oversight

FISMA Evaluation

Published by the Farm Credit Administration, Office of Inspector General on 2003-09-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

Office of
Inspector General



                           Farm Credit Administration
            Federal Information Security Management
                              Act (FISMA) Evaluation
                                 Agreed-Upon Procedures




                                     September 10,2003
CONTENTS                                      PAGE




INDEPENDENT ACCOUNTANT'S REPORT ON APPLYING
 AGREED-UPON PROCEDURES                          1

FISMA REPORT                                     3
The Inspector General
Farm Credit Administration
Washington, D. C.


          Independent Accountant's Report on Applying Agreed-Upon Procedures


We have performed the procedures summarized below that were agreed to by the Farm Credit
Administration's Office of Inspector General, solely to assist you with the annual evaluation of
the Farm Credit Administration's (FCA) information security program and practices. This
engagement was conducted in accordance with consulting standards established by the American
Institute of Certified Public Accountants. The sufficiency of these procedures is solely the
responsibility of those parties specified in this report.. Consequently, we make no representation
regarding the sufficiency of the procedures described below either for the purpose for which this
report has been requested or for any other purpose.

Our procedures included determination of the critical elements which represent tasks that are
essential for establishing compliance with Federal Information Security Management Act
(FISMA), and guidelines issued by OMB, GAO, CIO Council, and NIST for each control
category, including:

•       documented security policies;
•       documented security procedures;
•       implemented security procedures and controls;
•       tested and reviewed security procedures and controls; and
•       fully integrated security procedures and controls.

For each control category, we determined the associated objectives, risks, and critical activities,
as well as related control techniques and evaluation concerns specific to FCA's information
technology environment.

We used the requirements and criteria found in GAO's Federal Information System Controls
Audit Manual (FISCAM), OMB Circular A-130, Appendix III, "Security of Federal Automated
Information Resources," current NIST guidance, and the CIO Council Framework.


                     Harper, Rains, Knight & Company, P.A. • Certified Public Accountants • Consultants
              One Hundred Concourse • 1052 Highland Colony Parkway, Suite 100 • Ridgeland, Mississippi 39157
                          Telephone 601.605.0722 • Facsimile 601.605.0733 • www.hrkcpa.com

                                                            1
In our review we considered the following mission critical systems:

   •   Federal Financial System (FFS)
   •   Consolidated Reporting System (CRS)
   •   Lotus Domino
   •   Personnel/Payroll System
   •   Windows 2000

We were not engaged to, and did not conduct an examination, the objective of which would be
the expression of an opinion on the FCA's information security program and practices.
Accordingly, we do not express such an opinion. Had we performed additional procedures, other
matters might have come to our attention that would have been reported to you.




September 10, 2003




                                               2
                     FISMA REPORT


  In accordance with Memorandum Reporting Instructions
  for the Government Information Security Reform Act and
Updated Guidance on Security Plans of Actions and Milestones




                             3
A.1 IT Security Spending to Protect Government Operations and Assets



    A.1. Identify the agency’s total IT security spending and each individual major operating division or bureau’s IT security
    spending as found in the agency’s FY03 budget enacted. This should include critical infrastructure protection costs that
    apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection
    pertaining to lead agency responsibilities such as outreach to industry and the public.
                                                                                                     FY03 IT Security Spending
    Bureau Name                                                                                       ($ in thousands)
    To be Prepared by Agency Only                                                                            N/A

    Agency Total                                                                                             N/A

A.2 Identity and Number of Agency Programs and Systems and Those Reviewed


    A.2a. Identify the total number of programs and systems in the agency, the total number of systems and programs reviewed
    by the program officials and CIOs in FY03, the total number of contractor operations or facilities, and the number of
    contractor operations or facilities reviewed in FY03. Additionally, IGs shall also identify the total number of programs,
    systems, and contractor operations or facilities that they evaluated in FY03.


