10.8.2  IT Security Roles and Responsibilities

Manual Transmittal

May 16, 2014

Purpose

(1) This transmits revised Internal Revenue Manual (IRM) 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

Background

Department of Treasury Directive Publication (TD P) 85-01 and federal regulations require that senior management/executive officials establish an IT security program, which includes the identification of IT security roles and responsibilities.

  1. This IRM establishes the IT security roles and responsibilities for the Internal Revenue Service (IRS) organizations and the employees relevant to sensitive information and systems.

IRM 10.8.2 has been aligned to the roles and responsibilities described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers and 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.

IRM 10.8.2 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Information Technology Cybersecurity.

FIPS 200 mandates the use of NIST Special Publication 800-53 as baseline for the creation of agency IT security policy.

Material Changes

(1) The following sections have been updated/clarified with this version of policy:

  1. Manual Transmittal: Added Background section detailing background of this IRM.

  2. Effects on Other Documents: Updated language.

  3. IRM 10.8.2.1, Subsection title change from Policy to Overview.

  4. IRM 10.8.2.1.2, Subsection title change from Overview to Authority.

  5. IRM 10.8.2.1.2, Authority: Section completely revamped and language added to address the authority of this IRM and where authority comes from.

  6. IRM 10.8.2.1.3, Scope: Updated language.

  7. IRM 10.8.2.1.4, IRM Section Topic: Removed Section.

  8. IRM 10.8.2.1.4, Subsection title change from IRM Section Topic to Risk Acceptance and Risk Based Decisions.

  9. IRM 10.8.2.2.1.1, Agency Head: Added clarification as to who the Agency Head is in the IRS.

  10. IRM 10.8.2.2.1.2, Chief Information Officer (CIO)/Chief Technology Officer (CTO): Added Cyber Critical Infrastructure Program (CIP) responsibilities.

  11. IRM 10.8.2.2.1.3, Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO): updated responsibilities based on criteria from IRM 10.8.1.

  12. IRM 10.8.2.2.1.3, Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO): Security test and evaluation removed and changed to Security Control Assessment (SCA).

  13. IRM 10.8.2.2.1.3.2, Risk Executive (Function): Removed paragraph (2) and moved under (4) (i) as the second note.

  14. IRM 10.8.2.2.1.3.3, Common Control Provider: Added note under paragraph (1).

  15. IRM 10.8.2.2.1.5, Information System Owner/ Business and Functional Unit Owner: Removed paragraph 3 (m) as it repeated what was in paragraph 3 (l).

  16. IRM 10.8.2.2.1.5, Information System Owner/ Business and Functional Unit Owner: Added reference to IRM 10.8.62.

  17. IRM 10.8.2.2.1.5, Information System Owner/ Business and Functional Unit Owner: Removed paragraph 6 (e) as it repeated what was in paragraph 5 (e).

  18. IRM 10.8.2.2.1.5.1.1, Security Program Management Officer (SPMO): Corrected the acronym in the subsection title and in subsequent paragraphs within this section.

  19. IRM 10.8.2.2.1.7, Authorizing Official: Paragraph (2)(a), updated responsibilities to align with Treasury Directive TD P 85-01.

  20. IRM 10.8.2.2.1.7, Authorizing Official: Paragraph (2)(e), removed the title Designated Approval Authority; the title was removed in the last release and this one instance was missed.

  21. IRM 10.8.2.2.1.7, Authorizing Official: Removed paragraph (2)(i).

  22. IRM 10.8.2.2.1.7, Authorizing Official: Paragraph (3) (r) added audit plans.

  23. IRM 10.8.2.2.1.7, Authorizing Official: Removed paragraphs (4) and (5) and moved them to subsection 10.8.2.2.1.6, Information Owner.

  24. IRM 10.8.2.2.1.7, Authorizing Official: Paragraph (7)(a) Note, updated note to reflect Form 14201 is the risk request and acceptance form.

  25. IRM 10.8.2.2.1.7, Authorizing Official: Added paragraph (8) clarifying AO role in the RBD process.

  26. IRM 10.8.2.2.1.7, Authorizing Official: Corrected title for AODR.

  27. IRM 10.8.2.2.1.8, Information System Security Officer (ISSO): Updated responsibilities to align with Treasury Directive TD P 85-01.

  28. IRM 10.8.2.2.1.17, Employee: Subsection Renumbered, and moved from 10.8.2.2.2.7 to 10.8.2.2.1.17 under roles and responsibilities from organizational functional roles and responsibilities.

  29. IRM 10.8.2.2.1.18, Contractor: Subsection Renumbered, and moved from 10.8.2.2.2.8 to 10.8.2.2.1.18 under roles and responsibilities from organizational functional roles and responsibilities.

  30. IRM 10.8.2.2.1.19, Database Administrator (DBA): Subsection Renumbered, and moved from 10.8.2.2.2.9 to 10.8.2.2.1.19 under roles and responsibilities from organizational functional roles and responsibilities and title corrected.

  31. IRM 10.8.2.2.1.19, Database Administrator (DBA): Language added to address DBA role and responsibilities.

  32. IRM 10.8.2.2.1.20, Encryption Recovery Agent: Subsection Renumbered, and moved from 10.8.2.2.2.10 to 10.8.2.2.1.20 under roles and responsibilities from organizational functional roles and responsibilities.

  33. IRM 10.8.2.2.1.21, Network Administrator: Subsection Renumbered, and moved from 10.8.2.2.2.11 to 10.8.2.2.1.21 under roles and responsibilities from organizational functional roles and responsibilities.

  34. IRM 10.8.2.2.1.22, Program Developer/Programmer: Subsection Renumbered, and moved from 10.8.2.2.2.12 to 10.8.2.2.1.22 under roles and responsibilities from organizational functional roles and responsibilities.

  35. IRM 10.8.2.2.1.23, Web Developer: Subsection Renumbered, and moved from 10.8.2.2.2.13 to 10.8.2.2.1.23 under roles and responsibilities from organizational functional roles and responsibilities.

  36. IRM 10.8.2.2.1.24, Resource Access Facility (RACF) Security: Subsection Renumbered, and moved from 10.8.2.2.2.14 to 10.8.2.2.1.24 under roles and responsibilities from organizational functional roles and responsibilities.

  37. IRM 10.8.2.2.1.25, Security Specialist (Sec Spec): Subsection Renumbered, and moved from 10.8.2.2.2.15 to 10.8.2.2.1.25 under roles and responsibilities from organizational functional roles and responsibilities.

  38. IRM 10.8.2.2.1.26, System Administrator (SA): Subsection Renumbered, and moved from 10.8.2.2.2.16 to 10.8.2.2.1.26 under roles and responsibilities from organizational functional roles and responsibilities.

  39. IRM 10.8.2.2.1.27, Systems Operations Staff: Subsection Renumbered, and moved from 10.8.2.2.2.17 to 10.8.2.2.1.27 under roles and responsibilities from organizational functional roles and responsibilities.

  40. IRM 10.8.2.2.1.28, Telecommunications Specialist: Subsection Renumbered, and moved from 10.8.2.2.2.18 to 10.8.2.2.1.28 under roles and responsibilities from organizational functional roles and responsibilities.

  41. IRM 10.8.2.2.1.29, User Administrator (UA): Subsection Renumbered, and moved from 10.8.2.2.2.19 to 10.8.2.2.1.29 under roles and responsibilities from organizational functional roles and responsibilities.

  42. IRM 10.8.2.2.1.30, Live Data Functional Coordinator (LDFC): Subsection Renumbered, and moved from 10.8.2.2.2.20 to 10.8.2.2.1.30 under roles and responsibilities from organizational functional roles and responsibilities.

  43. IRM 10.8.2.2.1.31, IDRS Security Analyst: New role, one of two roles replacing IDRS Security Officer.

  44. IRM 10.8.2.2.1.32, IDRS Security Account Administrator: Subsection Renamed as one of roles that replaced IDRS Security Officer and responsibilities added. Section Renumbered, and moved from 10.8.2.2.2.22 to 10.8.2.2.1.32 under roles and responsibilities from organizational functional roles and responsibilities.

  45. IRM 10.8.2.2.1.33, Computer Audit Specialist: Subsection Renumbered, and moved from 10.8.2.2.2.23 to 10.8.2.2.1.33 under roles and responsibilities from organizational functional roles and responsibilities.

  46. IRM 10.8.2.2.1.34, Functional Workstation Specialist: Subsection Renumbered, and moved from 10.8.2.2.2.24 to 10.8.2.2.1.34 under roles and responsibilities from organizational functional roles and responsibilities.

  47. IRM 10.8.2.2.1.35, Management Program Analyst: Subsection Renumbered, and moved from 10.8.2.2.2.25 to 10.8.2.2.1.35 under roles and responsibilities from organizational functional roles and responsibilities.

