Designate a Chief Information Officer (CIO)/Chief Technology Officer (CTO); and

Ensure high priority is given to effective information security awareness, awareness training, and role-based training for the workforce.

Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
i. Information collected or maintained by or on behalf of the agency; and
ii. Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

Complying with the requirements of FISMA Section 3544 § and related policies, procedures, standards, and guidelines, including:
i. Information security standards promulgated under the U.S. Code Section 11331 of Title 40; and
ii. Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President;

Ensuring information security management processes are integrated with agency strategic and operational planning processes;

Ensuring that the agency has trained personnel sufficient to assist the agency in complying with the requirements of FISMA Section 3544 §, this policy and related policies, procedures, standards, and guidelines; and

Ensuring policies are disseminated to all employees.

Ensure that senior management/executive officials provide information security, for the information and information systems that support the operations and assets under their control;

Assess risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;

Determine the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under the U.S. Code Section 11331 and policies for information security classifications and related requirements;

Implement policies and procedures to cost-effectively reduce risks to an acceptable level; and

Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented;

Delegate to the CIO/CTO, established under Section 3506 of the FISMA Act (or comparable official in an agency not covered by such section), the authority to ensure compliance with the requirements imposed on the agency; and

Ensure that the CIO/CTO, in coordination with other senior management/executive officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions.

Perform annual FISMA activity reviews;

Review the results of the annual FISMA activity reviews, including any weaknesses for inclusion in the IRS’ Plan of Action and Milestones (POA&M); and

Coordinate with the Authorizing Official (AO) regarding the security posture of IT resources.

Designate a Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) who shall carry out the CIO/CTO’s responsibilities for system and program security planning and assessments;

Develop and maintain an agency-wide information security program including information security policies, procedures, and control techniques to address system security planning and all applicable requirements;

Ensure information security considerations are integrated into programming, planning and budgeting cycles, enterprise architectures and acquisition/system development life cycles;

Ensure information systems are covered by an approved security plan and are authorized to operate;

Ensure security authorizations are accomplished in an efficient, cost-effective and timely manner;

Ensure centralized capability for reporting of all security-related activities;

Determine the appropriate allocation of resources dedicated to the protection of the organization's missions and business functions and the information systems supporting those missions/business functions based on organizational priorities.

Manage the identification, development, implementation, and assessment of common security controls;

Ensure compliance with applicable information security requirements;

Ensure that personnel with significant responsibilities for system and program security plans and assessments are trained;

Assist senior management/executive officials with their responsibilities for system and program security plans and assessments;

Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;

Encourage the maximum reuse and sharing of security-related information including: 1) threat and vulnerability assessments; 2) risk assessments; 3) results from common security control assessments; and 4) any other general information that may be of assistance to information system owners and their supporting security staffs;

Determine the appropriate allocation of resources dedicated to the protection of the agency’s information systems based on organizational priorities; and

In certain instances, operate as the AO for agency-wide general support systems (GSS) or as co- AO with other senior management/executive officials for selected agency systems.

Develop and implement an enterprise-level plan that ensures that the agency is in compliance with Executive Order 13103. http://www.bsagovernment.com/downloads/guidelinesForImplimenting.pdf

Coordinate with Department of Treasury Bureaus and Offices an initial assessment of the agency’s existing policies and practices with respect to the use and management of computer software through qualified personnel or an outside contractor;

Maintain an enterprise list of Treasury Department authorized and supported software. The list shall indicate by Bureaus and Offices, terms of licenses, authorized number of users, and physical location of software;

Perform spot audits. Periodic audit checks shall be done to ensure Bureaus and Offices are in compliance with software license agreements; and

Establish centralized software acquisition whenever possible.

