DATE: February 24, 2017
TO: Tribal Agencies Administering Child Support Enforcement Plans under Title IV-D of the Social Security Act and Other Interested Parties
SUBJECT: Identifying Independent Security Assessors and Examples of Minimum Baseline Security Controls
BACKGROUND: In order for a tribal child support agency to gain access to the Federal Parent Locator Service (FPLS), the first requirement is to submit an independent assessment to the Office of Child Support Enforcement (OCSE). The assessment is required so OCSE can get an accurate account of the state of the tribe’s IT system and ensure that the tribe has the required security controls in place.
OCSE will accept an independent assessment completed by the Internal Revenue Service (IRS), Social Security Administration (SSA), or an independent tribal auditing organization within the last three years. If you have not had an independent assessment completed by one of these three organizations, you can hire an independent firm or assessor outside of your tribe to complete the assessment.
The independent assessment must be performed by a competent, independent, and unbiased evaluator who has expertise in information assurance and IT cybersecurity technology, processes, and methodology to validate existing security controls and make a determination of a general security posture of an IT system. The assessment must include information on the security controls defined within the security agreement and detailed findings (if any) and recommendations to improve the tribal child support agency’s plans, procedures, and practices so the system can be deemed secured and meeting federal requirements. The tribal child support agency must provide an independent assessment to OCSE for review and approval before obtaining access to the FPLS.
CONTENT: This Information Memorandum addresses how to identify an appropriate and qualified independent assessor and provides examples of security controls. OCSE has developed technical assistance to help tribes identify the best ways to search for an independent assessor and identify the minimum baseline for security controls that must be in place. Our goal is to make this process clearer so all interested tribes can access the FPLS. Please remember that once OCSE accepts your initial assessment, you must submit a new assessment every three years. In addition, if major organizational or system framework changes take place after your most recent independent assessment, you must conduct a new independent assessment and submit it to OCSE within six months of the change.
The independent assessor should use industry best practices and guidelines, such as those published by the National Institute of Standards and Technology (NIST) and outlined by the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), and IRS Publication 1075 to conduct the security assessment.
The assessor should hold a recognized security certification. Acceptable certifications include CompTIA Security+, Certified Authorization Professional (CAP), Certified Information Systems Security Professional (CISSP), and Certified Information Security Manager (CISM).
Security+ is an entry-level certification; depending on the assessor's technical experience, he or she may still be able to conduct an effective assessment. CAP, CISSP, and CISM are the more advanced certifications and are preferred, with CISSP and CISM being the most highly respected. Always verify that the assessor you select actually holds the certifications and credentials claimed, for example by checking with the issuing body.
Research IT security companies in your area to determine whether they perform security control assessments. Web searches for terms such as "security control assessment" or "NIST 800-53 assessment" together with your region are an effective starting point.
In addition, certification bodies such as the International Information Systems Security Certification Consortium, Inc. (ISC²) and the Information Systems Audit and Control Association (ISACA) certify security assessors and have local chapters. Once you locate the chapters in your area, you can contact them to help you identify a certified independent security assessor. Please note that OCSE neither endorses nor recommends a specific independent security assessor.
OCSE developed the Tribal Security Self-Assessment Tool to help tribal child support agencies assess and document compliance with OCSE's security requirements. The tool includes assessment questions addressing the requirements in the OCSE tribal security agreement with tribal child support agencies as well as NIST SP 800-53 Rev. 4 security controls from the moderate baseline. However, depending on the size and complexity of a tribe's computing systems and technology, not all tribal child support agencies will be able to respond to every control in the tool. The tool provides two important functions to tribal agencies:
While OCSE does not require tribal child support agencies to use this tool or submit this assessment to us, we recommend that you use the tool as a guide to assess your security posture through an independent assessor or assessment team that conducts impartial assessments of organizational information systems. “Impartial” implies that assessors are free from any perceived or actual conflicts of interest with regard to development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. The tool can be found in IM-16-03, Information for Tribal Access to the FPLS.
Understanding your agency’s security posture is extremely important in safeguarding data. The following list is not exhaustive because security controls should be commensurate with the level of complexity of your IT system; however, these are examples of some of the controls you should have in place.
Control: Documented System Security Control Plan
    What to have in place: a written system security plan describing the system and its security controls.
    Reference: NIST SP 800-18 Rev. 1 (Guide for Developing Security Plans for Federal Information Systems)

Control: System Boundary Document or Diagram
    What to have in place: a document or diagram showing the overall design of your network and what lies inside the system boundary.

Control: Network Segmentation
    What to have in place: identify critical assets, partition the network into zones, and test the effectiveness of the segmentation.
    Reference: NIST SP 800-53 SC-2

Control: User Authentication/Access Control
    What to have in place: multi-factor authentication where possible, strong password policies, and regular audits of password policy compliance.
    Reference: NIST SP 800-53 AC control family

Control: Exploit Mitigation/Vulnerability Management
    What to have in place: vulnerability scanning (open-source scanning tools are acceptable), management of a plan of action and milestones (POA&M) for findings, and independent assessments.
    Reference: NIST SP 800-53 CA-5, RA-5, SI-2

Control: Secure Configurations
    What to have in place: standard system images, checks for deviations from the image over time, and continuous improvement of the baseline.
    Reference: NIST SP 800-53 CM control family

Control: Restrict Administrator Privileges
    What to have in place: limit administrator rights to documented business need, monitor privileged accounts, and detect abnormal account behavior.
    Reference: NIST SP 800-53 AC control family, IA control family

Control: Application Whitelisting
    What to have in place: software inventories, a list of allowed applications, and monitoring for unauthorized software.
    Reference: NIST SP 800-53 CM-8

Control: Patch Management
    What to have in place: prioritize patches based on risk and keep to a documented patch schedule.
    Reference: NIST SP 800-53 CM-6, SI-2

Control: Physical Controls
    What to have in place: door locks, clean desk policies, and physical security systems.
    Reference: NIST SP 800-53 PE control family
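The "Secure Configurations" and "Application Whitelisting" rows above describe a check that an agency can automate: compare what is actually installed on each system against the standard image and the allowed-application list, and flag drift and unauthorized software. The script below is an added example written for this memorandum; it is not OCSE tooling and not part of the Tribal Security Self-Assessment Tool. The baseline image contents, the allow-list, the host names and the inventory records are all constructed sample data; in practice the inventory text would come from your own systems (for example, the output of a package manager or endpoint agent).

```python
"""
Configuration-baseline and software-inventory check.

Added example, not OCSE's own code. It compares each host's installed
software against (1) a standard-image baseline (Secure Configurations,
NIST SP 800-53 CM family) and (2) an allowed-application list
(Application Whitelisting, CM-8), and reports missing baseline packages,
version drift, and unauthorized software. All data below is constructed.
"""
from collections import defaultdict

# Constructed: package -> version installed on the agency's standard image.
BASELINE_IMAGE = {
    "openssh-server": "7.4p1",
    "openssl": "1.0.2k",
    "sudo": "1.8.19",
    "auditd": "2.7.6",
}

# Constructed: applications permitted beyond the base image (lower-case).
ALLOWED_APPS = {"libreoffice", "firefox", "case-mgmt-client"}

# Constructed sample inventory: one "host package version" record per line.
SAMPLE_INVENTORY = """\
# host        package            version
cs-ws-01      openssh-server     7.4p1
cs-ws-01      openssl            1.0.2k
cs-ws-01      sudo               1.8.19
cs-ws-01      auditd             2.7.6
cs-ws-01      firefox            52.0
cs-ws-02      openssh-server     7.4p1
cs-ws-02      openssl            1.0.1e
cs-ws-02      sudo               1.8.19
cs-ws-02      TeamViewer         12.0
cs-ws-02      libreoffice        5.2
"""


def parse_inventory(text):
    """Return {host: {package: version}}; blank and '#' lines are skipped.
    Package names are lower-cased so the comparison is case-insensitive."""
    hosts = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'host package version'")
        host, package, version = parts
        hosts[host][package.lower()] = version
    return dict(hosts)


def check_host(installed, baseline, allowed):
    """Compare one host against the baseline image and allow-list.
    Returns a findings dict; all-empty lists mean the host is compliant."""
    findings = {"missing": [], "version_drift": [], "unauthorized": []}
    for pkg, want in baseline.items():
        have = installed.get(pkg)
        if have is None:
            findings["missing"].append(pkg)
        elif have != want:
            findings["version_drift"].append((pkg, want, have))
    for pkg in sorted(installed):
        if pkg not in baseline and pkg not in allowed:
            findings["unauthorized"].append(pkg)
    return findings


def check_fleet(inventory_text, baseline=BASELINE_IMAGE, allowed=ALLOWED_APPS):
    """Run check_host for every host in the inventory text."""
    return {host: check_host(pkgs, baseline, allowed)
            for host, pkgs in parse_inventory(inventory_text).items()}


def is_compliant(findings):
    return not any(findings.values())


def format_report(fleet):
    """Human-readable summary suitable for attaching to an assessment."""
    lines = []
    for host in sorted(fleet):
        f = fleet[host]
        lines.append(f"{host}: {'OK' if is_compliant(f) else 'DEVIATION'}")
        for pkg in f["missing"]:
            lines.append(f"  missing baseline package: {pkg}")
        for pkg, want, have in f["version_drift"]:
            lines.append(f"  version drift: {pkg} expected {want}, found {have}")
        for pkg in f["unauthorized"]:
            lines.append(f"  unauthorized software: {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_fleet(SAMPLE_INVENTORY)))
```

Run against the constructed data, cs-ws-01 reports OK and cs-ws-02 reports a missing auditd package, an openssl version that differs from the image, and TeamViewer as unauthorized software. Running such a check on a schedule and keeping the reports is the kind of evidence that shows a control is "in practice," not only written down.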
Every tribe that seeks access to the FPLS must have and implement the federally required security controls. It is not just a matter of being able to show written processes; the processes must be in practice. We hope these tips will be helpful to you in preparing for and identifying an appropriate independent security assessor.
INQUIRIES: Contact [Paige Hausburg, retired] or firstname.lastname@example.org if you have any questions regarding this notice.
Donna J. Bonar
Office of Child Support Enforcement
cc: ACF/OCSE Regional Program Managers