  48. IRM 10.8.2.2.1.36, System Designer: Subsection Renumbered, and moved from 10.8.2.2.2.26 to 10.8.2.2.1.36 under roles and responsibilities from organizational functional roles and responsibilities.

  49. IRM 10.8.2.2.1.36, System Designer: Added ST&E requirement.

  50. IRM 10.8.2.2.1.37, Technical Support Staff (Desktop): Subsection Renumbered, and moved from 10.8.2.2.2.27 to 10.8.2.2.1.37 under roles and responsibilities from organizational functional roles and responsibilities.

  51. IRM 10.8.2.2.1.38, Physical Security Analyst: Subsection Renumbered, and moved from 10.8.2.2.2.28 to 10.8.2.2.1.38 under roles and responsibilities from organizational functional roles and responsibilities.

  52. IRM 10.8.2.2.1.39, Physical Security Specialist: Subsection Renumbered, and moved from 10.8.2.2.2.29 to 10.8.2.2.1.39 under roles and responsibilities from organizational functional roles and responsibilities.

  53. IRM 10.8.2.2.1.40, Cyber Critical Infrastructure Protection (CIP) Coordinator: NEW ROLE.

  54. IRM 10.8.2.2.2.1, IRS Information Technology Cybersecurity Organization: Removed paragraph (4) and moved it to subsection 10.8.2.2.2.2, IRS Information Technology User and Network Services Organizations (UNS), paragraph (5).

  55. IRM 10.8.2.2.2.6, Incident Commander: ROLE REMOVED.

  56. IRM 10.8.2.2.21, IDRS Security Officer: ROLE REMOVED.

  57. Exhibit 10.8.2-1, Glossary: Added Terms and definitions.

  58. Exhibit 10.8.2-2, Other References: Added references and corrected references.

(2) Editorial changes (including grammar, spelling, and minor clarifications) were made throughout the IRM.

(3) Security Testing and Evaluation (ST&E) has been replaced with Security Control Assessment (SCA) in all cases except for the System Designers.

Effect on Other Documents

IRM 10.8.2 dated September 5, 2012, is superseded. This IRM supersedes all prior versions of IRM 10.8.2. This IRM supplements IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

Audience

IRM 10.8.2 shall be distributed to all personnel responsible for ensuring that adequate security is provided for IRS information and information systems. This policy applies to all employees, contractors, and vendors of the IRS.

Effective Date

(05-16-2014)

Terence V. Milholland
Chief Technology Officer

10.8.2.1  (05-16-2014)
Overview

  1. This IRM lays the foundation for roles and responsibilities within the IRS.

10.8.2.1.1  (05-16-2014)
Purpose

  1. This IRM establishes the IT security roles and responsibilities for the IRS.

    1. In accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, the IRS shall implement security roles and responsibilities in accordance with federal laws and IT security guidelines that are appropriate for specific operations and functions.

10.8.2.1.2  (05-16-2014)
Authority

  1. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.

  2. Department of Treasury Directive Publication (TD P) 85-01 and federal regulations require that senior management/executive officials establish an IT security program, which includes the identification of IT security roles and responsibilities.

10.8.2.1.3  (05-16-2014)
Scope

  1. This IRM covers IT security roles and responsibilities.

  2. The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate information systems that store, process or transmit IRS Information or connect to an IRS network or system.

  3. Although IRM 10.8.2 is intended to be the primary source for general IT security roles and responsibilities, all documents in the 10.8.X series, additional applicable policy suites of IRMs, applicable business unit Guidelines, Standards and Procedures (GSP), and Standard Operating Procedures (SOP) shall be carefully reviewed for an individual to comprehensively understand their role and specific responsibilities in their environmental context. IRMs in the 10.8.X series provide explicit Management, Operational, and Technical requirements where security roles and responsibilities are delineated.

    1. Due to each document having its own update lifecycle, there may be instances where updated roles and responsibilities are published in supplementary policies which have not yet been added to this IRM. In those instances, the newer published roles and responsibilities shall be implicitly followed along with those stated in this IRM.

10.8.2.1.4  (05-16-2014)
Risk Acceptance and Risk-Based Decisions

  1. Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision.

  2. Risk-Based Decision requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in Request for Risk Acceptance and Risk-Based Decision Standard Operating Procedures (SOPs), available on the Enterprise FISMA Compliance SharePoint site via the Risk Acceptance Requests link at:
    http://it.web.irs.gov/cybersecurity/Divisions/SRM/Policy_Guidance/risk_acceptance.htm

  3. Refer to IRM 10.8.1 for additional guidance about risk acceptance.

10.8.2.2  (03-23-2007)
Roles and Responsibilities

  1. The IRS shall implement IT security roles and responsibilities that ensure the confidentiality, integrity, and availability of its systems, applications, and information.

  2. The following roles and responsibilities are based on Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Department of Treasury guidance and policies.

  3. Throughout this IRM, roles may be identified as being responsible for creating, updating, and maintaining documentation. This may be accomplished through agreements and coordination with other organizational entities. When this is done, it does not relieve the individual with the role of the responsibility, but rather requires effective communication between the two parties.

10.8.2.2.1  (07-12-2010)
Key Governance and Related Roles & Responsibilities

  1. In accordance with NIST 800–100, Information Security Handbook: A Guide for Managers, there are several governance stakeholders common to most organizations that span the organization. These stakeholders include senior management/executive official, a Chief Information Officer (CIO)/Chief Technology Officer (CTO), information security personnel, and a chief financial officer (CFO), among others. The specific requirements of each role may differ with the degree of information security governance centralization or in response to the specific missions and needs of an organization.

  2. This section provides functional roles and responsibilities for personnel who have security-related governance responsibility for the protection of information systems they operate, manage and support. These roles are defined in accordance with FISMA, NIST, OMB, Treasury and IRS Policy and Guidelines.

10.8.2.2.1.1  (09-05-2012)
Agency Head

  1. FISMA requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of its information and information systems. The protection should apply not only within the agency, but also within contractor or other organizations working on behalf of the agency.

    1. For the IRS, the Agency Head is the IRS Commissioner, Acting Commissioner, or senior IRS executive acting on behalf of the IRS.

  2. The Agency Head shall:

    1. Designate a Chief Information Officer (CIO)/Chief Technology Officer (CTO).

    2. Ensure high priority is given to effective information security awareness, security awareness training, and role-based training for the workforce.

  3. In accordance with FISMA, the Agency Head shall be responsible for:

    1. Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
      i. Information collected or maintained by or on behalf of the agency.
      ii. Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

    2. Complying with the requirements of FISMA Section 3544 and related policies, procedures, standards, and guidelines, including:
      i. Information security standards promulgated under the U.S. Code Section 11331 of Title 40.
      ii. Information security standards and guidelines for national security systems issued in accordance with law and as directed by the President.

    3. Ensuring information security management processes are integrated with agency strategic and operational planning processes.

    4. Ensuring that the agency has trained personnel sufficient to assist the agency in complying with the requirements of FISMA Section 3544, this policy, and related policies, procedures, standards, and guidelines.

    5. Ensuring policies are disseminated to all employees.

  4. In accordance with FISMA, the Agency Head shall:

    1. Ensure that senior management/executive officials provide information security, for the information and information systems that support the operations and assets under their control.

    2. Assess risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems.

    3. Determine the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under the U.S. Code Section 11331 and policies for information security classifications and related requirements.

    4. Implement policies and procedures to cost-effectively reduce risks to an acceptable level.

    5. Periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented.

    6. Delegate to the CIO/CTO, established under Section 3506 of the FISMA Act (or comparable official in an agency not covered by such section), the authority to ensure compliance with the requirements imposed on the agency.

    7. Ensure that the CIO/CTO, in coordination with other senior management/executive officials, reports annually to the agency head on the effectiveness of the agency information security program to include progress of remedial actions.

10.8.2.2.1.2  (05-16-2014)
Chief Information Officer (CIO)/Chief Technology Officer (CTO)

  1. The CIO/CTO, in accordance with NIST and TD P 85-01, shall be responsible for designating a Point of Contact (POC) to coordinate all policy issues related to information systems security including: computer security, telecommunications security, operational security, certificate management, electronic authentication, Disaster Recovery (DR), and critical infrastructure protection related to cyber threats.

  2. In accordance with TD P 85-01, the CIO/CTO (or designee) shall:

    1. Perform annual FISMA activity reviews.

    2. Review the results of the annual FISMA activity reviews, including any weaknesses for inclusion in the IRS’ Plan of Action and Milestones (POA&M).

    3. Coordinate with the Authorizing Official (AO) regarding the security posture of IT resources.

    4. Manage implementation and operation of the Cyber Critical Infrastructure Protection (CIP) Program Plan.

    5. Ensure adequacy of resources for protecting cyber critical infrastructure.

    6. Designate an IRS Cyber CIP Coordinator.

  3. In accordance with FISMA and NIST guidance, the CIO/CTO shall:

    1. Designate a Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO), who shall carry out the CIO/CTO’s responsibilities for system and program security planning and assessments.