Provide leadership and high level direction in the management of projects and plans involving highly complex, mission critical information systems and business systems modernization projects in support of modernizing the nation's tax system;

Ensure the organization's core IT competencies are aligned to provide maximum value in support of agency business processes, and ensures overall strategies are established and engaged to support long-term enterprise-wide information needs and modernization projects;

Define objectives and make decisions which impact the cost, schedule, supportability and performance modernization projects;

Provide focus for technology management within the IRS by developing integrated enterprise-wide technology policies;

Establish and maintain strong relationships with stakeholders such as oversight groups, IRS business leaders and external stakeholders, etc., to facilitate the exchange of information in support of program goals and requirements;

Provide oversight and guidance to key contractors to ensure successful performance of contracts;

Provide executive leadership in IT strategic and operational planning to achieve business goals by fostering innovation, prioritizing complex IT initiatives and directing the evaluation, deployment and management of current and future IT systems across the organization;

Serve as the external spokesman for the IRS on technology matters to the Administration, Congress and external oversight bodies;

Influence strategic business decisions regarding the use of technology and assesses the impact of emerging technology to strategic business needs;

Drive the vision for all enterprise-wide IT activities including planning, budgeting, acquisition, allocation of computer services and communication services; and

Develop and implement IT initiatives that will advance operational efficiencies, improve enterprise-wide decision making and communication, increase revenues, drive cost efficiencies and strengthen financial reporting and controls.

Establish overall strategy for the information security awareness and training program;

Ensure that the agency head, senior managers, system and information owners, and others understand the concepts and strategy of the information security awareness and training program, and are informed of the progress of the program’s implementation;

Ensure that the agency’s information security awareness and training program is funded;

Ensure the training of agency personnel with significant responsibilities for information security;

Ensure that all users of information systems are sufficiently trained in their security responsibilities and other information security basics and literacy through awareness training;

Ensure that an effective information security awareness effort is developed and employed such that all personnel are routinely or continuously exposed to awareness messages through posters, e-mail messages, logon banners, and other techniques; and

Ensure that effective tracking and reporting mechanisms are in place.

Possess the qualifications, training and experience required to administer information security program functions;

Maintain information security duties as their primary responsibility;

Head an office with the mission of assisting in achieving FISMA compliance;

Develop, document, and implement an agency wide information security program to provide security for all systems, networks, and data that support the operations of the organization;

Periodically assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;

Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements;

Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;

Coordinate the development, review, and acceptance of system security plans with information system owners, ISSOs, and the AO;

Coordinate the identification, implementation, and assessment of the common security controls;

Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;

Develop and implement procedures for detecting, investigating, reporting, responding, and resolving security incidents;

Develop and review procedures for monitoring and reacting to system security alarms, warning messages, and reports, and implement said procedures. Note: This duty may be delegated to Information System Security Officers (ISSOs);

Oversee a program of disaster recovery readiness and evaluation;

Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; Ensure that contingency plans for IT systems are developed, maintained and tested;

Support the agency CIO/CTO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions;

Ensure that an ISSO has been assigned for each IT system; and

Assist senior management/executive officials concerning their responsibilities.

Ensure that the security aspects and day-to-day security operations of the information system, including physical security, personnel security, incident handling, and security training and awareness, are managed;

Ensure that IT system Security Assessment and Authorization (i.e. Certification & Accreditation (C&A)) reports and risk analyses are conducted by each AO;

Ensure that security plans are reviewed and submitted to the AO for approval at least annually or upon significant changes to the system, whichever is sooner;

Review IRS business cases and budget submissions to ensure that IT security requirements are addressed and adequately resourced;

Establish an IRS IT security oversight program to ensure that the security procedures and requirements are in compliance with Department of Treasury and IRS policies and standards;

Conduct security audits, verifications and acceptance checks and maintain documentation on the results;

Manage and Maintain agency Plan of Action and Milestones (POA&Ms) for all IT security weaknesses, tracking milestones, and resource allocation of resources for remediation, and provide a quarterly status to Department of Treasury through the IRS CIO/CTO;

Ensure the CIO/CTO is informed of technical risks and vulnerabilities, to include those accepted by AOs;

Ensure that IRS security status and other relevant data is provided to the CIO/CTO for situational awareness and related purposes;

Coordinate the implementation of logical access controls into operating systems, relational database management systems (RDBMS), remote terminals and IT applications;

Provide IT and facility technical and non-technical (e.g., physical and personnel security) certification support to any Information System Owner;