                                                                                                                   FY03 Contractor
                                                                                                                    Operations or
                                                                       FY03 Programs        FY03 Systems              Facilities

                                                                      Total  Number   Total  Number   Total                 Number
    Bureau Name                                                       Number Reviewed Number Reviewed Number                Reviewed
    Farm Credit Administration                                             1           1         5           5          4              4

    Agency Total                                                           1           1         5           5          4              4



    b. For operations and assets under their control, have agency
    program officials and the agency CIO used appropriate
    methods (e.g., audits or inspections) to ensure that contractor
    provided services or services provided by another agency for
    their program and systems are adequately secure and meet
    the requirements of FISMA, OMB policy and NIST guidelines,
    national security policy, and agency policy?                            Yes            Yes

    c. If yes, what methods are used? If no, please explain why.                                 See Below
    d. Did the agency use the NIST self-assessment guide to
    conduct its reviews?                                                    Yes                              Yes

    e. If the agency did not use the NIST self-assessment guide
    and instead used an agency developed methodology, please
    confirm that all elements of the NIST guide were addressed in
    the agency methodology.                                                 N/A                              N/A


The Office of Inspector General (OIG), supported by a contract with Harper, Rains, Knight & Co. P.A.,
performed an independent evaluation of the Farm Credit Administration's (FCA or Agency) information
security program and practices.

A. General Overview

    FCA is an independent agency in the executive branch of the U. S. Government. It is responsible for
    the regulation and examination of the banks, associations, and related entities that collectively
                                                            4
comprise what is known as the Farm Credit System (FCS). FCA promulgates regulations to
implement the Farm Credit Act of 1971 (the Act), and examines System institutions for compliance
with the Act, regulations, and safe and sound banking practices. FCA has fewer than 300 employees.
The Agency headquarters are in McLean, Virginia. It has field examination offices in McLean,
Virginia; Bloomington, Minnesota; Dallas, Texas; Denver, Colorado; and Sacramento, California.


   1. Mission Critical Systems

       FCA is a single program agency with five mission critical systems. Mission critical systems
       are defined as any telecommunications or information system used or operated by an agency
       or by a contractor of an agency, or organization on behalf of an agency that processes any
       information, the loss, misuse, disclosure, or unauthorized access to or modification of, would
       have a debilitating impact on the mission of an agency. In FY03 and FY02, all mission
       critical systems were evaluated.

       In accordance with the Federal Information Security Management Act (FISMA) and OMB’s
       implementation guidance, we evaluated the following mission critical systems.

       Major Applications

       a. Federal Financial System (FFS)

         FFS is a major application that supports FCA’s entire core accounting functions including
         budget execution, accounts payable, disbursements, purchasing, travel, accounts receivable,
         general ledger, document tracking, project cost accounting, and external reporting. FFS is a
         mainframe computer financial management system. FFS is processed by the United States
         Geological Survey/National Business Center (NBC), and American Management Systems
         Inc. The FFS software is owned and maintained by American Management Systems.
         American Management System is responsible for providing development activities
         including regular upgrades, fixes, and requested enhancements to maintain the core FFS
         software. NBC personnel are responsible for defining and developing processes to retrieve
         or receive data from external sources to develop corresponding programs that enable FFS to
         load the data accordingly. FCA’s FFS security administrator, located in the Office of Chief
         Financial Officer is responsible for managing security access control to the FFS agency
         application. The FFS was placed in production in June 2001.

       b. Consolidated Reporting System (CRS)

         CRS is a major application that supports FCA operations. CRS is a database containing
         financial and statistical information on active and inactive Farm Credit Institutions. CRS
         contains three distinct subsystems that are Call Report, Loan Account Reporting System
         (LARS), and Web-based CRS Reports:

         • Call Report is comprised of financial information including a statement of condition,
           statement of income, and supporting schedules that is collected quarterly from the FCS
           Institutions. Call Report subsystem is monitored, analyzed, and assessed by FCA
           examiners and financial analysts to ensure that the integrity and confidentiality of
           financial data are maintained.

         • LARS database contains specific loans of FCS Lender Institutions. Institutions submit
           the data quarterly to the FCA.

