entry points to detect malicious code?

  - Is there a documented policy/process to update the malicious code protection?

  - Is malicious code blocked and quarantined, and is an alert sent to the administrator in response?

  - Are non-privileged users prohibited from circumventing malicious code protection capabilities?

  - Is the desktop malicious code scanning software configured to perform critical system file scans?

- Are IDS devices installed at network perimeter points and host-based IDS sensors on critical servers?

- Are the individual intrusion detection tools interconnected into a system-wide intrusion detection system using common protocols?

Does NetOps receive security alerts, advisories and directives from designated external organizations on an ongoing basis?

Does NetOps generate internal alerts based on security alerts/advisories?

Have key personnel been identified that need to be notified about security

alerts/advisories? Are they notified?

SI-5 Does DoIT receive any security alerts or advisories from US-CERT or vendors?

Are there any internal alerts, advisories or directives generated and

distributed throughout the organization?

Is there a time frame that is followed to address/notify system owners/users about non-compliance?

SI-12

Does the organization handle and retain both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements?

Melinda Cox

SI

CMS Control Description

Questions

Contact for Info.

Responses / Comments

Do the configurations follow any guidelines provided by other organizations?

Reddy

Is there a document that lists mandatory configuration settings?

- Are exceptions monitored/documented?

Reddy

What is the scope of the Advanced Tracking system?

- Does it have the baseline config for NH Easy & New HEIGHTS?

- Does it list hardware config needed?

Reddy

Does the CA SCM tool have any list of software authorized to execute on the information system? (white list vs. black list?)

Reddy

Does the PPR document also act as a change request form, or is there a separate document? (For hw and sw changes)

Reddy

Are the changes to the information system evaluated for potential security risks?

Reddy

Is there an inventory of information system components that Reddy

Is there a baseline config document for NH Easy and/or New HEIGHTS?

- Is it updated if new hardware is put in?

Reddy

TSG

DoIT

There is a baseline config. There is a spreadsheet that lists non-default values for WebSphere. There is no separate set of documents where config is managed explicitly. There is a document for current state and to-be state. There are hw changes that happen frequently. Config management of sw is done through a separate process, but there is no standalone process.

Does the group performing sw/hw tests look for security flaws?

TSG

DoIT

Nothing specific done for security, unless IBM sends an alert.

Is there a document that lists mandatory configuration settings?

- Are exceptions monitored/documented?

TSG

DoIT

IBM implementation document, informs changes from

previous version.

Is there a “least functionality” config that restricts and disables use of

services/ports/network protocols to ensure only essential capabilities are

provided?

DoIT

Is a list of specifically needed system services, ports, and network protocols maintained and documented?

DoIT

Is there a list of software programs authorized (white list) or unauthorized (black list) to execute on the information system?

DoIT

TSG
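The "least functionality" questions above only have a defensible answer if someone periodically compares what is actually listening on a host with the documented list of needed services, ports, and protocols. The following is an added example written for this page, not a script from the organization or from CMS: the socket listing is constructed in the style of `ss -Hltnup` output, and the allowlist is a hypothetical stand-in for the org's own documented list.

```python
"""Least-functionality check: listening sockets vs. a documented allowlist.

Added example (not from the questionnaire). SS_OUTPUT is a constructed sample
in the style of `ss -Hltnup`; ALLOWLIST is a hypothetical documented service list.
"""
import re

# Constructed sample: `ss -Hltnup` (no header; TCP and UDP listeners with process info).
SS_OUTPUT = """\
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:* users:(("httpd",pid=1203,fd=4))
tcp   LISTEN 0 128  127.0.0.1:9090  0.0.0.0:* users:(("java",pid=1330,fd=19))
tcp   LISTEN 0 50   0.0.0.0:23      0.0.0.0:* users:(("inetd",pid=640,fd=5))
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:* users:(("snmpd",pid=700,fd=7))
udp   UNCONN 0 0    127.0.0.1:323   0.0.0.0:* users:(("chronyd",pid=590,fd=5))
"""

# Assumption: the documented essential services, keyed by (protocol, port),
# with the process expected to own the socket.
ALLOWLIST = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "httpd",
    ("udp", 323): "chronyd",
}

# One `ss` row: proto, state, recv-q, send-q, local addr:port, peer, users:(("proc",...
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"users:\(\(\"(?P<proc>[^\"]+)\""
)


def parse_listeners(text):
    """Parse `ss` rows into dicts; rows that do not match are ignored."""
    out = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            out.append({"proto": m["proto"], "addr": m["addr"],
                        "port": int(m["port"]), "proc": m["proc"]})
    return out


def audit_listeners(text, allowlist=ALLOWLIST):
    """Return listeners that are undocumented or owned by an unexpected process.

    Loopback-only sockets are still reported (they are not on the documented
    list) but marked exposed=False so the reviewer can prioritize.
    """
    findings = []
    for sock in parse_listeners(text):
        expected = allowlist.get((sock["proto"], sock["port"]))
        exposed = not sock["addr"].startswith("127.")
        if expected is None:
            findings.append({**sock, "issue": "undocumented service", "exposed": exposed})
        elif expected != sock["proc"]:
            findings.append({**sock, "issue": f"expected {expected}", "exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT):
        print(f"{f['proto']}/{f['port']:<5} {f['proc']:<8} exposed={f['exposed']}  {f['issue']}")
```

On the constructed sample the check flags telnet (tcp/23) and SNMP (udp/161) as undocumented and exposed, and the loopback-only tcp/9090 listener as undocumented but not exposed; a documented port bound by a different process than expected is reported separately, since that is the pattern a replaced binary or an unauthorized service on a familiar port would show.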

Is there any web content filtering?

DoIT

Is there any security analysis performed? Are configuration-controlled

changes to the system allowed with explicit consideration for security

impact analyses? Are these documented and retained? Is there a policy, if

not, as a customary process how long are they retained?

Reddy

DoIT

TSG

Are updates to the system tested in a separate environment? What's the environment called? How long are these tests conducted? Are the test results retained? What is the process to fix flaws?

DoIT

Is the detection of unauthorized, security-relevant configuration changes incorporated into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes?

DoIT

Is there an asset (hw/sw) inventory list with current specs?

DoIT

TSG

Is the inventory list accurately maintained? How often is it reviewed/updated? DoIT

Are the roles and responsibilities for the group documented? Is access to the New HEIGHTS system granted based on those roles?

DoIT

Configuration Management (CM)

CMS Control Description

Questions

Contact for Info.

Responses / Comments

AU-6

Are network traffic, bandwidth utilization rates, alert notifications, and border defense devices reviewed to determine anomalies on demand but no less than once within a twenty-four (24) hour period? Are alerts generated for technical personnel review and assessment?

DoIT

AU-6

Is there a process to investigate suspicious activity or suspected violations on the information system, report findings to appropriate officials, and take appropriate action?

DoIT

Networking

AU-6 Are automated utilities used to review audit records at least once every seven (7) days for unusual, unexpected, or suspicious behavior?

AU-2

Is logging enabled for perimeter devices, including firewalls and routers, covering:

(a) Packet screening denials originating from un-trusted networks,

(b) Packet screening denials originating from trusted networks,

(c) User account management,

(d) Modification of packet filters,

(e) Application errors,

(f) System shutdown and reboot,

(g) System errors, and

(h) Modification of proxy services.
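Items (a) and (b) above (packet-screening denials from un-trusted versus trusted networks) only pay off if the denial logs are actually reviewed within the 24-hour window that the AU-6 question sets. The following is an added example written for this page, not a tool from the organization or from CMS: it parses constructed firewall syslog lines in the netfilter/iptables style, labels each denial by the trust of its source network, and flags sources whose denial count crosses a threshold. The trusted address ranges, the `FW-DROP` log prefix, and the alert threshold are all assumptions for the example.

```python
"""Review of perimeter packet-screening denials (AU-2 a/b, AU-6 daily review).

Added example (not from the questionnaire). SAMPLE_LOG is constructed in the
netfilter/iptables syslog style; TRUSTED_NETS, the FW-DROP prefix and
ALERT_THRESHOLD are assumptions, not the organization's values.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the organization's trusted (internal) address space.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
# Assumption: denials from one source within the review window that warrant an alert.
ALERT_THRESHOLD = 3

# Constructed sample lines, one per denied packet, plus one unrelated line.
SAMPLE_LOG = """\
Mar  4 02:11:07 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44321 DPT=22
Mar  4 02:11:09 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44322 DPT=23
Mar  4 02:11:12 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44323 DPT=3389
Mar  4 02:11:15 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44324 DPT=445
Mar  4 03:40:00 fw1 kernel: FW-DROP IN=eth1 OUT= SRC=10.20.30.40 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=25
Mar  4 09:05:44 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=UDP SPT=53 DPT=53
Mar  4 09:06:01 fw1 kernel: this line is not a drop record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: FW-DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_denials(text):
    """Yield one dict per well-formed drop record; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"])
        yield rec


def origin(addr):
    """AU-2 (a)/(b): label a source as 'trusted' or 'untrusted' by network."""
    ip = ipaddress.ip_address(addr)
    return "trusted" if any(ip in net for net in TRUSTED_NETS) else "untrusted"


def summarize(text, threshold=ALERT_THRESHOLD):
    """Count denials per (origin, source) and list sources at or above the threshold."""
    counts = Counter()
    ports = {}
    for rec in parse_denials(text):
        key = (origin(rec["src"]), rec["src"])
        counts[key] += 1
        ports.setdefault(key, set()).add(rec["dpt"])
    alerts = [
        {"origin": o, "src": s, "denials": n, "ports": sorted(ports[(o, s)])}
        for (o, s), n in counts.items()
        if n >= threshold
    ]
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (o, s), n in sorted(result["counts"].items()):
        print(f"{o:<9} {s:<16} denials={n}")
    for a in result["alerts"]:
        print("ALERT:", a)
```

On the constructed sample, the single untrusted source probing 22, 23, 445 and 3389 crosses the threshold and would be raised for technical review; the one denial from a trusted (internal) address is recorded under item (b) but does not alert on its own. A real deployment would feed the previous 24 hours of firewall syslog into `summarize` and keep the output with the review record.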

Audit (AU)

CMS Control Description

Questions

Contact for Info.

Responses / Comments

PM-2

Is there a senior information security officer? What are the person's responsibilities? Is there a document that gives an overview of the person's responsibilities?

PM-3 Do the capital planning and investment requests include resources to implement an information security program? Are exceptions documented? Are the resources required documented in any business case/Exhibit 300/Exhibit 53?


PM-4

Does the org have a process to document and maintain plans of action and

milestones for the security program and the associated information

system?

Reddy

DoIT

TSG

PM-5 Is there an inventory of information systems? DoIT

PM-6 Are there any outcome-based metrics that can be used by the org to measure the efficiency/effectiveness of the infosec program?

ERS team

PM-7 ERS team


CMS Control Description

Questions

Contact for Info.

Responses / Comments

The organization:

a. Categorizes information and the information system in accordance with

applicable federal laws, Executive Orders, directives, policies, regulations,

standards, and guidance;

1. Has information classification been performed?

2. Are systems identified based upon the information they process,

transmit, or store?

Reddy

b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

1. If information classification is performed, is it further utilized to categorize information and systems into various security buckets? E.g. a PII storage HDD should be classified and protected at the highest level.

2. Are these results documented somewhere?

Reddy

c. Ensures the security categorization decision is reviewed and approved by

the authorizing official or authorizing official designated representative.

Based upon responses to above questions:

Is the categorization reviewed and approved by an authorized individual, e.g. the CIO?

Reddy

The organization:

a. Conducts an assessment of risk, including the likelihood and magnitude

of harm, from the unauthorized access, use, disclosure, disruption,

modification, or destruction of the information system and the information it

processes, stores, or transmits;

b. Documents risk assessment results in accordance with the Information

Security (IS) Risk Assessment (RA) Procedures;

c. Reviews risk assessment results within every three hundred sixty-five

(365) days; and

d. Updates the risk assessment within every three (3) years or whenever

there are significant changes to the information system or environment of

operation (including the identification of new threats and vulnerabilities), or

other conditions that may impact the security or authorization state of the

system.

1. When was the last risk assessment performed?

2. Is there any documentation for capturing the results?

3. What is the frequency at which the risk assessments are performed?

4. Who performs them?

5. Is the risk assessment performed as per the information security risk assessment procedures?

Reddy

Scans for vulnerabilities in the information system and hosted applications

within every ninety (90) days and when new vulnerabilities potentially

affecting the system/applications are identified and reported;

1. Are vulnerability scans performed?

2. How often are they performed?

Reddy

Employs vulnerability scanning tools and techniques that promote

interoperability among tools and automate parts of the vulnerability

management process by using standards for:

- Enumerating platforms, software flaws, and improper configurations;

- Formatting and making transparent, checklists and test procedures; and

- Measuring vulnerability impact;

1. What tools are employed to perform VM scanning?

2. Any other automation mechanisms in place to perform the VM scanning?

Reddy

Analyzes vulnerability scan reports and results from security control assessments;

1. Are the VM scanning reports analyzed by any particular group?

Reddy

Remediates legitimate vulnerabilities based on the Business Owner's risk

prioritization in accordance with an organizational assessment of risk; and

1. Is there a remediation plan?

2. Are there action items created for security teams to perform after a VM

scan is conducted?

3. Is there any prioritization activity for these scans?

Reddy

Shares information obtained from the vulnerability scanning process and

security control assessments with designated personnel throughout the

organization on a "need to know" basis to help eliminate similar

vulnerabilities in other information systems (i.e., systemic weaknesses or

deficiencies).

Are the reports shared across various departments (based on need to

know)?

Is there a common security portal (such as SharePoint)?

Reddy

Perform external network penetration testing and conduct enterprise

security posture review as needed but no less than once within every three

hundred sixty-five (365) days, in accordance with CMS IS procedures.

1. Is external network penetration testing performed?

2. If so, how often?

3. Are the results documented?

Reddy

The organization employs vulnerability scanning tools that include the

capability to readily update the list of information system vulnerabilities

scanned.

1. Are there any VM scanning tools employed?

2. Are they utilized frequently?

Reddy

Risk Assessment (RA)

CMS Control Description

Questions

Contact for Info.

Responses / Comments

The organization:

a. Schedules, performs, documents, and reviews records of maintenance

and repairs on information system components in accordance with

manufacturer or vendor specifications and/or organizational requirements;

Implementation Standard(s)

1. (For PII only) In facilities where PII is stored or accessed, document

repairs and modifications to the physical components of a facility which are

related to security (for example, hardware, walls, doors, and locks).

1. What is the process to schedule maintenance of a system component?

2. Who initiates the request for maintenance?

3. Who approves the request?

4. Who performs the maintenance? Is there any security personnel overseeing the maintenance activity?

5. Does a paper trail exist for the maintenance activities?

6. Is the vendor/manufacturer provided schedule followed? Is there a

tracking mechanism?

7. Is there a review procedure to document repairs to physical components, e.g. walls, doors, etc.?


Reddy

b. Controls all maintenance activities, whether performed on site or

remotely and whether the equipment is serviced on site or removed to

another location;

1. What are the controls implemented on maintenance activity? Approval chain, monitoring, review, etc.

Reddy

c. Requires that a designated official explicitly approve the removal of the

information system or system components from organizational facilities for

off-site maintenance or repairs;

1. Does an authorized individual approve the removal of a system

component from the facility ? E.g. a mainframe memory needs to be

removed from facility - is it approved by anyone?

Reddy

e. Checks all potentially impacted security controls to verify that the controls

are still functioning properly following maintenance or repair actions.

1. Is there a process to identify controls that would be affected due to

maintenance activities?

2. Does the organization validate the functioning of the controls after the

maintenance activity is completed?

Reddy

The organization maintains maintenance records for the information system that include:

- date and time of maintenance;

- name of the individual performing the maintenance;

- name of escort, if necessary;

- a description of the maintenance performed;

- a list of equipment removed or replaced (including identification numbers,

if applicable).

1. Are records maintained for maintenance activities carried out?

2. What are the fields captured in these records?

Reddy

The organization approves, controls, monitors the use of, and maintains on

an ongoing basis, information system maintenance tools.

Are there specific maintenance tools utilized, for example diagnostic and test equipment used to conduct maintenance on the information system?

How is the use of such tools monitored?

Is there an approval process?

How long are the tools kept onsite? Are they removed after a

predetermined interval?

Reddy

The organization inspects all maintenance tools carried into a facility by

maintenance personnel for obvious improper modifications.

Enhancement Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system.

Are the above-mentioned tools inspected periodically and/or before use? Reddy

The organization checks all media containing diagnostic and test programs

for malicious code before the media are used in the information system.

Is scanning performed for media containing diagnostic / test programs for malicious code?

Reddy

The organization prohibits non-local system maintenance unless explicitly

authorized, in writing, by the CIO or his/her designated representative. If

authorized, the organization:

a. Monitors and controls non-local maintenance and diagnostic activities;

b. Allows the use of non-local maintenance and diagnostic tools only as

consistent with organizational policy and documented in the security plan for

the information system;

c. Employs strong identification and authentication techniques in the

establishment of non-local maintenance and diagnostic sessions;

d. Maintains records for non-local maintenance and diagnostic activities;

and

e. Terminates all sessions and network connections when non-local

maintenance is completed.

Implementation Standard(s)

1. If password-based authentication is used during remote maintenance,

change the passwords following each remote maintenance service.

1. Are non-local system maintenance activities allowed? E.g. installation

using Remote Desktop

2. What are the authentication mechanisms for such maintenance

activities?

3. Is there monitoring of such activities?

Reddy

The organization audits non-local maintenance and diagnostic sessions and

designated organizational personnel review the maintenance records of the

sessions.

Are records maintained? And are they periodically reviewed? Reddy

CMS Control Description: The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.
Questions:
Is the use of non-local maintenance allowed?
Is it documented in the security plan / information security policy?
Contact for Info.: Reddy

Maintenance (MA)

CMS Control Description: The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and, prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to sensitive information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.
Questions:
1. What are the security measures expected on the system used for non-local maintenance?
2. Is there segregation of components before using non-local maintenance?
Contact for Info.: Reddy

CMS Control Description: The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.
Questions:
1. Is there a process for maintenance personnel authorization?
2. Is there a current list of authorized maintenance organizations or personnel?
Requirement:
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.
Contact for Info.: Reddy

CMS Control Description: The organization obtains maintenance support and/or spare parts for critical systems and applications (including Major Applications [MA] and General Support Systems [GSS] and their components) within twenty-four (24) hours of failure.
Questions:
1. Is there any SLA with a service organization to obtain critical components / spare parts?
2. Is there a determined time interval within which to procure the spare parts?
Contact for Info.: Reddy