Prepare and submit a written report for all technical security exceptions. The report shall outline the risks and vulnerabilities and/or advantages that could result from granting the exception or from implementing any alternative. Maintain a file of all approved IT facility security-related exceptions;

Ensure that re-accreditation/reauthorization and risk analyses are conducted at least every 3 years or when major changes occur for IT systems/application processing sensitive information;

Ensure that a security test and evaluation (ST&E) is performed for each non-national security system when conducting a Security Assessment and Authorization (i.e. C&A) (for policy pertaining to NSS see IRM 10.9.1);

Ensure that contingency plans for IT systems processing sensitive information are developed, maintained and tested;

Develop each certification letter citing risks and mitigations along with Authority to Operate (ATO) or Interim Authority to Operate (IATO) recommendation to the AO;

Review and approve Security Assessment and Authorization (i.e. C&A) package artifacts;

Be a voting member on the Configuration Control Board (CCB) for the IRS' IT architecture;

Review contract vehicles to ensure they address appropriate security measures; and

Define and implement performance metrics to evaluate the effectiveness of their IT security programs.

Maintain and provide updates to IRM 10.8.3, in accordance with IRM 10.8.2 and other applicable IRS policies; and

Develop Guidelines, Standards, and Procedures (GSP) documentation, consistent with the requirements of this IRM, to describe platform-specific files, permissions, and other configuration settings necessary to comply with IRM 10.8.3.

Ensure that awareness, awareness training, and role-based training material developed or purchased is appropriate and timely for the intended audiences;

Ensure that awareness, awareness training, and role-based training material is effectively deployed to reach the intended audiences;

Ensure that employees, users, those receiving role-based training, and managers have an effective way to provide feedback on the awareness, awareness training, and role-based training material and its presentation;

Ensure that awareness, awareness training, and role-based training material is reviewed periodically and updated when necessary; and

Assist in establishing a tracking and reporting strategy.

Plan for security in all phases of the system life cycle;

Ensure appropriate officials are assigned security responsibility;

Review security controls annually (i.e., FISMA annual security program review); and

Formally authorize (accredit) processing prior to operations (as an AO) and periodically thereafter.

Exercising oversight to ensure that a program manager is assigned for each system;

Exercising oversight over Security Awareness Training and Education (ATE/SATE) funding; and

Annually validating and updating the master inventory of information systems.

Be responsible for ensuring their respective units are funded and that activities within these units are prioritized;

Develop organizational assignments and operational procedures to implement the roles and responsibilities defined in this policy;

Be knowledgeable in the nature of the information and process supported by the application and in the management, operational, and technical controls used to protect it;

Include security requirements in their capital planning and investment business cases;

Ensure security requirements are adequately funded and documented in accordance with OMB Circular A-11.

Serve as or designate a "user representative" which represents the operational interests of the user community and serve as the liaison for that community throughout the system development life cycle;

Own the business case, which is a product of the Enterprise Life Cycle (ELC), and formally propose the continuation of the project submitting the related funding requests;

Initiate and manage Security Assessment and Authorization (i.e. C&A) activities to ensure they are performed appropriately and timely;

Plan and coordinate activities within his/her organization required to complete Security Assessment and Authorization (i.e. C&A), FISMA reviews, and POA&M development;

Inform key agency officials of the need to conduct a Security Assessment and Authorization (i.e. C&A) of the information system;

Ensure appropriate resources are available for the Security Assessment and Authorization (i.e. C&A) effort;

Develop the system security plan in coordination with information owners, the system administrator, the information system security officer (ISSO), the SAISO/CISO, and functional end users;

Maintain the system security plan and ensuring that the system is deployed and operated according to the agreed-upon security requirements;

Ensure that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior) and assisting in the identification, implementation, and assessment of the common security controls;

Provide necessary system-related documentation to the certification agent;

Ensure full and current documentation of the information system in the system security plan and other associated Security Assessment and Authorization (i.e. C&A) documentation;

Assemble and Ensure submission of all Security Assessment and Authorization (i.e. C&A) documents to MITS Cybersecurity;

Complete the annual review of system security controls for the annual FISMA system security program review.

