DHS 4300ASensitive Systems HandbookVersion 11.0January 14, 2015Protecting the Information that Secures the Homeland
DHS 4300A SENSITIVE SYSTEMS HANDBOOKThis page intentionally left blankv11.0, January 14, 2015ii
DHS 4300A SENSITIVE SYSTEMS HANDBOOKFOREWORDThis Handbook and its Attachments provide guidance and best practices for implementation, andchecklists of required and recommended measures that protect the security of DHS information.The Handbook is based on the Department of Homeland Security (DHS) 4300 series ofinformation security policies, which are the official documents that create and publishDepartmental standards in accordance with DHS Management Directive 140-01 InformationTechnology System Security.Comments concerning DHS Information Security publications are welcomed and should besubmitted to the DHS Director for Information Systems Security Policy [email protected] or addressed to:DHS Director of Security Policy and RemediationOCIO CISO Stop 0182Department of Homeland Security245 Murray Lane SWWashington, DC 20528-0182/S/Jeffrey EisensmithChief Information Security OfficerDepartment of Homeland Securityv11.0, January 14, 2015iii
DHS 4300A SENSITIVE SYSTEMS HANDBOOKContents1.0INTRODUCTION.11.1Information Security Program and Implementation Guidelines .11.2Authorities.21.3Handbook Overview .21.4Definitions.21.4.1 Sensitive Information .31.4.2 Public Information .31.4.3 Classified National Security Information .31.4.4 National Intelligence Information .31.4.5 Foreign Intelligence Information .41.4.6 Information Technology .41.4.7 DHS System .41.4.8 Component .51.4.9 Trust Zone .51.4.10 Continuity of Operations.51.4.11 Continuity of Operations Plan .51.4.12 Essential Functions .51.4.13 Vital Records .61.4.14 Operational Data .61.4.15 Federal Information Security Management Act .61.4.16 Personally Identifiable Information .81.4.17 Sensitive Personally Identifiable Information .81.4.18 Privacy Sensitive System .81.4.19 Strong Authentication .81.4.20 Two-Factor Authentication .81.5Waivers .81.5.1 Waiver Requests .91.5.2 Requests for Exception to U.S. Citizenship Requirement .91.6Electronic Signature .91.7Information Sharing .101.8Threats.101.8.1 Insider Threats .111.8.2 Criminal Threats .111.8.3 Foreign Threats .111.8.4 Lost or Stolen Equipment .111.8.5 Supply Chain Threats .111.9Changes to this Handbook, and Requests for Changes.122.0ROLES AND RESPONSIBILITIES .132.1Information Security Program Roles .132.1.1 DHS Senior Agency Information Security Officer .132.1.2 DHS Chief Information Security Officer .132.1.3 Component Chief Information Security Officer .152.1.4 Component Information Systems Security Manager .172.1.5 Risk Executive .18v11.0, January 14, 2015iv
DHS 4300A SENSITIVE SYSTEMS HANDBOOK126.96.36.199.188.8.131.52.92.23.0Authorizing Official .19Security Control Assessor .19Information Systems Security Officer .20Ongoing Authorization Manager and Operational Risk ManagementBoard .202.1.10 DHS Security Operations Center .202.1.11 Component Security Operations Centers .22Other Roles .232.2.1 Secretary of Homeland Security .232.2.2 Under Secretaries and Heads of DHS Components .242.2.3 DHS Chief Information Officer .242.2.4 Component Chief Information Officer .252.2.5 DHS Chief Security Officer .262.2.6 DHS Chief Privacy Officer .262.2.7 DHS Chief Financial Officer .282.2.8 Program Managers .282.2.9 System Owners .282.2.10 Common Control Provider.282.2.11 DHS Employees, Contractors, and Others Working on Behalf of DHS .28MANAGEMENT POLICIES .293.1Basic Requirements .293.2Capital Planning and Investment Control .293.2.1 Capital Planning and Investment Control Process .303.3Contractors and Outsourced Operations .313.4Performance Measures and Metrics .323.5Continuity Planning for Critical DHS Assets .333.5.1 Continuity of Operations Planning .333.5.2 Contingency Planning .363.6System Engineering Life Cycle .383.6.1 Planning .403.6.2 Requirements Definition .403.6.3 Design .403.6.4 Development .413.6.5 Test .413.6.6 Implementation .413.6.7 Operations and Maintenance.423.6.8 Disposition .423.7Configuration Management .423.8Risk Management .443.8.1 Risk Assessment .453.8.2 Risk Mitigation .463.8.3 Evaluation and Assessment.463.9Security Authorization and Security Control Assessments .463.9.1 Ongoing Authorization .503.9.2 FIPS 199 Categorization and the NIST SP 800-53 Controls .543.9.3 Privacy Assessment .55v11.0, January 14, 2015v
DHS 4300A SENSITIVE SYSTEMS .4 E-Authentication .563.9.5 Risk Assessment .563.9.6 Security Plan .563.9.7 Contingency Plan .573.9.8 Security Control Assessment Plan .573.9.9 Contingency Plan Testing .573.9.10 Security Assessment Report .593.9.11 A SAR is automatically created in IACS. Plan of Action and Milestones593.9.12 Authorization to Operate Letter .593.9.13 Interim Authorization to Operate .603.9.14 Annual Self-Assessments.60Information Security Review and Assistance .613.10.1 Review and Assistance Management and Oversight .623.10.2 Information Security Assistance .623.10.3 Information Security Reviews .62Security Working Groups and Forums .623.11.1 CISO Council .633.11.2 DHS Information Security Training Working Group .633.11.3 DHS Security Policy Working Group.633.11.4 DHS Enterprise Services Security Working Group .63Information Security Policy Violation and Disciplinary Action .63Required Reporting .64Privacy and Data Security.653.14.1 Personally Identifiable Information .653.14.2 Privacy Threshold Analyses .673.14.3 Privacy Impact Assessments .673.14.4 System of Record Notices .683.14.5 Protecting Privacy Sensitive Systems .