         • Web-based CRS Reports is an FCA developed application. The reports are available on
           the FCA's Web site. The Freedom of Information Act (FOIA) versions of the reports are
           available to the public. The non-FOIA versions of the reports are available to users who
           are authorized to view their institution data.

                                               5
    c. Lotus Domino

        Lotus Domino (Notes) is a database system application owned and maintained by FCA.
        The application supports routine administrative tasks including e-mail, group discussion,
        calendaring and scheduling, database management, forms, and workflow.

        d. Payroll Services from National Finance Center (NFC)

        United States Department of Agriculture's (USDA) NFC located in New Orleans, Louisiana
        provides the Personnel/Payroll System to FCA. The NFC provides distributed application
        and telecommunications support for the remote site located in McLean, Virginia. NFC
        developed a "master security plan" for the general support system in New Orleans. FCA's
        Office of Chief Administrative Officer (OCAO) maintains a security plan for the remote
        system at FCA that incorporates provisions of the master security plan.

    General Support System

    FCA has one mission critical general support system.

    •    Windows 2000

         FCA migrated from Windows NT 4.0 operating system to Windows 2000 during FY
         2003. Windows 2000 is the core program of a computer, which allows the other
         programs and applications to operate. The operating system is installed on agency
         servers. Windows 2000 is fully integrated with networking capabilities. Windows 2000
         was designed for client/server computing, that facilitates user workstation connections to
         servers and the sharing of information and services among computers.

The system reviews were performed in accordance with NIST Self-assessment guide. The OIG,
supported by Harper, Rains, Knight & Co. P.A., the independent evaluator, determined the
critical elements that represent essential tasks for establishing compliance with FISMA, and the
guidelines issued by OMB, GAO, CIO Council, and NIST for each control category, including:

•   documented security policies;
•   documented security procedures;
•   implemented security procedures and controls;
•   tested and reviewed security procedures and controls; and
•   fully integrated security procedures and controls.

For each control category, the evaluator determined the associated objectives, risks, and critical
activities, as well as related control techniques and evaluation concerns specific to FCA's
information technology environment.

The review was conducted in accordance with the requirements and criteria found in GAO's
FISCAM, OMB Circular A-130, Appendix III, "Security of Federal Automated Information
Resources," current NIST guidance, and the CIO Council Framework. We used this information
to evaluate FCA's practices and addressed the above five control areas to be considered in
determining compliance with FISMA. For each critical element, the evaluator made a summary
determination as to the effectiveness of FCA's related controls. If the controls for one or more of
each category's critical elements were found ineffective, then the controls for the entire category
are not likely to be effective. The evaluator exercised its professional judgment in making such
determinations.

The evaluation focused on the actual performance of the Agency's security program and practices
and not on how the Agency measures its performance in its own annual reviews. The Agency's
security controls were evaluated for programs and practices including testing the effectiveness of
security controls for Agency systems or a subset of systems as required. The evaluator performed

                                             6
FISMA evaluations in accordance with Federal guidance, e.g, NIST Self-Assessment Guide for
Information Technology Systems.

2. Services Provided by Contractors or Other Agencies

    a. FFS

         FFS is provided by the Department of the Interior, National Business Center. FFS is
         proprietary financial management system software owned and maintained by American
         Management Systems, Inc. The FFS is made available to FCA through an inter-agency
         agreement with the Department of the Interior, National Business Center. The FFS is a
         mainframe computer financial management system that meets the requirements of OMB
         Circular A-127, Financial Management Systems. FCA relies on annual SAS 70 and other
         operational reviews to ensure that National Business Center’s program and systems are
         adequately secure and meet the requirements of FISMA, OMB policy and NIST
         guidelines, national security policy, and agency policy.

    b. Payroll Services from National Finance Center (NFC)

         USDA's NFC located in New Orleans, Louisiana provides the Personnel/Payroll System
         to FCA. The NFC provides distributed application and telecommunications support for
         the remote site located in McLean, Virginia. A "master security plan" was developed for
         the general support system in New Orleans by the responsible NFC organization. The
         security plan developed by the FCA's OCAO for the remote system at FCA references
         the master security plan.