Conduct annual testing of the system;

Combine and review all security weaknesses from the self-assessment, risk assessment, TIGTA audits, GAO audits and internal reviews into POA&M weaknesses;

Coordinate the completion of the Self-Assessment Questionnaire with appropriate organizations and provide the consolidated assessment to the appropriate Security PMO;

Propose changes to the information systems including hardware, software, and surrounding environment as part of the POA&M and/or applicable change management process;

Ensure risks to IRS operations and assets are identified, documented, assessed, and appropriately managed (See IRM 10.8.1 for certification);

Assess the business impact of a weakness occurring as part of the POA&M activities;

Determine the corrective actions to mitigate the weakness and the associated cost, time, and resources;

Based on the threat, probability of occurrence, and business and technical impact, consider the cost, time and resources necessary to mitigate and prioritize the weaknesses into High (H), Medium (M), Low (L) categories and notate on the POA&M as appropriate;

Take appropriate steps to reduce or eliminate system vulnerabilities identified in the Security Assessment and Authorization (i.e. C&A) process;

Implement corrective actions to mitigate weaknesses assigned to the Business Unit;

Track the mitigation of the weaknesses in the POA&M through frequent status updates, changes to milestones and additional comments according to PMO guidance, but no less than quarterly;

Test and validate the effectiveness of the corrective actions at a minimum during continuous monitoring or ST&E testing;

Plan and manage the development and execution of the POA&M to ensure all identified security weaknesses are documented, assessed, prioritized, and managed;

Provide quarterly POA&M status reports to Security PMO for submission to MITS Cybersecurity;

Implement and manage a change control process to ensure changes to the system or its environment are appropriately documented, authorized, tested, and implemented;

Ensure least-privilege system access controls and administration are in compliance with policy;

Ensure that appropriate technical, administrative, physical, and personnel security requirements in specifications for the acquisition or operation of information systems are reviewed and approved by the management official responsible for security at the facility operating the information system;

Establish the rules for appropriate use and protection of the subject information (e.g., rules of behavior);

Retain responsibility for the information even when the information is shared with other organizations;

Provide input to information system owners regarding the security requirements and security controls for the information systems where the information resides; and

Authorize user access to the information system (privileges or access rights provisioning, deprovisioning, and recertification functions, as well as access timeline / duration of requests).

Conduct an annual FISMA Contractor Review of the contractor’s facility and systems;

Perform continuous monitoring and create and maintain a Plan of Action and Milestones (POA&M) of their FISMA Contractor Systems in accordance with NIST 800-37 and 800-53 guidance; and

Provide funding to conduct the annual FISMA Contractor reviews.

Fully describe and document the information system in Information Technology Contingency Plan (ITCP);

Acquire and transport replacement equipment required to restore operations;

Acquire space for processing operation to include occupation of an alternate processing facility when necessary;

Estimate supplies and office equipment needed to support a computer processing operation occupying an alternate processing facility when appropriate;

Support expeditious acquisition and transportation of replacement equipment required to restore operations; and

Refer to IRM 10.8.60, Information Technology (IT) Disaster Recovery Policy and Guidelines for additional information on IT Disaster Recovery roles & responsibilities.

Determine recovery needs and time frames needed for business restoration through comprehensive business impact analysis evaluations;

Develop DR requirements during the development phase of all new systems and throughout any production system upgrades;

Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business);

Fully describe and document the details of the information system in the IT Contingency Plan (ITCP) that is required by FISMA for each major system;

Support expeditious acquisition and transportation of replacement equipment required to restore operations;

Support the development of processing priorities for completion of work following emergencies that degrade computer processing capabilities;

Work jointly with MITS Operations and IT Disaster Recovery Organization (ITDRO) to ensure ITCPs and DR plans for all applications and systems are tested annually;

Work jointly with MITS Operations and ITDRO in the development and testing of DR plans to ensure availability of data from the recovered system and business continuity;

Work jointly in the testing of the DR plans to ensure availability of data from the recovered system;

Work with ITDRO regarding enterprise priorities; and

Refer to IRM 10.8.60, Information Technology (IT) Disaster Recovery Policy and Guidelines for additional information on IT Disaster Recovery roles & responsibilities.

