Cybersecurity Program

Citation: 270 FW 7
FWM Number: N/A
Date:
Supersedes: 270 FW 7, 06/01/2010
Originating Office: Information Resources and Technology Management

TABLE OF CONTENTS

Topics | Sections

OVERVIEW

7.1 What is the purpose of this chapter?

7.2 What is the scope of this chapter?

7.3 What is the overall policy?

7.4 What are the authorities for this chapter?

7.5 What terms do you need to know to understand this chapter?

RESPONSIBILITIES

7.6 Who is responsible for cybersecurity within the Service?

SECURITY CONTROL STANDARDS

7.7 What are the security controls the Service must implement to protect information resources?

OVERVIEW 

7.1 What is the purpose of this chapter? This chapter:

A. Provides policy to help ensure the U.S. Fish and Wildlife Service (Service) has adequate information security to protect our information resources in accordance with applicable Federal and Department of the Interior (Department) cybersecurity laws, regulations, and policies; 

B. Establishes the Service’s cybersecurity program within the Office of Information Resources and Technology Management (IRTM) and the responsibilities and authorities of the Service’s Associate Chief Information Security Officer (ACISO);

C. Identifies organizational responsibilities for securing and managing Service information and information systems; and

D. Describes the high-level security controls the Service must implement in accordance with the Department’s security control standards. 

7.2 What is the scope of this chapter? 

A. The information security responsibilities and requirements in this chapter apply to all Service employees, contractors, volunteers, or others who perform work for or on behalf of the Service. We use the term “employee” in this chapter as a general term to describe these individuals. 

B. The requirements in this chapter apply to all Service information resources, which include:

(1) Any information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Service; and

(2) Information systems used, operated, or managed by a contractor or other organization on behalf of the Service. 

7.3 What is the overall policy? 

A. The Service must ensure the confidentiality, integrity, and availability of all Service information resources, including information residing in systems and networks owned and operated by a contractor or other organization on our behalf. We must protect Service information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in accordance with applicable Federal and Departmental laws, regulations, and policies, including, but not limited to, 375 Departmental Manual (DM) 19, Information Security Program.  

B. To help protect Service information resources, the Service established a cybersecurity program within IRTM under the direction of the Associate Chief Information Officer (ACIO) and the oversight and management of the ACISO. The cybersecurity program must:

(1) Provide Servicewide security policies, planning, budgeting, management, implementation, and oversight;

(2) Implement a Servicewide risk management process and framework capable of assessing, monitoring, and responding to cybersecurity risk on an ongoing basis at the organizational, mission or business process, and information system levels;

(3) Manage security risks by reducing them to an acceptable level in a cost-effective manner;

(4) Coordinate with system owners and other employees throughout the Service as necessary to implement security controls in accordance with the Department’s security control standards (see section 7.7) and continually monitor those controls to verify they are working as intended;

(5) Incorporate cybersecurity principles, concepts, and techniques throughout the lifecycles of Service information systems including development, deployment, operation, and decommissioning;

(6) Oversee and monitor the processes for provisioning elevated and privileged accounts for employees in accordance with the Department’s access control security standard;

(7) Reinforce employee accountability for complying with security requirements established in this chapter and other policies;

(8) Collaborate with the Service’s Associate Privacy Officer (APO) and privacy program to coordinate security and privacy activities for all information systems or resources that collect, use, maintain, disseminate, or disclose Personally Identifiable Information (PII); and

(9) Coordinate with the Department’s Chief Information Security Officer (CISO) and other Departmental staff to carry out cybersecurity activities and represent the Service on applicable Departmental cybersecurity governance or project groups. 

C. To provide uniform review for Service information systems prior to being deployed, the cybersecurity program staff work with system owners to complete the Assessment and Authorization (A&A) process prior to submission to the ACIO for Authorization to Operate (ATO). We carry out the A&A process in accordance with applicable Departmental and National Institute of Standards and Technology (NIST) guidance. 

7.4 What are the authorities for this chapter? 

A. Executive Order 14028, Improving the Nation’s Cybersecurity.

B. Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, NIST.

C. Federal Information Security Management Act of 2002 (Public Law 107-347, Title III).

D. Federal Information Security Modernization Act of 2014 (FISMA) (Public Law 113-283).

E. Federal Information Technology Acquisition Reform Act (FITARA), which is part of the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 (Public Law 113-291).

F. Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) (Public Law 104-106, Division E).

G. NIST Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. 

H. NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. 

I. Office of the Chief Information Officer (OCIO) Memorandum, “Mandatory Annual Information Management and Technology Awareness and Role-Based Training Directive,” August 8, 2022.