         FCA's Personnel/Payroll System provides connectivity to the applications and resources
         located at the NFC in New Orleans. This permits designated employees of FCA's OCAO
         to perform the data input and output functions necessary to record personnel actions and
         accurately calculate pay for employees. The Personnel/ Payroll System at FCA rely on a
         secure tunnel to exchange information with the NFC in New Orleans via the Internet.
         Dial-in capabilities are accomplished through the FCA firewall. Security requirements
         associated with dial-in are addressed in the NFC security plan. FCA relies on annual
         SAS 70 and other operational reviews to ensure that NFC’s program and systems are
         adequately secure and meet the requirements of FISMA, OMB policy and NIST
         guidelines, national security policy, and agency policy.

    c.   The Electronic Certification System

         The Electronic Certification System (ECS) is maintained by the Department of Treasury
         (Treasury), Financial Management Service. ECS is a system that agencies use to certify
         proper payments to Treasury. The FFS electronically transmits data to Treasury. FCA
         uses ECS to confirm that payment information is correct and can be released by Treasury
         to the recipients. The ECS is proprietary financial management payment system software
         owned and maintained by Treasury.

         FCA ensures that the system has adequate security by reviewing the “Electronic
         Certification Reference Guide" prepared by Treasury. Both FCA and Treasury also
         separate duties to reinforce security.

    d. Data Security

         A contractor provides offsite storage services for FCA's backup tapes. In 2002 the
         vendor completed construction and placed into operation a new tape storage facility. The
         contractor is a recognized leader in data security services that has been protecting
         business records since 1951 for a diversified customer base, which includes more than
         half of the Fortune 500 companies. The contractor operates over 50 dedicated data
                                            7
                  protection facilities in the United States. These sites are staffed with more than 1,200
                  trained personnel. For over 30 years, the contractor has provided secure, offsite vaulting
                  for disaster recovery and archival data. It serves more than 25,000 companies in over 50
                  locations.

A.3 Material Weaknesses Identified and Reported Under Existing Law

   There were no material weaknesses identified for the fiscal year ended September 30,
   2002 or September 30, 2001.


   A.3. Identify all material weakness in policies, procedures, or practices as identified and required to be reported under
   existing law in FY03. Identify the number of material weaknesses repeated from FY02, describe each material weakness, and
   indicate whether POA&Ms have been developed for all of the material weaknesses.

                                                                            FY03 Material Weaknesses

                                                                Total Number                                       POA&Ms
                                                       Total    Repeated from Identify and Describe Each Material developed?
   Bureau Name                                        Number        FY02                   Weakness                  Y/N

   Farm Credit Administration                        None      None                          N/A                    N/A


   Agency Total                                      None      None                          N/A                    N/A

   FCA does not currently have any identified material weaknesses or significant
   deficiencies requiring plans of action and milestones (POA&M). FCA’s current
   security organization structure and program do provide the foundation for an
   effective POA&M program in the event that significant deficiencies in policies,
   procedures or practices are identified.




                                                         8
B. Responsibilities of Agency Head


    B.1. Identify and describe any specific steps taken by the agency head to clearly
    and unambiguously set forth FISMA's responsibilities and authorities for the
    agency CIO and program officials. Specifically how are such steps implemented
    and enforced?                                                                          See Below

    B.2. Can a major operating component of the agency make an IT investment
    decision without review by and concurrence of the agency CIO?                          See Below

    B.3. How does the head of the agency ensure that the agency’s information
    security plan is practiced throughout the life cycle of each agency system?            See Below

    B.4. During the reporting period, did the agency head take any specific and direct
    actions to oversee the performance of 1) agency program officials and 2) the CIO to
    verify that such officials are ensuring that security plans are up-to-date and
    practiced throughout the lifecycle of each system?                                     See Below

    B.5. Has the agency integrated its information and information technology
    security program with its critical infrastructure protection responsibilities, and
    other security programs (e.g., continuity of operations, and physical and
    operational security)?                                                                 See Below