Ensure that audit plans are developed for all IRS systems and applications in accordance with IRM 10.8.3; and

Ensure that audit logs are collected and maintained for each IRS system in accordance with IRM 10.8.3.

Ensure that DBMS environments comply with the security change management requirements listed in the Operational Controls section of IRM 10.8.1;

Ensure that changes to DBMSs are documented and tracked using the appropriate change management process;

Ensure that development servers properly configured and managed in accordance with the requirements in IRM 10.8.4, Relational Database Management Systems Security;

Work with Program Developer/Programmers to ensure proper configuration of application server software, on the operating system(s) are in accordance with IRM 10.8.4;

Advise the Security Specialist of any technical, operational, or security problems and recommended solutions; and

Ensure DBAs do not have operating System Administrator privileges. DBAs should have the least level of elevated privileges required to perform DBA-related duties.

Work with Program Developer/Programmers to ensure proper configuration of application server software, on the operating system(s) are in accordance with IRM 10.8.6;

Advise the Security Specialist of any technical, operational, or security problems and recommended solutions for secure application development; and

Not have operating system Administrator privileges and will therefore, have the least level of privileges required to perform operational duties.

Work with System Administrators (SA) and other stakeholders to ensure proper configuration of Windows based operating systems in accordance with IRM 10.8.20; and

Advise the Security Specialist of any technical, operational, or security problems and recommend solutions for the Windows environment.

Ensure that Web servers and Web application servers are properly configured and managed in accordance with the requirements of associated IRM;

Work with System Administrators (SA) and other stakeholders to ensure proper configuration of Web servers and web application server software on the operating system in accordance with associated IRM; and

Coordinate placement of information and scripts on the Web server and Web application servers with appropriate authorities.

Develop implementation policies and procedures for managing security patches to the systems and applications for which they are responsible;

Review various sources for security-related patches specific to their systems and applications;

Notify CSIRC prior to the working on each set of their pending patch activities. Notification shall be via the Patch and Vulnerability Group (PVG) member;

Provide application names and implementation counts to the CSIRC for the Business Impact Analysis during the assignment of severity levels;

Maintain hardware/software inventories;

Coordinate their patch activities with the Business and Functional Unit Owners;

Coordinate their patch activities with the CSIRC;

Provide multiple representation to the PVG based on key stakeholder organizations involved in the Enterprise Life Cycle (ELC) and operations;

Acknowledge receipt of the PVG Advisories per the Acknowledgment of Receipt schedule;

In the event an applicable patch is not applied, the Business and Functional Unit Owner shall document this weakness in a Plan of Actions and Milestones (POA&M) associated with the Security Assessment and Authorization (i.e. C&A) package; and

Business and Functional Unit Owners shall be represented on the PVG.

For all equipment capable of storing or transmitting data, conduct a risk assessment before connecting it to an IRS system or network;

Apply adequate countermeasures before connecting the equipment to an IRS system or network;

Decide through Security Assessment and Authorization (C&A) processes to allow or disallow equipment to be connected to an IRS system or network;

Document interconnections between external networks with an Interconnection Security Agreement (ISA) signed by both DAAs/AOs;

Oversee the budget and business operations of the information system within the agency and is often called upon to approve system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding;

Issue an Interim Authorization to Operate (IATO) the information system under specific terms and conditions;

Deny Authorization to Operate (ATO) the information system (or if the system is already operational, halt operations) if unacceptable security risks exist;

Report to the Business and Functional Unit Owner and manage the day-to- day activities for the owner; and

Assume accountability for the security risks associated with information system operations.