J. OCIO Memorandum, “Revised Security and Privacy Control Standards,” December 21, 2022. 

K. Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource.

L. OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

M. 375 DM 19, Information Security Program.

7.5 What terms do you need to know to understand this chapter?

A. Authorization to Operate (ATO). The official management decision that the Authorizing Official (AO) makes to allow operation of an information system and to explicitly accept the risk to operations, assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. 

B. Authorizing Official (AO). A senior Federal official with the authority to authorize the operation of an information system at an acceptable level of risk to operations, assets, individuals, other organizations, and the Nation. The ACIO serves as the AO within the Service. 

C. Availability. In the context of information security, ensuring timely and reliable access to and use of information. 

D. Confidentiality. In the context of information security, preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. 

E. Continuous monitoring. Maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support risk management decisions. 

F. Incident. An event that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system, or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. 

G. Information resources. Data and related resources, such as personnel, equipment, funds, and information technology (IT). See 44 U.S.C. 3502.

H. Information security. The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide integrity, confidentiality, and availability.  

I. Information system. A set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. We use “Service information system” to refer to those systems that we operate or another entity operates on our behalf.

J. Integrity. In the context of information security, guarding against improper modification or destruction. Includes ensuring information non-repudiation and authenticity. 

K. Risk. A measure of the extent to which an entity is threatened by a potential circumstance or event, which is a function of the magnitude of harm that would arise if the circumstance or event occurs and the likelihood of occurrence. 

L. Risk management. The program and processes to manage potential danger to operations, assets, individuals, other organizations, and the Nation. 

M. Security control. Safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. 

N. Service information. Data created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Service, in any medium or form. 

O. System owner. The employee or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and final disposition of an information system.

RESPONSIBILITIES

7.6 Who is responsible for cybersecurity within the Service? 

Table 7-1: Cybersecurity Responsibilities

These employees... | Are responsible for...
A. The Director

(1) Approving or declining to approve Servicewide cybersecurity policies and procedures, and

(2) Ensuring the Service has an effective cybersecurity program.

B. Directorate members

(1) Ensuring that employees within their areas of responsibility are aware of this and any other cybersecurity policies, procedures, and guidance and comply with all applicable directives; and

(2) Recommending employees to serve as system owners for programmatic or Regional systems and to carry out the responsibilities in section 7.6F below.

C. Associate Chief Information Officer (ACIO) (i.e., the Assistant Director - IRTM)

(1) Ensuring the confidentiality, integrity, and availability of the Service’s information resources;

(2) Serving as the AO for Service information systems and designating system owners for those systems in writing;

(3) Providing direction for the Service’s cybersecurity program, including the areas of cybersecurity operations, compliance, and risk management, and ensuring the program has the necessary resources; and

(4) Designating the Service’s ACISO.

D. Associate Chief Information Security Officer (ACISO) (i.e., Chief, Division of Cybersecurity in IRTM)

(1) Overseeing and managing the Service’s cybersecurity program in accordance with applicable laws, regulations, policies, and standards;

(2) Advising the Service Directorate (including the ACIO) on cybersecurity matters including, but not limited to, risk management, assessment and authorization, and incident response;

(3) Developing and maintaining cybersecurity policies, procedures, and control techniques and incorporating security requirements into policies and procedures in other subject areas, as needed;

(4) Overseeing Servicewide implementation of security controls in accordance with the Department’s security control standards;

(5) Implementing continuous monitoring of the Service’s information resources and security controls and addressing any vulnerabilities or gaps discovered;

(6) Coordinating with the Department’s CISO and other Departmental officials to carry out Departmentwide cybersecurity activities;

(7) Leading all Servicewide FISMA reporting and compliance activities;

(8) Ensuring system owners are aware of their security responsibilities and adequately implement applicable security requirements for information systems under their control;

(9) Overseeing the Service’s response activities for audit compliance initiated by the Office of the Inspector General and other entities;

(10) Developing the Service’s security incident response plan and leading, or delegating another employee to lead, the Service’s Computer Security Incident Response Team (CSIRT); 

(11) Ensuring cybersecurity considerations are integrated into the Service’s Information Management and Technology (IMT) planning, budgeting, acquisition, project management, and portfolio management processes and are incorporated throughout the lifecycles of information systems and IMT investments;

(12) Developing and overseeing the Service’s A&A process for information systems in accordance with Departmental standards; 

(13) Assigning, or delegating the authority to assign, Information System Security Officers to Service information systems; and

(14) Performing all duties assigned in Departmental policy and regulation. 