    2. Develop and maintain an agency-wide information security program including information security policies, procedures, and control techniques to address system security planning and all applicable requirements.

    3. Ensure information security considerations are integrated into programming, planning and budgeting cycles, enterprise architectures and acquisition/system development life cycles.

    4. Ensure information systems are covered by an approved security plan and are authorized to operate.

    5. Ensure security authorizations are accomplished in an efficient, cost-effective and timely manner.

    6. Ensure centralized capability for reporting of all security-related activities.

    7. Determine the appropriate allocation of resources dedicated to the protection of the organization's missions and business functions and the information systems supporting those missions/business functions based on organizational priorities.

    8. Manage the identification, development, implementation, and assessment of common security controls.

    9. Ensure compliance with applicable information security requirements.

    10. Ensure that personnel with significant responsibilities for system and program security plans and assessments are trained.

    11. Assist senior management/executive officials with their responsibilities for system and program security plans and assessments.

    12. Report annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

    13. Encourage the maximum reuse and sharing of security-related information including: 1) threat and vulnerability assessments; 2) risk assessments; 3) results from common security control assessments; and 4) any other general information that may be of assistance to information system owners and their supporting security staffs.

    14. Determine the appropriate allocation of resources dedicated to the protection of the agency’s information systems based on organizational priorities.

    15. In certain instances, operate as the AO for agency-wide General Support Systems (GSS) or as co-AO with other senior management/executive officials for selected agency systems.

  4. In accordance with the Department of Treasury's Software Piracy Policy, the CIO/CTO shall:

    1. Develop and implement an enterprise-level plan that ensures that the agency is in compliance with Executive Order 13103.

    2. Coordinate with Department of Treasury Bureaus and Offices an initial assessment of the agency’s existing policies and practices with respect to the use and management of computer software through qualified personnel or an outside contractor.

    3. Maintain an enterprise list of Treasury Department authorized and supported software. The list shall indicate by Bureaus and Offices, terms of licenses, authorized number of users, and physical location of software.

    4. Perform spot audits. Periodic audit checks shall be done to ensure Bureaus and Offices are in compliance with software license agreements.

    5. Establish centralized software acquisition whenever possible.

  5. In addition, the CIO/CTO shall:

    1. Provide leadership and high level direction in the management of projects and plans involving highly complex, mission critical information systems and business systems modernization projects in support of modernizing the nation's tax system.

    2. Ensure the organization's core IT competencies are aligned to provide maximum value in support of agency business processes, and ensure overall strategies are established and engaged to support long-term enterprise-wide information needs and modernization projects.

    3. Define objectives and make decisions which impact the cost, schedule, supportability, and performance of modernization projects.

    4. Provide focus for technology management within the IRS by developing integrated enterprise-wide technology policies.

    5. Establish and maintain strong relationships with stakeholders such as oversight groups, IRS business leaders and external stakeholders, etc., to facilitate the exchange of information in support of program goals and requirements.

    6. Provide oversight and guidance to key contractors to ensure successful performance of contracts.

    7. Provide executive leadership in IT strategic and operational planning to achieve business goals by fostering innovation, prioritizing complex IT initiatives and directing the evaluation, deployment and management of current and future IT systems across the organization.

    8. Serve as the external spokesman for the IRS on technology matters to the Administration, Congress and external oversight bodies.

    9. Influence strategic business decisions regarding the use of technology and assess the impact of emerging technology on strategic business needs.

    10. Drive the vision for all enterprise-wide IT activities including planning, budgeting, acquisition, allocation of computer services and communication services.

    11. Develop and implement IT initiatives that will advance operational efficiencies, improve enterprise-wide decision making and communication, increase revenues, drive cost efficiencies and strengthen financial reporting and controls.

  6. The CIO/CTO, as tasked by FISMA, shall administer training and oversee personnel with significant information security responsibilities. To accomplish this, the CIO/CTO shall work with the SAISO/CISO to:

    1. Establish overall strategy for the information security awareness and training program.

    2. Ensure that the agency head, senior managers, system and information owners, and others understand the concepts and strategy of the information security awareness and training program, and are informed of the progress of the program’s implementation.

    3. Ensure that the agency’s information security awareness and training program is funded.

    4. Ensure the training of agency personnel with significant responsibilities for information security.

    5. Ensure that all users of information systems are sufficiently trained in their security responsibilities and other information security basics and literacy through awareness training.

    6. Ensure that an effective information security awareness effort is developed and employed such that all personnel are routinely or continuously exposed to awareness messages through posters, email messages, logon banners, and other techniques.

    7. Ensure that effective tracking and reporting mechanisms are in place.

10.8.2.2.1.3  (05-16-2014)
Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO)

  1. The Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) is the agency official responsible for serving as the CIO/CTO’s primary liaison to the agency’s information system owners and information system security officers (ISSOs). At the IRS, the Associate CIO (ACIO), IRS Information Technology Cybersecurity organization, is the SAISO/CISO.

  2. The SAISO/CISO shall serve as the CIO/CTO's primary liaison to AOs, information system owners, and ISSOs.

    1. The ACIO Cybersecurity shall appoint, in writing, a senior-level executive or manager to the role of AO for an IRS information system. The ACIO Cybersecurity may delegate the authority of appointing an AO to another senior-level executive.

  3. In accordance with FISMA, NIST and TD P 85-01, through delegation by the CIO/CTO, the SAISO/CISO shall:

    1. Possess the qualifications, training and experience required to administer information security program functions.

    2. Maintain information security duties as their primary responsibility.

    3. Head an office with the mission of assisting in achieving FISMA compliance.

    4. Develop, document, and implement an agency wide information security program to provide security for all systems, networks, and data that support the operations of the organization.

    5. Periodically assess risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

    6. Develop and maintain risk-based, cost-effective information security policies, procedures, and control techniques to address all applicable requirements throughout the life cycle of each agency information system to ensure compliance with applicable requirements.

    7. Facilitate development of subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems.

    8. Coordinate the development, review, and acceptance of system security plans with information system owners, ISSOs, and the AO.

    9. Coordinate the identification, implementation, and assessment of the common security controls.

    10. Establish and maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.

    11. Develop and implement procedures for detecting, investigating, reporting, responding, and resolving security incidents.

    12. Develop and review procedures for monitoring and reacting to system security alarms, warning messages, and reports, and implement said procedures. Note: This duty may be delegated to Information System Security Officers (ISSOs).

    13. Oversee a program of disaster recovery readiness and evaluation.

    14. Ensure preparation and maintenance of plans and procedures to provide continuity of operations for information systems that support the operations and assets of the agency; ensure that contingency plans for IT systems are developed, maintained, and tested.

    15. Support the agency CIO/CTO in annual reporting to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

    16. Ensure that an ISSO has been assigned for each IT system.

    17. Assist senior management/executive officials concerning their responsibilities.

  4. In accordance with NIST and TD P 85-01, the SAISO/CISO shall:

    1. Ensure that the security aspects and day-to-day security operations of the information system, including physical security, personnel security, incident handling, and security training and awareness, are managed.

    2. Ensure that IT system Security Assessment and Authorization (i.e. Certification & Accreditation reports and risk analyses) are conducted by each AO.

    3. Ensure that security plans are reviewed and submitted to the AO for approval at least annually or upon significant changes to the system, whichever is sooner.

    4. Review IRS business cases and budget submissions to ensure that IT security requirements are addressed and adequately resourced.

    5. Establish an IRS IT security oversight program to ensure that the security procedures and requirements are in compliance with Department of Treasury and IRS policies and standards.

    6. Conduct security audits, verifications and acceptance checks and maintain documentation on the results.

    7. Manage and maintain agency Plans of Action and Milestones (POA&Ms) for all IT security weaknesses, tracking milestones and the allocation of resources for remediation, and provide a quarterly status to Department of Treasury through the IRS CIO/CTO.

    8. Ensure the CIO/CTO is informed of technical risks and vulnerabilities, to include those accepted by AOs.

    9. Ensure that IRS security status and other relevant data is provided to the CIO/CTO for situational awareness and related purposes.

    10. Coordinate the implementation of logical access controls into operating systems, relational database management systems (RDBMS), remote terminals and IT applications.

    11. Provide IT and facility technical and non-technical (e.g., physical and personnel security) certification support to any Information System Owner.

    12. Prepare and submit a written report for all technical security exceptions. The report shall outline the risks and vulnerabilities and/or advantages that could result from granting the exception or from implementing any alternative. Maintain a file of all approved IT facility security-related exceptions.