    B.6. Does the agency have separate staffs devoted to other security programs, are
    such programs under the authority of different agency officials, if so what specific
    efforts have been taken by the agency head or other officials to eliminate
    unnecessary duplication of overhead costs and ensure that policies and
    procedures are consistent and complimentary across the various programs and
    disciplines?                                                                           See Below


 B.1 Responsibilities and Authorities for the Agency CIO and Program Officials

        The Agency-wide information security program is documented in the Policy and Procedure
        Manual (PPM) number 902. FCA maintains current Agency-wide application and support system
        security plans in accordance with OMB Circular A-130, Appendix III. The security plans are
        reviewed and updated annually by considering data sensitivity and data integrity as well as risks
        of unauthorized internal and external users who may attempt to compromise the system. FCA has
        established security management that serves as a focal point for the Agency in evaluating the
        appropriateness and effectiveness of computer related controls on a day-to-day basis.

        FCA has established a security organization structure. The CIO is responsible for developing and
        obtaining approval from the FCA leadership team for an overall policy on the level of security to
        be achieved in FCA operations. The CIO is responsible for establishing a computer security plan
        that conforms to security policies established by the FCA Board, and complies with current
        Federal laws, regulations, standards, and guidelines. The CIO maintains the management control
        processes to ensure that appropriate administrative, physical, and technical safeguards are
        incorporated into all newly developed computer applications, and into existing systems when
        significant modifications are made. The CIO is responsible for periodically reviewing the security
        of each computer installation and system operated or used by the Agency. The review includes
        analysis to ascertain that security is commensurate with the risk and magnitude of harm resulting
        from the loss, misuse or unauthorized access to the Agency information.

        FCA’s Agency-wide security program addresses the ability to respond rapidly when security
        breaches occur, and maintains procedures that provide continuity of data processing support when
        other incidents arise that affect the availability of FCA computers and systems. The security
        program also provides procedures to ensure that appropriate steps are taken to prevent a
        reoccurrence.


                                                              9
     FCA has integrated its Information Resource Management (IRM) operational and strategic
     planning with the process of inventorying, classifying and security planning for all Agency
     hardware and software assets. Staff receives training via an annually updated security module,
     and periodic news articles and alerts. In short, FCA has approached its security program as one
     inclusive of, and one that actively engages the entire agency in planning, budgeting, conducting
     and performing their individual and unit roles within a comprehensive Agency computer security
     program.

     FCA's security program is integrated with the Agency's IRM program. The implementation of
     planned IRM initiatives has a high profile because these are also documented in the annual IRM
     planning cycle, approved by the IRM Operations Committee (IRMOC) and senior management,
     and monitored via monthly and quarterly reports to management. All deliverables are identified
     along with the resources required to produce them.

     The training of staff is conducted and formally tracked by individual, completion date, and a
     course evaluation is documented from each individual receiving training. For those with specific
     security responsibilities, training requirements are documented in the individual's development
     program and employees sent to off site courses as appropriate to their responsibilities.

     The actual performance of the information security program is identified in monthly reports to
     management, quarterly performance measure reports, assessment of the degree to which
     completion timeframes mandated by the Agency's program are met and in the results of audits
     completed.

B.2 IT Investment Decisions Without CIO Review and Concurrence

     All major IT investment decisions must have review and concurrence by the CIO. The IRM
     Planning Process controls the IT investment process. Equipment purchases, system maintenance
     projects and new system requests are submitted to the IRMOC for approval.

B.3 Ensure Security Plan is Practiced

     The FCA Chairman and Chief Executive Officer measure the performance of the information
     security plan through the annual IRM planning process. The performance measures stated in the
     IRM plan are monitored via monthly and quarterly reports, which are distributed to management.
     Security plans are updated annually for the mission critical systems. During the FISMA
     evaluation, the independent reviewers verified that the security plans for the mission critical
     systems were current.