E. Information System Security Officers (ISSO)

(1) Coordinating with the appropriate system owners to ensure the security of assigned information systems throughout the systems’ lifecycles;

(2) Ensuring documentation required to receive and maintain an ATO is updated in accordance with organization-defined timeframes, including privacy impact assessments for systems that collect or maintain PII; 

(3) Assisting system owners with the implementation of security and privacy controls in alignment with the security categorization of the information system;

(4) Maintaining a system component inventory for systems within their areas of responsibility;

(5) Providing security briefings and updates to system owners throughout the lifecycles of their systems;

(6) Providing the ACISO with briefings on any changes impacting the security posture of assigned information systems or the organization’s overall risk tolerance; 

(7) Attending information system project meetings while the system is under development or enhancement to ensure security requirements are appropriately incorporated; and

(8) Collaborating with the APO and other members of the Service’s privacy program to ensure the security of information systems that maintain or collect PII.

F. System owners

(1) Coordinating with their ISSO to ensure the security of information systems under their control, including by implementing required security and privacy controls;

(2) Planning and ensuring adequate resources are available throughout the lifecycles of their systems;

(3) Reporting security costs, including the cost of implementing security controls, as required through the Department’s Capital Planning and Investment Control (CPIC) process in accordance with 270 FW 6, IMT Portfolio and Investment Management;

(4) Coordinating with their ISSO to provide necessary information in response to Federal and Departmental audits, security control assessments, and other reporting requirements;

(5) Receiving an ATO from the Service’s AO through the A&A process prior to deploying a system;

(6) Ensuring assigned ISSOs are part of system development teams and aware of system changes prior to development and implementation in production; and

(7) Serving as (or designating another employee to serve as) a Privacy Act System Manager for information systems that are also a Privacy Act system of records (see 204 FW 1, Privacy Act Program, for more information). 

G. Managers/supervisors

(1) Ensuring all employees under their supervision:

     (a) Complete required security and privacy training, including Role-Based Security Training (RBST) and Role-Based Privacy Training (RBPT);

     (b) Adhere to Servicewide cybersecurity policies and procedures, including, but not limited to, those described in this chapter; and

     (c) Complete all necessary tasks to receive access to the Service network and information systems, including agreeing to and signing the Department’s Rules of Behavior;

(2) Working with the Joint Administrative Operation’s Division of Human Capital to:

     (a) Ensure employees under their supervision have the requisite security clearances, training, and access privileges appropriate to their duties; and

     (b) Complete the exit clearance process in accordance with 223 FW 13, Exit Clearance for Fish and Wildlife Service Employees, and 223 FW 14, Exit Clearance for Non-Fish and Wildlife Service Employees, when the people they supervise separate from the Service;

(3) Ensuring employees report suspected or actual security incidents through the appropriate reporting application or through the Enterprise Service Desk (ESD) (or by phone at 1-800-520-2433) if they don’t have network access; and

(4) Ensuring position descriptions and performance standards for employees reference security responsibilities, as appropriate. 

H. Employees

(1) Following applicable cybersecurity requirements in this chapter and related policies when accessing, handling, managing, and disposing of information resources;

(2) Completing necessary requirements to gain and maintain access to the Service network and specific information systems;

(3) Abiding by the Department’s Rules of Behavior;

(4) Reporting any suspected or actual cybersecurity incidents to the Service’s CSIRT through the appropriate reporting application or through the ESD (or by phone at 1-800-520-2433) if they don’t have network access; and

(5) Completing required security and privacy training, including RBST and RBPT, if applicable. 

SECURITY CONTROL STANDARDS

7.7 What are the security controls the Service must implement to protect information resources?

A. NIST defines Governmentwide security control families in NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. To provide for standard implementation of these families, the Department issues a series of security control standards with implementation requirements and guidance.

B. Table 7-2 describes basic requirements associated with each NIST control family. Depending on the control, the requirements may be met at a Servicewide or individual information system level. System owners must work with their ISSO to document control implementation within their information systems. The ACIO may issue additional guidance describing how to meet these security control requirements in accordance with 270 FW 1, IRTM Senior Leadership and Governance. 

Table 7-2: Information Security Control Families and Requirements

Control Family | Basic Requirements
(1) Access control

(a) Define and document a process for provisioning accounts to authorized system users and permit only authorized accounts to access systems.

(b) Assign appropriate permissions to accounts.

(c) Ensure system users are only able to access the information and systems needed to perform their job functions in accordance with the principles of least privilege and separation of duties. 