    13. Ensure that re-accreditation/reauthorization and risk analyses are conducted at least every 3 years or when major changes occur for IT systems/applications processing sensitive information.

    14. Ensure that a Security Control Assessment (SCA) is performed for each non-national security system when conducting a Security Assessment and Authorization (for policy pertaining to national security systems, see IRM 10.9.1).

    15. Ensure that contingency plans for IT systems processing sensitive information are developed, maintained and tested.

    16. Develop each certification letter citing risks and mitigations along with Authority to Operate (ATO) or Interim Authority to Operate (IATO) recommendation to the AO.

    17. Review and approve Security Assessment and Authorization package artifacts.

    18. Be a voting member on the Configuration Control Board (CCB) for the IRS' IT architecture.

    19. Review contract vehicles to ensure they address appropriate security measures.

    20. Define and implement performance metrics to evaluate the effectiveness of the IRS IT security program.

  5. The SAISO/CISO shall maintain an inventory of major applications and GSSs. This inventory shall contain, at a minimum, the system name, platform and type (major application or GSS); classification level if appropriate; its interfaces and interconnections; whether it is an IT critical asset; and the dates for the last vulnerability test, risk assessment, and Security Assessment and Authorization.

  6. In accordance with IRM 10.8.3, Audit Logging Security Standards, the ACIO Cybersecurity shall:

    1. Maintain and provide updates to IRM 10.8.3, in accordance with IRM 10.8.2 and other applicable IRS policies.

    2. Develop Guidelines, Standards, and Procedures (GSP) documentation, consistent with the requirements of this IRM, to describe platform-specific files, permissions, and other configuration settings necessary to comply with IRM 10.8.3.

  7. The ACIO Cybersecurity, in conjunction with IRM 10.8.27, shall develop and disseminate policy appropriate to personal use of Government IT resources as necessary.

  8. The SAISO/CISO has the responsibility for the organization’s information security awareness and training program. In this role, the SAISO should:

    1. Ensure that security awareness, security awareness training, and role-based training material developed or purchased is appropriate and timely for the intended audiences.

    2. Ensure that security awareness, security awareness training, and role-based training material is effectively deployed to reach the intended audiences.

    3. Ensure that employees, users, those receiving role-based training, and managers have an effective way to provide feedback on the security awareness, security awareness training, and role-based training material and its presentation.

    4. Ensure that security awareness, security awareness training, and role-based training material is reviewed periodically and updated when necessary.

    5. Assist in establishing a tracking and reporting strategy.

10.8.2.2.1.3.1  (09-05-2012)
Certification Agent

  1. The certification agent is either an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This role is assigned to the ACIO, IRS Information Technology Cybersecurity organization.

  2. The certification agent shall be responsible for conducting this security certification, as described above.

  3. The certification agent shall provide an assessment of the severity of weaknesses or deficiencies discovered through assessment and recommend corrective actions to address vulnerabilities in the system.

  4. In accordance with NIST, the certification agent shall:

    1. Provide corrective actions to reduce or eliminate vulnerabilities in the information system.

    2. Be independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system.

    3. Be independent of those individuals responsible for correcting security deficiencies identified during the security certification.

  5. Refer to the Senior Agency Information Security Officer (SAISO)/Chief Information Security Officer (CISO) section of this IRM for additional roles and responsibilities.

10.8.2.2.1.3.2  (12-03-2010)
Risk Executive (Function)

  1. In accordance with NIST 800-37, the functional role of Risk Executive shall be appointed by the IRS for a comprehensive and organization-wide approach to address the issues related to the management of information system security-related risk and the associated capabilities that must be in place to achieve adequate security.

  2. The Risk Executive function shall provide a holistic view of risk beyond that risk associated with the operation and use of individual information systems.

  3. The function of the Risk Executive shall be performed by an individual or group within the IRS ensuring:

    1. Security risk-related considerations for individual information systems, such as the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions.

    2. Managing risk from individual information systems is consistent across the enterprise, reflecting IRS’ risk tolerance, and is considered along with other organizational risks in order to ensure mission or business success.

    3. Sharing of security risk-related information among AOs and other senior management/executive officials enterprise-wide.

    4. Consistent risk acceptance decisions across the enterprise by providing senior management/executive official input and oversight for all risk management-related activities across the enterprise (e.g., security categorizations).

    5. Authorization decisions consider all factors necessary for mission and business success enterprise-wide.

    6. Creation of an enterprise-wide forum considering all sources of risk (including aggregated risk from individual information systems) to IRS’ operations and assets, individuals, other organizations, and the Nation.

    7. Cooperation and collaboration among AOs to include authorization actions requiring shared responsibility.

    8. Identification of the overall risk posture based on the aggregated risk from each of the information systems for which the IRS is responsible.

    9. Shared responsibility for supporting IRS mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.

      Note:

      The agency head may choose to retain the Risk Executive (function) or to delegate the function to another official (e.g., the chief information officer) or group (e.g., an executive leadership council). However implemented, risk management remains an organization-wide responsibility that starts with the head of the organization and goes through all levels of the organization.

      Note:

      AOs may have narrow or localized perspectives in rendering authorization decisions, perhaps without fully understanding or explicitly accepting all of the risks being incurred from such decisions.

10.8.2.2.1.3.3  (07-12-2010)
Common Control Provider

  1. In accordance with NIST 800-37, the IRS shall appoint a common control provider. The common control provider shall be an IRS official or group responsible for the planning, development, implementation, assessment, authorization, and maintenance of common controls (i.e., security controls inherited by information systems).

    Note:

    Organizations can have multiple common control providers depending on how information security responsibilities are allocated organization-wide. Common control providers may also be information system owners when the common controls are resident within an information system.

  2. Common control providers shall be responsible for:

    1. Documenting common controls to be utilized in a System Security Plan (SSP).

    2. Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence.

    3. Documenting assessment findings in a security assessment report.

    4. Producing a POA&M for all controls having weaknesses or deficiencies.

    5. Making available security plans, security assessment reports, and POA&Ms for common controls (or a summary of such information) to information system owners inheriting those controls after the information is reviewed and approved by the senior management/executive official or other official with oversight responsibility for those controls.

10.8.2.2.1.4  (09-05-2012)
Senior Management/Executives

  1. OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, states executive agencies within the federal government shall:

    1. Plan for security in all phases of the system life cycle.

    2. Ensure appropriate officials are assigned security responsibility.

    3. Review security controls annually (i.e., FISMA annual security program review).

    4. Formally authorize (accredit) processing prior to operations (as an AO) and periodically thereafter.

  2. FISMA, Office of Management and Budget (OMB), Department of Treasury, and FISMA guidance specify that senior management/executive officials are subordinate to the Commissioner and shall be responsible for:

    1. Exercising oversight to ensure that a program manager is assigned for each system;

    2. Exercising oversight over Security Awareness Training and Education (ATE/SATE) funding; and

    3. Annually validating and updating the master inventory of information systems.

  3. The AO for a General Support System (GSS) or application shall be a senior management/executive official.

  4. Senior management/executive officials shall be responsible for balancing the mission and business priorities versus any security risks that might be applicable and formally authorizing the operation of an information system (this is known as security accreditation).

10.8.2.2.1.5  (09-05-2012)
Information System Owner/Business and Functional Unit Owner

  1. The Information System Owner is the agency official responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system, and may rely on the assistance and advice of the Information System Security Officer (ISSO), system operators, and other IT staff in the implementation of their security responsibilities.

    1. If the Business and Functional Unit Owner has been approved to perform the functions of acquisition, management, and operation and maintenance of an information system, then they shall be responsible for performing the Information System Owner responsibilities defined within this IRM.

  2. Information System Owners shall ensure that personnel within their area of responsibility performing Quality Assurance functions have, in addition to the other duties they perform, a working knowledge of computer security and how it can be used to improve the quality of the IRS' Quality Assurance Program.

  3. In accordance with NIST, and TD P 85-01, the Information System Owner shall:

    1. Include security considerations and identify associated security funding requirements in the procurement of system software, hardware, and support services, including system development, implementation, operation and maintenance, and disposal activities (i.e., life cycle management).

    2. Categorize the information system and document the results of the security categorization in the security plan.

    3. Describe the information system (including system boundary) and document the description in the security plan.

    4. Ensure system personnel are properly designated, monitored and trained.

    5. Ensure the system is operated according to applicable security standards.

    6. Be responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with the information security requirements.

    7. Obtain and manage the budget throughout the project's life cycle against a project manager's delivered, locked baseline.

    8. Develop and maintain the SA&A package.

    9. Plan and coordinate activities within his/her organization required to complete SA&A, FISMA reviews, and POA&M development.

    10. Inform key agency officials of the need to conduct an SA&A of the information system.

    11. Ensure appropriate resources are available for the SA&A effort.

    12. In coordination with the Information System Security Officer (ISSO), develop and maintain the security plan and ensure that the system is deployed and operated in accordance with the agreed-upon security requirements.