Ensure that the BU responsibilities are assigned within their organization for each system;

Obtaining and maintain Security Assessment and Authorization (i.e. C&A) for his/her systems and applications;

Sign the Accreditation Letter and assume responsibility and accountability for operating a system at an acceptable level of risk;

Ensure Security Assessment and Authorization (i.e. C&A) documentation is current;

Determine information sensitivity in accordance with NIST special publication guidance on security;

Coordinate with the CIO/CTO regarding the security requirements of the sensitive information and provide definitive directions to IT developers or owners relative to the risk in the security posture of the IT system;

Respond to self-assessment questions assigned;

Decide on accepting the minimum security safeguards (requirements) prescribed for an IT system;

Implement all applicable federal security and other protection policies as required by the Business system owner;

Ensure that risk analysis responsibilities are accomplished in accordance with this policy;

Ensure development of the documentation required for certification and ensure delivery to MITS Cybersecurity, which is supporting the CIO/CTO;

Evaluate security impact of any facility-unique patches or system modifications and approve those that do not adversely affect system security;

Report any condition which appears to invalidate a certification, immediately to MITS Cybersecurity;

Ensure that current copies of approved Security Assessment and Authorization (C&A) or IATO documentation are distributed to the organizations with a need to know as outlined in Security Assessment and Authorization (i.e. C&A) processes;

Ensure that all acquisitions of goods or services provide for information security, personnel security and physical security;

Maintain the deliverables/results of contracted and outsourced efforts for which they provided funding;

Approve security plans, security assessment plans/reports, memorandums of agreement or understanding, and POA&Ms;

Determine whether or not changes in the information system or environment of operation require re-accreditation/reauthorization. Ensure minimum security baseline requirements (i.e., NIST, OMB, Treasury, etc.,) selected are appropriately prescribed for IT systems throughout the enterprise;

Annually ensure each application's ITCP is reviewed, exercised and, if applicable, executed; or

Participate in a Disaster Recovery test, including signing off on the documentation as complete.

Analysis of security findings, issues and plans;

Interpretation and clarification of security policy, guidance and new or changing IRM requirements;

Recommendation for action(s) to resolve or mitigate known weaknesses, or for preventive measures and safeguards for potential threats;

Status monitoring for Plans of Action and Milestones (POA&M), and other applicable action plans designed to resolve known weaknesses or prevent potential threats;

Guidance in resolving known system weaknesses according to available enterprise-level plans or solutions;

Situational Awareness through notification of enterprise security issues, solutions, projects and plans that may impact the assigned system(s);

Be appointed in writing;

Be responsible for the coordination of activities that facilitate confidentiality, integrity, and availability of assigned IRS systems and applications;

Accomplish duties through planning, analysis, development, implementation, maintenance, and enhancement of MITS Cybersecurity information systems security programs, policies, procedures, and tools consistent with Department of Treasury, FISMA, and NIST guidelines;

Assist the SAISO/CISO in identifying, implementing, and assessing the common security controls;

Actively support the development and maintenance of the system security plan, to include coordinating system changes with the information system owner and assessing the security impact of those changes;

Perform and/or provide oversight and guidance for day-to-day security activities for assigned systems;

Develop or assist in development of system security policy;

Ensure compliance with system security policy;

Coordinate changes to the system with the system owner and the information owner, as needed;

Assess security impact of system changes;

In accordance to NIST 800-100, the ISSO is primarily responsible for addressing security concerns related to the CM program and for providing expertise and decision support to the Change/Configuration Control Review Board (CCRB/CCB);

Be a voting member on the Change Control Board (CCB) for the systems and applications for which they are assigned; and

Satisfy ISSO requirement for mandatory annual specialized IT-security training.

Support the AO in the management of an enterprise risk management capability that incorporates the specific GSS or application;

Ensure current security plans, IT contingency plans, and disaster recovery plans exist;

Ensure Disaster Recovery (DR) planning and testing occurs;

Ensure Business Resumption (BR) planning and testing occurs;

Participate, as needed, in testing of corrective action effectiveness, system security controls, and any other security testing;

Participate in Cybersecurity Operations Compliance Reviews and Contractor Site Reviews as they relate to assigned systems;

Provide an early warning to appropriate personnel, assisting with (or in) the tasks necessary to plan, allocate resources, and conduct any required security re-certification and accreditation;