(2) Awareness and training

(a) Employees must complete annual training to maintain access to information systems so that they are aware of requirements for appropriate use, protection, and security of information.

(b) Employees with defined cybersecurity responsibilities must complete RBST and RBPT. 

(3) Audit and accountability

(a) Systems must be capable of creating audit records and event logs in response to events such as password changes, failed logons, administrative privilege usages, and more.

(b) A process must exist for reviewing audit records and event logs at an appropriate interval or in response to any suspicious activities.

(4) Assessment, authorization, and monitoring

(a) Create Servicewide and system-specific continuous monitoring plans for security controls in accordance with Departmental continuous monitoring policy. 

(b) Assess the security controls of information systems and provide the results to the AO. 

(c) Ensure the AO provides an ATO before the system enters the operation phase.

(d) Document any security deficiencies or vulnerabilities within a Plan of Action and Milestones (POAM) that describes planned remedial actions. 

(5) Configuration management

(a) Ensure information systems comply with established baseline configurations.

(b) Develop and maintain component inventories, including hardware, software, and firmware.

(c) Create a process for reviewing, approving, and documenting changes to information systems and system components. 

(6) Contingency planning

(a) Establish and maintain plans for emergency response, backup operations, and post-disaster recovery.

(b) Test contingency plans at least annually.

(7) Identification and authentication

(a) Appropriately identify user accounts and devices permitted to access system resources.

(b) Authenticate (or verify) users or devices before system access is granted.

(8) Incident response

(a) The cybersecurity program must have an operational incident handling capability.

(b) Track, document, and report incidents to appropriate organizational officials and authorities in accordance with an established incident response plan.

(c) Provide employees with training for reporting and responding to security incidents. 

(9) Maintenance

(a) Ensure maintenance on IT is performed periodically in accordance with manufacturer or vendor recommendations.

(b) An appropriate Service employee must authorize and monitor maintenance activities whether in person or remote. 

(10) Media protection

(a) Ensure Service information in storage media (both paper and digital) is protected from loss, alteration, or theft and is appropriately labeled.

(b) Only use approved removable storage media to store Service information, including refraining from using personally owned removable storage media.

(c) Sanitize digital storage media prior to the media leaving Service control.

(11) Physical and environmental protection

(a) Limit physical access to information systems, equipment, and operating environments to authorized individuals.

(b) Protect assets against unauthorized use, theft, environmental hazards, or inadvertent destruction.

(c) Implement environmental controls including emergency shutoffs, emergency power, and emergency lighting. 

(12) Planning

(a) Maintain system security plans and review them at least annually.

(b) Ensure system security plans describe the security controls in place or planned for the information systems.

(13) Program management

(a) Implement Departmental requirements for critical infrastructure, risk management, insider threats, security workforce, continuous monitoring, enterprise architecture, POAMs, and other similar policies and plans.

(b) Document and implement additional Service-specific policies, procedures, plans, and requirements for the aforementioned areas. 

(14) Personnel security

(a) Ensure employees (including contractors and other service providers) are trustworthy and meet established security criteria for their positions.

(b) Terminate system access of separated employees and contractors promptly to prevent unauthorized or malicious access.

(c) Develop formal sanctions for personnel failing to comply with organizational security policies and procedures.

(15) Risk assessment

(a) Conduct risk assessments in accordance with applicable NIST guidance.

(b) Review risk assessments on a periodic basis or whenever there are significant changes to an information system.

(c) Conduct periodic vulnerability scans of information systems.

(16) System and services acquisition

(a) Allocate sufficient resources to protect information systems as part of the CPIC process.

(b) Incorporate cybersecurity requirements and considerations throughout the lifecycles of information systems, including when acquiring, developing, managing, and decommissioning a system.

(c) Incorporate security requirements into the appropriate acquisition documents such as statements of work and contracts, including supply chain risk management clauses.

(d) Ensure third-party providers employ adequate security measures to protect outsourced information, systems, applications, and services.

(17) System and communications protection

(a) Monitor, control, and protect organizational communications (i.e., information that our systems transmit or receive) at the external boundaries and key internal boundaries of those systems.

(b) Employ architectural designs, software development techniques, and engineering principles that promote effective information security.

(18) System and information integrity

(a) Employ processes to identify, report, and correct information and information system flaws in a timely manner, including through patch management and other means.

(b) Protect information systems from malicious code or other vulnerabilities.

(19) Supply chain risk management

(a) Protect against risks associated with IT supply chains including insertion or use of counterfeits, tampering, theft, insertion of hardware and software, and poor manufacturing and development.

(b) Incorporate required elements into contracting documents in accordance with Departmental policy.