    13. Ensure that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior).

    14. Assist in the identification, implementation, and assessment of the common security controls.

    15. Provide necessary system-related documentation to the certification agent.

    16. Provide orderly, disciplined, and timely updates to the security plan, security assessment report, and POA&M on an ongoing basis; this supports the concept of near real-time risk management and ongoing authorization.

    17. Assemble and ensure submission of all SA&A documents to IRS Information Technology Cybersecurity.

    18. Ensure all security weaknesses and deficiencies identified during the security control assessment are documented in the security assessment report to maintain an effective audit trail. Organizations develop specific plans of action and milestones based on the results of the security control assessment and in accordance with applicable laws, Executive Orders, directives, policies, standards, guidance, or regulations.

    19. Ensure a strategy is developed for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

    20. Ensure security controls that are modified, enhanced, or added during the continuous monitoring process are reassessed by the assessor to ensure that appropriate corrective actions are taken to eliminate weaknesses or deficiencies or to mitigate the identified risk.

    21. Identify security control weaknesses or deficiencies (i.e., the direct or indirect effect the weaknesses or deficiencies may have on the overall security state of the information system and hence on the risk exposure of the organization).

    22. Ensure security control assessments are conducted in parallel with the development and implementation phases of the system development life cycle; this facilitates the early identification of weaknesses and deficiencies and provides the most cost-effective method for initiating corrective actions.

    23. Provide specific recommendations on how to correct weaknesses or deficiencies in the controls.

    24. Ensure any weaknesses or deficiencies in the security controls noted during the assessment are corrected.

    25. Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the Authorizing Official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.

    26. Ensure system-level Plan of Action and Milestones (POA&Ms) are established and corrective actions are implemented in accordance with the Treasury standard for POA&Ms.

      Note:

      This includes taking appropriate steps to update the risk assessment and to reduce or eliminate vulnerabilities after receiving the security assessment results from the Certification Agent.

    27. Define how changes to the information system shall be monitored, how security impact analyses shall be conducted, and the security status reporting requirements including recipients of the status reports.

    28. Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information systems and its environment of operation.

    29. Decide who has access to the system and with what rights and privileges, granting individuals the fewest possible privileges necessary for job performance so that privileges are based on legitimate need. Further, re-evaluate access privileges annually and revoke access in a timely manner upon personnel transfer or termination.

      Note:

      These tasks may be delegated to the ISSO or other operation security personnel. However, the responsibility remains with the Information System Owner.

    30. Ensure the system is operated according to applicable security standards.

    31. Establish appropriate rules of behavior that apply to all personnel managing, administering, or having access to the system.

    32. In the case of outsourced systems and services, ensure the appropriate and applicable security controls are integrated into the procurement (or other contractor service provisioning) vehicle.

  4. Information System Owners are responsible for the information security of their Contractor Systems. In accordance with FISMA, Information System Owners shall:

    1. Conduct an annual FISMA Contractor Review of the contractor’s facility and systems.

    2. Perform continuous monitoring and create and maintain a POA&M of their FISMA Contractor Systems in accordance with NIST 800-37 and 800-53, Recommended Security Controls for Federal Information Systems and Organizations guidance.

    3. Provide funding to conduct the annual FISMA Contractor reviews.

  5. For DR / Business Resumption (BR), the Information System Owner shall cooperate with the other business units and the area/site managers to develop, maintain, and validate effective, comprehensive plans. At a minimum, the Information System Owner shall coordinate with other appropriate business units and shall be responsible for the following:

    1. Fully describe and document the information system in the Information System Contingency Plan (ISCP).

    2. Acquire and transport replacement equipment required to restore operations.

    3. Acquire space for processing operations, to include occupation of an alternate processing facility when necessary.

    4. Estimate supplies and office equipment needed to support a computer processing operation occupying an alternate processing facility when appropriate.

    5. Support expeditious acquisition and transportation of replacement equipment required to restore operations.

    6. Refer to IRM 10.8.60, Information Technology Disaster Recovery Policy and Guidelines, and IRM 10.8.62, Information Technology (IT) Security, Information System Contingency Plan (ISCP) and Disaster Recovery (DR) Test, Training, and Exercise (TT&E) Process, for additional information on IT Disaster Recovery roles & responsibilities.

  6. For DR, the Information System Owner shall coordinate with other appropriate business units and shall:

    1. Determine recovery needs and time frames needed for business restoration through comprehensive Business Impact Analysis (BIA) evaluations.

    2. Develop DR requirements during the development phase of all new systems and throughout any production system upgrades.

    3. Provide the funding for the DR equipment/space/storage needed to meet the recovery goals (set by the business).

    4. Fully describe and document the details of the information system in the ISCP that is required by FISMA for each major system.

    5. Support the development of processing priorities for completion of work following emergencies that degrade computer processing capabilities.

    6. Work jointly with IRS Information Technology Operations and Security Risk Management (SRM) to ensure ISCPs and DR Plans for all applications and systems are tested annually.

    7. Work jointly with IRS Information Technology Operations and SRM in the development and testing of DR plans to ensure availability of data from the recovered system and business continuity.

    8. Work jointly in the testing of the DR plans to ensure availability of data from the recovered system.

    9. Work with SRM regarding enterprise priorities.

    10. Refer to IRM 10.8.60, for additional information on IT Disaster Recovery.

  7. For each IRS system within their area of responsibility, the Information System Owner shall:

    1. Ensure audit plans are developed in accordance with IRM 10.8.3; and

    2. Ensure audit logs are collected and maintained in accordance with IRM 10.8.3.

  8. In accordance with IRM 10.8.21, the Information System Owner of the database shall:

    1. Ensure that Database Management System (DBMS) environments comply with the security change management requirements listed in the Operational Controls section of IRM 10.8.1.

    2. Ensure that changes to DBMSs are documented and tracked using the appropriate change management process.

    3. Ensure that development servers are properly configured and managed in accordance with the requirements in IRM 10.8.21.

    4. Work with Program Developer/Programmers to ensure that the configuration of application server software on the operating system(s) is in accordance with IRM 10.8.21.

    5. Advise the Security Specialist of any technical, operational, or security problems and recommended solutions.

    6. Ensure Database Administrators (DBAs) do not have unnecessary operating system Administrator privileges. DBAs shall have the least level of elevated operating system privileges required to perform DBA-related duties.

  9. In accordance with IRM 10.8.6, Secure Application Development, the Information System Owner shall:

    1. Assist Program Developer/Programmers to ensure that the configuration of application server software on the operating system(s) is in accordance with IRM 10.8.6.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommended solutions for secure application development.

    3. Not have operating system Administrator privileges and therefore have the least level of privileges required to perform operational duties.

  10. In accordance with IRM 10.8.10, Linux and Unix Security Policy, the Information System Owner shall be responsible for the following:

    1. Assist System Administrators (SA) and other stakeholders to ensure proper configuration of Linux/Unix based operating systems in accordance with IRM 10.8.10.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommend solutions for the Linux/Unix environment.

  11. In accordance with IRM 10.8.20, Windows Security Policy, the Information System Owner shall be responsible for the following:

    1. Assist System Administrators (SA) and other stakeholders to ensure proper configuration of Windows based operating systems in accordance with IRM 10.8.20.

    2. Advise the Security Specialist of any technical, operational, or security problems and recommend solutions for the Windows environment.

  12. In accordance with IRM 10.8.22, Web Server Security Policy, the Information System Owner shall be responsible for the following:

    1. Ensure that Web servers and Web application servers are properly configured and managed in accordance with the requirements of the associated IRM.

    2. Work with SAs and other stakeholders to ensure proper configuration of Web servers and Web application server software on the operating system in accordance with the associated IRM.

    3. Coordinate placement of information and scripts on the Web server and Web application servers with appropriate authorities.

  13. In accordance with IRM 10.8.50, Service-wide Security Patch Management, Information System Owners that maintain systems, networks, IRS applications, and COTS shall:

    1. Develop implementation policies and procedures for managing security patches to the systems and applications for which they are responsible.

    2. Review various sources for security-related patches specific to their systems and applications.

    3. Notify the Computer Security Incident Response Center (CSIRC) prior to working on each set of their pending patch activities. Notification shall be via the Patch and Vulnerability Group (PVG) member.

    4. Provide application names and implementation counts to the CSIRC for the Business Impact Analysis during the assignment of severity levels.

    5. Maintain hardware/software inventories.

    6. Coordinate their patch activities with other Information System Owners.

    7. Coordinate their patch activities with the CSIRC.

    8. Provide multiple representation to the PVG based on key stakeholder organizations involved in the Enterprise Life Cycle (ELC) and operations.

