EXECUTIVE OFFICE OF THE PRESIDENT

OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

July 27, 1978

CIRCULAR NO. A-71 Transmittal Memorandum No. 1

TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

SUBJECT: Security of Federal automated information systems

1. Purpose. This Transmittal Memorandum to OMB Circular No. A-71 dated March 6, 1965 promulgates policy and responsibilities for the development and implementation of computer security programs by executive branch departments and agencies. More specifically, it:

a. Defines the division of responsibility for computer security between line operating agencies and the Department of Commerce, the General Services Administration, and the Civil Service Commission.

b. Establishes requirements for the development of management controls to safeguard personal, proprietary and other sensitive data in automated systems.

c. Establishes a requirement for agencies to implement a computer security program and defines a minimum set of controls to be incorporated into each agency computer security program.

d. Requires the Department of Commerce to develop and issue computer security standards and guidelines.

e. Requires the General Services Administration to issue policies and regulations for the physical security of computer rooms consistent with standards and guidelines issued by the Department of Commerce; assure that agency procurement requests for automated data processing equipment, software, and related services include security requirements; and assure that all procurements made by GSA meet the security requirements established by the user agency.

f. Requires the Civil Service Commission to establish personnel security policies for Federal personnel associated with the design, operation or maintenance of Federal computer systems, or having access to data in Federal computer systems.

(No. A-71)

2. Background. Increasing use of computer and communications technology to improve the effectiveness of governmental programs has introduced a variety of new management problems. Many public concerns have been raised in regard to the risks associated with automated processing of personal, proprietary or other sensitive data. Problems have been encountered in the misuse of computer and communications technology to perpetrate crime. In other cases, inadequate administrative practices along with poorly designed computer systems have resulted in improper payments, unnecessary purchases or other improper actions. The policies and responsibilities for computer security established by this Transmittal Memorandum supplement policies currently contained in OMB Circular No. A-71.

3. Definitions. The following definitions apply for the purposes of this memorandum:

a. "Automated decisionmaking systems" are computer applications which issue checks, requisition supplies or perform similar functions based on programmed criteria, with little human intervention.

b. "Contingency plans" are plans for emergency response, back-up operations and post-disaster recovery.

c. "Security specifications" are a detailed description of the safeguards required to protect a sensitive computer application.

d. "Sensitive application" is a computer application which requires a degree of protection because it processes sensitive data or because of the risk and magnitude of loss or harm that could result from improper operation or deliberate manipulation of the application (e.g., automated decisionmaking systems).

e. "Sensitive data" is data which requires a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal data, proprietary data).

4. Responsibility of the heads of executive agencies. The head of each executive branch department and agency is responsible for assuring an adequate level of security for all agency data whether processed in-house or commercially. This includes responsibility for the establishment of physical, administrative and technical safeguards required to adequately protect personal, proprietary or other sensitive data not subject to national security regulations, as well as national security data. It also includes responsibility for assuring that automated processes operate effectively and accurately. In fulfilling this responsibility each agency head shall establish policies and procedures and assign responsibility for the development, implementation, and operation of an agency computer security program. The agency's computer security program shall be consistent with all Federal policies, procedures and standards issued by the Office of Management and Budget, the General Services Administration, the Department of Commerce, and the Civil Service Commission. In consideration of problems which have been identified in relation to existing practices, each agency's computer security program shall at a minimum:

a. Assign responsibility for the security of each computer installation operated by the agency, including installations operated directly by or on behalf of the agency (e.g., government-owned contractor operated facilities), to a management official knowledgeable in data processing and security matters.

b. Establish personnel security policies for screening all individuals participating in the design, operation or maintenance of Federal computer systems or having access to data in Federal computer systems. The level of screening required by these policies should vary from minimal checks to full background investigations commensurate with the sensitivity of the data to be handled and the risk and magnitude of loss or harm that could be caused by the individual. These policies should be established for government and contractor personnel. Personnel security policies for Federal employees shall be consistent with policies issued by the Civil Service Commission.

c. Establish a management control process to assure that appropriate administrative, physical and technical safeguards are incorporated into all new computer applications and significant modifications to existing computer applications. This control process should evaluate the sensitivity of each application. For sensitive applications, particularly those which will process sensitive data or which will have a high potential for loss, such as automated decisionmaking systems, specific controls should, at a minimum, include policies and responsibilities for:

(1) Defining and approving security specifications prior to programming the applications or changes. The views and recommendations of the computer user organization, the computer installation and the individual responsible for the security of the computer installation shall be sought and considered prior to the approval of the security specifications for the application.

(2) Conducting and approving design reviews and application systems tests prior to using the systems operationally. The objective of the design reviews should be to ascertain that the proposed design meets the approved security specifications. The objective of the system tests should be to verify that the planned administrative, physical and technical security requirements are operationally adequate prior to the use of the system. The results of the design review and system test shall be fully documented and maintained as a part of the official records of the agency. Upon completion of the system test, an official of the agency shall certify that the system meets the documented and approved system security specifications, meets all applicable Federal policies, regulations and standards, and that the results of the test demonstrate that the security provisions are adequate for the application.

d. Establish an agency program for conducting periodic audits or evaluations and recertifying the adequacy of the security safeguards of each operational sensitive application including those which process personal, proprietary or other sensitive data, or which have a high potential for financial loss, such as automated decisionmaking applications. Audits or evaluations are to be conducted by an organization independent of the user organization and computer facility manager. Recertifications should be fully documented and maintained as a part of the official documents of the agency. Audits or evaluations and recertifications shall be performed at time intervals determined by the agency, commensurate with the sensitivity of information processed and the risk and magnitude of loss or harm that could result from the application operating improperly, but shall be conducted at least every three years.

e. Establish policies and responsibilities to assure that appropriate security requirements are included in specifications for the acquisition or operation of computer facilities, equipment, software packages, or related services, whether procured by the agency or by the General Services Administration. These requirements shall be reviewed and approved by the management official assigned responsibility for security of the computer installation to be used. This individual must certify that the security requirements specified are reasonably sufficient for the intended application and that they comply with current Federal computer security policies, procedures, standards and guidelines.

f. Assign responsibility for the conduct of periodic risk analyses for each computer installation operated by the agency, including installations operated directly by or on behalf of the agency. The objective of this risk analysis should be to provide a measure of the relative vulnerabilities at the installation so that security resources can effectively be distributed to minimize the potential loss. A risk analysis shall be performed:

(1) Prior to the approval of design specifications for new computer installations.

(2) Whenever there is a significant change to the physical facility, hardware or software at a computer installation. Agency criteria for defining significant changes shall be commensurate with the sensitivity of the information processed by the installation.

(3) At periodic intervals of time established by the agency, commensurate with the sensitivity of the information processed by the installation, but not to exceed five years, if no risk analysis has been performed during that time.

g. Establish policies and responsibilities to assure that appropriate contingency plans are developed and maintained. The objective of these plans should be to provide reasonable continuity of data processing support should events occur which prevent normal operations. These plans should be reviewed and tested at periodic intervals of time commensurate with the risk and magnitude of loss or harm which could result from disruption of data processing support.

5. Responsibility of the Department of Commerce. The Secretary of Commerce shall develop and issue standards and