Assist in identification of IT and security resources which support critical operations;

Support the activities relating to the security posture of the GSS or application;

Alert the AO to system-relevant security threats and/or vulnerabilities as they are discovered; provide recommendations for mitigation or resolution as appropriate;

Recommend (dis)approval of deviations from policy and/or security input to risk-based decisions for the systems or applications for which they are responsible;

Analyze the proposed changes to the systems and applications (including hardware, software, and surrounding environment) to provide system-specific input to the determination of need for re-certification; and

Analyze, interpret and/or clarify Security Assessment and Authorization (i.e. C&A) packages with requirements and results for the AO.

Explicitly assign information technology security roles to individuals on their staff when said individual is responsible for meeting any requirements or completing any functions and activities of a role defined in IRM 10.8.2.

Assign multiple roles to any employee when said employee performs in multiple roles. No role assignment has precedence so all appropriate roles will be assigned.

Not assign a role to an individual if that individual will not perform in that role. For example, because a person is capable and works within a business function that has system administrators (SAs), if that individual does not have any SA duties, then do not assign the associated role.

Work with the CIO and SAISO to meet shared responsibilities;

Serve in the role of system owner and/or information owner, where applicable;

Include appropriate security training in the Career Learning Plans (CLP) for those with significant security responsibilities;

Promote the professional development and certification of the information security program staff, full-time or part-time information security officers, and others with significant responsibilities for information security;

Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their information security responsibilities before allowing them access;

Ensure that users (including contractors) understand specific rules of each system and application they use; and

Work to reduce errors and omissions by users due to lack of awareness, awareness training, and/or specialized role-based training.

Enforce the clean desk policy (see IRM 10.2.14, Physical Security Program, Methods of Providing Protection for further information);

Ensure employees complete their annual UNAX Awareness certification;

Be responsible for notifying via Form 5081 and following up with the responsible organization of the system user status changes (e.g., terminations, transfers); and

Receive Security Awareness Training and Education (Security ATE/SATE). Detailed training requirements for management are stated in IRM 10.8.1.

Ensure employees are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy. These requirements are part of the employees’ mandatory annual Security ATE/SATE; and

Ensure IT resources are being used appropriately and shall take corrective action, as needed.

Work in partnership with the SAISO/CISO to ensure that agency contracting policies adequately address the information security requirements;

Coordinate with the SAISO/CISO to ensure that all agency contracts and procurements are compliant with the agency’s information security policy;

Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in information security; and

Collaborate with the SAISO/CISO to monitor contract performance for compliance with the agency’s information security policy.

Lead agency enterprise architecture development and implementation efforts;

Collaborate with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture;

Participate in agency strategic planning and performance planning activities to ensure proper integration of enterprise architecture;

Facilitate integration of information security into all layers of enterprise architecture to ensure agency implementation of secure solutions; and

Work closely with the program managers, the SAISO/CISO, and the business owners to ensure that all technical architecture requirements are adequately addressed by applying Federal Enterprise Architecture (FEA) and the Security and Privacy Profile (SPP).

Employ best practices when implementing security controls within an information system including software engineering methodologies, security engineering principles, and secure coding techniques; and

Coordinate their activities with AO designated representatives, chief information officers, senior agency information security officers/chief information security officer, information system and common control providers, and information system security officers.

Review cost goals of each major information security investment;

Report financial management information to OMB as part of the President’s budget;

Comply with legislative and OMB-defined responsibilities as they relate to IT capital investments;

Review systems that impact financial management activities; and

Forward investment assessments to the IRB.

Ensure the organization’s physical security programs, to include appropriate controls for alternate work sites, are developed, promulgated, implemented, and monitored;

Ensure organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging);

Ensure organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage); and

Oversee and manage controls for delivery and removal of assets.

Develop, promulgate, implement and monitor the organization’s personnel security programs;

Develop, implement, and ensure documentation of position categorization (including third-party controls) and risk level designations, access agreements, and personnel screening, termination, and transfers; and

Ensure consistent and appropriate sanctions for personnel violating management, operation, or technical information security controls.