    9. Acknowledge receipt of the IRS Patch and Vulnerability Group (PVG) Advisories per the Acknowledgment of Receipt schedule.

    10. In the event an applicable patch is not applied, the Business and Functional Unit Owner shall document this weakness in a POA&M associated with the SA&A package.

    11. Information System Owners shall be represented on the PVG.

  14. In accordance with IRM 10.8.54, Minimum Firewall Administration Requirements, Information System Owners that own or operate a perimeter firewall environment shall comply with the security requirements in IRM 10.8.54.

10.8.2.2.1.5.1  (07-12-2010)
Business System Planner (BSP)

  1. The Business System Planner (BSP) shall perform duties outlined for Senior Management/Executives.

10.8.2.2.1.5.1.1  (05-16-2014)
Security Program Management Officer (SPMO)

  1. The Security Program Management Officers (SPMOs) have been established within the Business Units and IRS Information Technology Cybersecurity organization to support their AO and other staff with the successful completion of that office's security related responsibilities, including the successful completion of all FISMA requirements.

  2. The SPMO shall support the BSP functions, System Owners, FISMA activities and shall provide other security-related support for other security activities.

  3. The SPMO shall provide ISSOs for the systems owned by their respective Business Unit.

    1. When there is no ISSO assigned for a system, the SPMO shall assume the role of the ISSO.

  4. In support of FISMA, the SPMO shall:

    1. Ensure development and implementation of the IRS Security Program strategy to meet FISMA requirements.

    2. Ensure currency of the FISMA Master Inventory.

    3. Coordinate and ensure completion of annual security reviews.

    4. Make security determinations (such as prioritization) for weakness reporting.

    5. Ensure timely completion of POA&M weaknesses and obtain AO or AO POC concurrence.

      Note:

      POA&Ms shall be approved by the AO (e.g., as a part of the accreditation process or prior to establishing in TAF), and shall be managed and completed as planned.

    6. Collaborate with other SPMOs to ensure consistency of FISMA activities across business units.

    7. Serve as the security point of contact for business unit staff supporting FISMA and as the Cybersecurity interface into the business unit.

    8. Identify needs and implement IT security awareness training to current and newly assigned personnel in the business unit.

    9. Present all training and orientation materials to AOs and various Points of Contact (POCs), at minimum, annually.

  5. For weaknesses and POA&Ms, the SPMO shall:

    1. Identify and track, with ISSO support, the corrective actions to mitigate the weaknesses in the POA&M through status updates, changes to milestones, and additional comments.

    2. Identify the scheduled completion date, cost, and resources needed to mitigate each weakness.

    3. Validate the effectiveness of the corrective actions during continuous monitoring or SCA.

    4. Combine and review all high level security weaknesses from the self-assessment, risk assessment, TIGTA audits, GAO audits, and internal reviews into POA&M weaknesses.

    5. As determined by their business unit, consolidate self-assessment scores for their business unit applications then brief POCs and AOs on results.

    6. Support the development of answers to the self-assessment questions that cross multiple business units.

10.8.2.2.1.6  (05-16-2014)
Information Owner

  1. The information owner/steward is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. At the IRS, the Information Owner is the Business and Functional Unit Owner.

  2. The information owner/steward shall be responsible for establishing the appropriate use and protection of information (e.g., rules of behavior) and retains responsibility when information is shared with or provided to other organizations.

  3. The Information Owner, in collaboration with the AO, shall approve the physical removal of Sensitive But Unclassified (SBU) information from IRS facilities in writing prior to its removal.

  4. The Information Owner, in collaboration with the AO, shall approve the download and remote storage of SBU information outside of IRS facilities in writing prior to the action.

  5. Information Owner/Stewards shall provide input to Information System Owners regarding the security requirements and security controls for the information systems where the information resides.

  6. Refer to the Information System Owner section of this IRM for detailed roles and responsibilities for Business and Functional Unit Owners.

10.8.2.2.1.7  (05-16-2014)
Authorizing Official (AO)

  1. The Authorizing Official (AO), or accrediting official, shall be a government employee at the senior management/executive official level with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

  2. In accordance with NIST and TD P 85-01, the AO shall:

    1. Ensure that each bureau IT system under their purview has a designated System Owner and an Information System Security Officer (ISSO), who are responsible for ensuring the security of the system is in compliance with requirements throughout the system life cycle (from design through disposal).

    2. For all equipment capable of storing or transmitting data, conduct a risk assessment before connecting it to an IRS system or network.

    3. Apply adequate countermeasures before connecting the equipment to an IRS system or network.

    4. Decide through Security Assessment and Authorization (SA&A) processes to allow or disallow equipment to be connected to an IRS system or network.

    5. Document interconnections between external networks with an Interconnection Security Agreement (ISA) signed by both AOs.

    6. Oversee the budget and business operations of the information system within the agency and is often called upon to approve system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding.

    7. Issue an Interim Authorization to Operate (IATO) the information system under specific terms and conditions.

    8. Deny Authorization to Operate (ATO) the information system (or if the system is already operational, halt operations) if unacceptable security risks exist.

    9. Assume accountability for the security risks associated with information system operations.

  3. The AO shall also:

    1. Ensure that the BU responsibilities are assigned within their organization for each system.

    2. Obtain and maintain Security Assessment and Authorization for his/her systems and applications.

    3. Sign the Accreditation Letter and assume responsibility and accountability for operating a system at an acceptable level of risk.

    4. Approve and document (e.g., memo) any risk based decisions.

    5. Ensure Security Assessment and Authorization documentation is current.

    6. Determine information sensitivity in accordance with NIST guidance (e.g., FIPS 199, 800-53) on security.

    7. Coordinate with the CIO/CTO regarding the security requirements of the sensitive information and provide definitive directions to IT developers or owners relative to the risk in the security posture of the IT system.

    8. Respond to self-assessment questions assigned.

    9. Decide on accepting the minimum security safeguards (requirements) prescribed for an IT system.

    10. Implement all applicable federal security and other protection policies as required by the Business system owner.

    11. Ensure that risk analysis responsibilities are accomplished in accordance with this policy.

    12. Ensure development of the documentation required for certification and ensure delivery to IRS Information Technology Cybersecurity organization, which is supporting the CIO/CTO.

    13. Evaluate security impact of any facility-unique patches or system modifications and approve those that do not adversely affect system security.

    14. Report any condition which appears to invalidate a certification, immediately to IRS Information Technology Cybersecurity.

    15. Ensure that current copies of approved Security Assessment and Authorization or IATO documentation are distributed to the organizations with a need to know as outlined in Security Assessment and Authorization processes.

    16. Ensure that all acquisitions of goods or services provide for information security, personnel security and physical security.

    17. Maintain the deliverables/results of contracted and outsourced efforts for which they provided funding.

    18. Approve security plans, security assessment plans/reports, memorandums of agreement or understanding, audit plans and POA&Ms.

    19. Determine whether or not changes in the information system or environment of operation require re-accreditation/reauthorization. Ensure the minimum security baseline requirements selected (i.e., NIST, OMB, Treasury, etc.) are appropriately prescribed for IT systems throughout the enterprise.

    20. Ensure each application's ISCP is reviewed and tested, at a minimum annually.

    21. Participate in a Disaster Recovery test, including signing off on the documentation as complete.

  4. The AO shall have the authority to deny, terminate, or alter access to a system or application if the level of risk is increased by granting such access.

  5. The AO can delegate performance of his or her responsibilities to a designated representative except for the signature of the authorization letter.

    Note:

    The only activity that shall not be delegated by the AO is the security accreditation decision and the signing of the associated security authorization decision letter (i.e., the acceptability of risk to the agency).

  6. The AO may delegate the coordinating and conducting of the day-to-day activities associated with the security authorization process to the Authorizing Official Designated Representative.

    1. The AO shall retain responsibility for all risk accepted to the organization regardless of responsibilities delegated.

      Note:

      Day-to-day activities do not include signing security authorization decision letters or Risk Acceptance Request Form 14201. The designated representative is to confer with the AO on decisions where the acceptance of risk to the organization is involved. The AO will then be required to officially accept the risk by signing the associated security authorization decision letter (i.e., the acceptability of risk to the agency).

  7. In the event that there is a change in AOs, the new AO shall review the current authorization decision document, authorization package, and any updated documents created as a result of the ongoing monitoring activities, and shall either sign an Authorization Letter taking over the current authorization or, if unwilling to accept the current authorization, a new security assessment and re-authorization may be required. (NIST 800-37, Sec. F.4; TD P 85-01 Sec. 2.6)

    1. See IRM 10.8.1, CA-6 Security Authorization for additional guidance.

  8. The AO shall be responsible for ensuring that all activities and functions delegated to the Authorizing Official Designated Representative are carried out.

10.8.2.2.1.7.1  (09-05-2012)
Authorizing Official Designated Representative

  1. The Authorizing Official Designated Representative shall be an officially designated organization official that acts on behalf of the AO to coordinate and conduct the required day-to-day activities associated with the security authorization process.

  2. The Authorizing Official Designated Representatives shall coordinate their activities with the CIO/CTO, SAISO/CISO, Risk Executive (function), information system and common control providers, information system security officers, security control assessors, and other interested parties during the security authorization process.

  3. The Authorizing Official Designated Representative shall be empowered by the AO to make certain decisions with regard to the planning and resourcing of the security authorization process, such as:

    1. Approve the security plan and security assessment plan.

    2. Approve and monitor the implementation of POA&Ms, and the assessment/determination of risk.

  4. The Designated Representative may be called upon to:

    1. Prepare the final authorization package.

    2. Obtain the AO’s signature on the authorizing decision document (i.e., authorization letter).

    3. Transmit the authorization package to appropriate organizational officials.

  5. The only activity that cannot be delegated to the Designated Representative by the AO is the authorization decision and signing of the associated authorization decision document (i.e., the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation), to include authorization letters and risk based decision memos (e.g., Form 14201).

10.8.2.2.1.8  (05-16-2014)
Information System Security Officer (ISSO)

  1. The Information System Security Officer (ISSO), while working in collaboration with the information system owner, shall be responsible to the AO, information system owner, or SAISO/CISO for ensuring that the appropriate operational security posture (i.e., physical and environmental protection, personnel security, incident handling, and security training and awareness) is maintained for an information system or program.

  2. As the principal advisor to the AO, Information System Owner, or SAISO/CISO on all matters, technical and otherwise, involving the security of an information system, the ISSO shall provide:

    1. Analysis of security findings, issues and plans.

    2. Interpretation and clarification of security policy, guidance and new or changing IRM requirements.

    3. Recommendation for action(s) to resolve or mitigate known weaknesses, or for preventive measures and safeguards for potential threats.

    4. Status monitoring for Plans of Action and Milestones (POA&M), and other applicable action plans designed to resolve known weaknesses or prevent potential threats.

    5. Guidance in resolving known system weaknesses according to available enterprise-level plans or solutions.

    6. Situational Awareness through notification of enterprise security issues, solutions, projects and plans that may impact the system(s) under their purview.

  3. The ISSO shall have the detailed knowledge and expertise required to manage the security aspects of an information system.

  4. In accordance with NIST and TD P 85-01, the Information System Security Officer (ISSO) shall:

    1. Be responsible for ensuring the security of the system is in compliance with the requirements throughout the system life cycle (from design through disposal).

    2. Be appointed in writing.

    3. Be responsible for the coordination of activities that facilitate confidentiality, integrity, and availability of assigned IRS systems and applications.

    4. Accomplish duties through planning, analysis, development, implementation, maintenance, and enhancement of IRS Information Technology Cybersecurity information systems security programs, policies, procedures, and tools consistent with Department of Treasury, FISMA, and NIST guidelines.

    5. Assist the SAISO/CISO in identifying, implementing, and assessing the common security controls.

    6. Actively support the development and maintenance of the system security plan, to include coordinating system changes with the information system owner and assessing the security impact of those changes.

    7. Perform and/or provide oversight and guidance for day-to-day security activities for assigned systems.

    8. Develop or assist in development of system security policy.

      Note:

      This includes, but is not limited to, contributing analysis and recommendations.

    9. Ensure operational security posture consistent with current system security policy is maintained.

      Note:

      This includes monitoring compliance with system security policy and providing guidance and recommendations to correct deficiencies.

    10. Coordinate changes to the system with the system owner and the information owner, as needed.

    11. Assess security impact of system changes.

    12. In accordance with NIST 800-100, be primarily responsible for addressing security concerns related to the Configuration Management (CM) program and for providing expertise and decision support to the Change/Configuration Control Review Board (CCRB/CCB).

    13. Be a voting member on the Change Control Board (CCB) for the systems and applications for which they are assigned.

      Note:

      SPMO is currently the voting member on the CCB.

    14. Report existing potential security issues to the bureau CIO/CTO, SAISO/CISO, AO, and System Owner.

    15. Ensure that security incidents and the security status of the affected IT system(s) are reported to the bureau CSIRC.

    16. Ensure that system audit trails are regularly examined and anomalies reported to the bureau CSIRC.

    17. Ensure documentation is developed and maintained detailing the IT hardware and software configuration and all security countermeasures that protect it.

      Note:

      This is usually maintained in the SSP.

    18. Satisfy ISSO requirement for mandatory annual specialized IT-security training.

  5. For their respective Business Unit, the ISSO shall also:

    1. Support the AO in the management of an enterprise risk management capability that incorporates the specific GSS or application.

    2. Ensure current security plans, ISCP, and disaster recovery plans exist.

    3. Ensure DR planning and testing occurs.

    4. Ensure Business Resumption (BR) planning and testing occurs.

    5. Participate, as needed, in testing of corrective action effectiveness, system security controls, and any other security testing.

    6. Participate in Cybersecurity Operations Compliance Reviews and Contractor Site Reviews as they relate to assigned systems.

    7. Provide an early warning to appropriate personnel, assisting with (or in) the tasks necessary to plan, allocate resources, and conduct any required security re-certification and accreditation.

    8. Assist in identification of IT and security resources which support critical operations.

    9. Support the activities relating to the security posture of the GSS or application.

    10. Alert the AO to system-relevant security threats and/or vulnerabilities as they are discovered; provide recommendations for mitigation or resolution as appropriate.

    11. Recommend (dis)approval of deviations from policy and/or security input to risk-based decisions for the systems or applications for which they are responsible.

    12. Analyze the proposed changes to the systems and applications (including hardware, software, and surrounding environment) to provide system-specific input to the determination of need for re-certification.

    13. Analyze, interpret and/or clarify Security Assessment and Authorization packages with requirements and results for the AO.

  6. The ISSO shall support the SPMO in FISMA activities.

10.8.2.2.1.9  (09-05-2012)
Manager

  1. Managers shall:

    1. Explicitly assign information technology security roles to individuals on their staff when said individual is responsible for meeting any requirements or completing any functions and activities of a role defined in IRM 10.8.2.

    2. Assign multiple roles to any employee when said employee performs in multiple roles. No role assignment has precedence so all appropriate roles will be assigned.

    3. Not assign a role to an individual if that individual will not perform in that role. For example, even if a person is capable and works within a business function that has system administrators (SAs), do not assign the SA role if that individual does not have any SA duties.

      Note:

      The business function to which employees belong does not preclude them from being assigned a role defined in IRM 10.8.2.

  2. Managers shall be responsible for complying with information security awareness, awareness training, and role-based training requirements established for their employees, users, and those who have been identified as having significant responsibilities for information security, in accordance with IRM 1.4.1, Resource Guide for Managers, Management Roles and Responsibilities. Managers are also referred to as Front Line Managers.

  3. In accordance with NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, managers shall:

    1. Work with the CIO and SAISO to meet shared responsibilities.

    2. Serve in the role of system owner and/or information owner, where applicable.

    3. Include appropriate security training in the Career Learning Plans (CLP) for those with significant security responsibilities.

    4. Promote the professional development and certification of the information security program staff, full-time or part-time information security officers, and others with significant responsibilities for information security.

    5. Ensure that all users (including contractors) of their systems (i.e., general support systems and major applications) are appropriately trained in how to fulfill their information security responsibilities before allowing them access.

    6. Ensure that users (including contractors) understand specific rules of each system and application they use.

    7. Work to reduce errors and omissions by users due to lack of awareness, awareness training, and/or specialized role-based training.

  4. In addition to the guidance provided in the IRM 1.4.X series, Resource Guide for Managers, managers shall:

    1. Enforce the clean desk policy (see IRM 10.2.14, Physical Security Program, Methods of Providing Protection for further information).

    2. Ensure employees complete their annual UNAX Awareness certification.

    3. Be responsible for notifying via Online 5081 (OL 5081) and following up with the responsible organization of the system user status changes (e.g., terminations, transfers).

    4. Receive Security Awareness Training and Education (Security ATE/SATE). Detailed training requirements for management are stated in IRM 10.8.1.

  5. In accordance with IRM 10.8.27, managers shall:

    1. Ensure employees are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy. These requirements are part of the employees’ mandatory annual Security ATE/SATE.

    2. Ensure IT resources are being used appropriately and shall take corrective action, as needed.

10.8.2.2.1.10  (12-03-2010)
Contracting Officer

  1. The Contracting Officer shall be responsible for managing contracts/acquisitions and overseeing their implementation, in accordance with IRM 1.1.17, Organization and Staffing, Agency-Wide Shared Services.

  2. In accordance with IRM 1.1.17, the Contracting Officer shall:

    1. Work in partnership with the SAISO/CISO to ensure that agency contracting policies adequately address the information security requirements.

    2. Coordinate with the SAISO/CISO to ensure that all agency contracts and procurements are compliant with the agency’s information security policy.

    3. Ensure that all personnel with responsibilities in the agency’s procurement process are properly trained in information security.

    4. Collaborate with the SAISO/CISO to monitor contract performance for compliance with the agency’s information security policy.

10.8.2.2.1.10.1  (09-05-2012)
Contracting Officer's Representative (COR)

  1. The COR shall be a qualified employee appointed by the Contracting Officer to act as its technical representative in managing the technical aspects of a particular contract.

  2. In accordance with TD P 85-01, the COR shall:

    1. Determine whether contractors require IT access in the accomplishment of Treasury/IRS mission.

    2. Ensure that contractors comply with this policy and pursue appropriate action for noncompliance.

    3. Review and authorize access privileges for contractors and review user security agreements on at least an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement (e.g., systems authorized for access and type).

    4. Notify system owners to revoke access privileges in a timely manner when a contractor under his/her supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures.

  3. In accordance with NIST 800-16, the COR shall:

    1. Identify security requirements to be included in statements of work and other appropriate procurement documents (e.g., procurement requests, purchase orders, task orders, and proposal evaluation summaries) as required by the Federal regulations.

    2. Develop security requirements specific to an information technology acquisition for inclusion in procurement documents (e.g., ensures that required controls are adequate and appropriate) as required by the Federal regulations.

    3. Evaluate proposals to determine if proposed security solutions effectively address agency requirements as detailed in solicitation documents and are in compliance with Federal regulations.

    4. Develop security requirements for hardware, software, and services acquisitions specific to the IT security program (e.g., purchase of virus-scanning software or security reviews) and for inclusion in general IT acquisition guidance.

    5. Interpret and/or approve security requirements relative to the capabilities of new information technologies, revise IT acquisition guidance as appropriate, and issue changes.

    6. Identify areas within the acquisition process where IT security work steps are required.

    7. Develop security work steps for inclusion in the acquisition process, (e.g., requiring an IT Security Officer review of statements of work).

    8. Evaluate procurement activities to ensure that IT security work steps are being effectively performed.

    9. Identify general and system-specific IT security specifications which pertain to a particular system acquisition being planned.

    10. Develop security-related portions of acquisition documents.

    11. Ensure that security-related portions of the system acquisition documents meet all identified security needs.

    12. Ensure that IT security requirements are appropriately identified in acquisition documents.

    13. Evaluate the presence and adequacy of security measures proposed or provided in response to requirements contained in acquisition documents.

    14. Monitor contract performance and review deliverables for conformance with contract requirements related to IT security and privacy.

    15. Take action as needed to ensure that accepted products meet contract requirements.

  4. Additionally, the COR shall:

    1. Ensure that security requirements for hardware, software, and services acquisitions are in compliance with the IT security program.

    2. Develop the system termination plan to ensure that IT security breaches are avoided during shutdown and long-term protection of archived resources is achieved.

    3. Ensure hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan.

    4. Ensure IT resources are being used appropriately and shall take corrective action, as needed.

    5. Determine if contractors require IT access in the accomplishment of their mission.

    6. Ensure contractors are informed of appropriate uses of Government IT resources as a part of their introductory training, orientation, or the initial implementation of this policy.

    7. Ensure that contractors comply with this policy and pursue appropriate action for noncompliance.

    8. Review and authorize access privileges for contractors and review user security agreements on at least an annual basis to verify the continuing need for access, the appropriate level of privileges, and the accuracy of information contained in the agreement.

    9. Notify system owners to revoke access privileges in a timely manner when a contractor under his/her supervision or oversight no longer requires access privileges, requires a change in access privileges, or fails to comply with stated policies or procedures.

    10. Ensure contracts for Information Systems contain FISMA security language.

    11. Ensure reviews are conducted on contractor facilities and systems annually, in accordance with FISMA and applicable NIST guidance such as 800-37 and 800-53.

10.8.2.2.1.11  (07-12-2010)
Enterprise Architect

  1. The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, November 28, 2000, requires agencies to ensure consistency with Federal, agency, and bureau Enterprise Architectures and to demonstrate consistency through compliance with agency business requirements and standards. The Enterprise Architect is a highly experienced IT architect who has a broad and deep understanding of the agency's overall business strategy and general IT trends and directions.

  2. In accordance with OMB Circular A-130, the Enterprise Architect shall:

    1. Lead agency enterprise architecture development and implementation efforts.

    2. Collaborate with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture.

    3. Participate in agency strategic planning and performance planning activities to ensure proper integration of enterprise architecture.

    4. Facilitate integration of information security into all layers of enterprise architecture to ensure agency implementation of secure solutions.

    5. Work closely with the program managers, the SAISO/CISO, and the business owners to ensure that all technical architecture requirements are adequately addressed by applying Federal Enterprise Architecture (FEA) and the Security and Privacy Profile (SPP).

10.8.2.2.1.12  (12-03-2010)
Information System Security Engineer

  1. The information system security engineer is the individual responsible for conducting information system security engineering activities.

  2. In accordance with NIST SP 800-37, information system security engineers shall:

    1. Employ best practices when implementing security controls within an information system including software engineering methodologies, security engineering principles, and secure coding techniques.

    2. Coordinate their activities with AO designated representatives, chief information officers, senior agency information security officers/chief information security officer, information system and common control providers, and information system security officers.

10.8.2.2.1.13  (07-12-2010)
Chief Financial Officer (CFO)

  1. To provide a sound leadership structure linked to OMB’s financial management responsibilities, the Chief Financial Officers (CFO) Act of 1991 creates chief financial officer positions in 23 major agencies. The CFO is the senior financial advisor to the Investment Review Board (IRB) and the agency head. Information security investments fall within the purview of the CFO and are included in the CFO’s reports.

  2. In accordance with the CFO Act, the CFO shall:

    1. Review cost goals of each major information security investment.

    2. Report financial management information to OMB as part of the President’s budget.

    3. Comply with legislative and OMB-defined responsibilities as they relate to IT capital investments.

    4. Review systems that impact financial management activities.

    5. Forward investment assessments to the IRB.

10.8.2.2.1.14  (09-05-2012)
Privacy Officer

  1. The role of the Privacy Officer and/or Chief Privacy Officer is defined in accordance with the Consolidated Appropriations Act, 2005 (H.R 4818) and the E-Government Act of 2002. This role within the IRS is assigned to the Director of Privacy, Governmental Liaison and Disclosure (PGLD).

  2. See IRM 10.5.1, Privacy, Information Protection & Data Security Policy and Guidance (PGLD), for a detailed description of Roles and Responsibilities.

10.8.2.2.1.15  (09-05-2012)
Physical Security Officer

  1. The physical security office is usually responsible for developing and enforcing appropriate physical security controls, in consultation with computer security management, program and functional managers, and others, as appropriate. The role of the Physical Security Officer is established in accordance with NIST SP 800-12, An Introduction to Computer Security. This role is assigned to the Director of Physical Security and Emergency Preparedness.

  2. The Director of Physical Security and Emergency Preparedness (PSEP) shall be responsible for the overall implementation and management of physical security controls across the IRS, including integration with applicable information security controls.

  3. The Director of PSEP shall:

    1. Ensure the organization’s physical security programs, to include appropriate controls for alternate work sites, are developed, promulgated, implemented, and monitored.

    2. Ensure organizational implementation and monitoring of access controls (i.e., authorization, access, visitor control, transmission medium, display medium, logging).

    3. Ensure organizational environmental controls (i.e., ongoing and emergency power support and backups, fire protection, temperature and humidity controls, water damage).

    4. Oversee and manage controls for delivery and removal of assets.

  4. The Director of PSEP provides oversight for the Physical Security Analyst and Physical Security Specialist roles.

  5. Refer to Physical Security Program 10.2.x IRMs for additional information on Physical Security Officer roles & responsibilities.

10.8.2.2.1.16  (07-12-2010)
Personnel Security Officer

  1. The Personnel Security Officer manages and implements safeguards and security access authorization functions. The Personnel Security Officer is the first point of contact in helping managers determine if a security background investigation is necessary for a particular position. The Personnel Security Officer may also be responsible for providing security-related exit procedures when employees leave an organization.

  2. The Director of Personnel Security and Investigations shall be responsible for the overall implementation and management of personnel security controls across the IRS, including integration with specific information security controls.

  3. The Director of Personnel Security and Investigations shall:

    1. Develop, promulgate, implement and monitor the organization’s personnel security programs.

    2. Develop, implement, and ensure documentation of position categorization (including third-party controls) and risk level designations, access agreements, and personnel screening, termination, and transfers.

    3. Ensure consistent and appropriate sanctions for personnel violating management, operation, or technical information security controls.