B.5 Integration of FCA Information Technology Security Program

     FCA integrates its information and information technology security program with its critical
     infrastructure protection responsibilities in two main ways. First, the computer disaster recovery
     plan is integrated into the Continuity of Operations Plan (COOP) produced by the OCAO.
     Second, the OCIO reviews operating unit submissions to ensure that equipment required for
     protecting critical infrastructure is included in the IRM Planning Call and is budgeted for
     appropriately.

     FCA’s official COOP was last updated in conjunction with Y2K contingency preparations. A
     draft COOP dated May 2003 currently exists, however at the time of this evaluation, the draft plan
     had not been approved and officially adopted by FCA.


                                                10
      The COOP is the result of the business continuity planning process designed to reduce FCA’s risk
      for an unexpected disruption of its critical functions, no matter whether these are manual or
      automated, and assure continuity of the minimum level of services necessary for critical
      operations. The planning is primarily the responsibility of senior management, as they are
      entrusted with the safeguarding of both the assets and the viability of FCA. Additionally, the
      COOP drives OCIO plans to recover information processing capabilities, as well as other unit
      plans to recover operational capabilities. The IS recovery plan must be consistent with and
      support the overall plan of the organization.

      FCA’s OCIO and other operating offices have prepared continuity and recovery plans that provide
      the capabilities to support all of the services identified by senior management in the draft COOP.
      However, senior management should complete the draft COOP and ensure that it is adopted as the
      official plan for FCA.

      Without an authorized COOP based on current business continuity planning considerations, FCA
      cannot be sure that OCIO and other operating unit disaster recovery plans will provide the
      services that top management deems critical for operations.

B.6 Coordination of Security Staff, Policies and Procedures

      FCA has established a security organization structure. The CIO is responsible for developing and
      obtaining the approval from the FCA leadership team for an overall policy on the level of security
      to be achieved in FCA operations. The CIO is responsible for establishing a computer security
      plan that conforms to security policies established by the FCA Board, and complies with current
      Federal laws, regulations, standards, and guidelines. The CIO maintains the management control
      processes to ensure that appropriate administrative, physical, and technical safeguards are
      incorporated into all newly developed computer applications, and into existing systems when
      significant modifications are made. The CIO is responsible for periodically reviewing the security
      of each computer installation and system operated or used by the Agency. The review includes
      analyses to ascertain that security is commensurate with the risk and magnitude of the harm
      resulting from the loss, misuse or unauthorized access to the Agency information.

      FCA has Agency-wide security plans that ensure policies and procedures are consistent across
      systems and FCA security personnel report directly to the CIO. As a result, the Agency
      eliminates unnecessary duplication of overhead costs.

B.7 Identification of Critical Operations and Assets and their Interdependencies and Interrelationships


  B.7. Identification of agency's critical operations and assets (both national critical operations and assets and mission
  critical) and the interdependencies and interrelationships of those operations and assets.
  a. Has the agency fully identified its critical operations and assets, including their
  interdependencies and interrelationships?                                                 Yes

  b. If yes, describe the steps the agency has taken as a result of the review.                          See Below
  c. If no, please explain why.                                                                              N/A


 FCA has five mission critical systems and their interdependencies and interrelationships are identified
 through the annual planning and budget process.

 The OCIO issues a Call for Agency input on future information resource needs including hardware,
 software, development, maintenance, and training. The IRMOC reviews the IRM Call submissions
 and assigns a numeric rating to each proposed project and investment based on criteria derived from
 OMB guidance. The investment review process considers both risk and anticipated return and
                                                           11
 includes a review of each project's alignment with and impact on FCA's enterprise architecture (EA).
 This rating identifies and prioritizes critical assets within the EA including interdependencies,
 interrelationships and links to external systems. Based on the relative levels of each proposed project
 or investment, the IRMOC recommends approval of the higher priority items to senior management.
 The CIO submits the recommended initiatives and the IRM budget to senior management for approval
 of the Plan. The EA is updated annually to reflect changes due to completed IT investments and
 projects.

 Ongoing identification and reassessment of critical assets, especially the applications and general
 support systems, is also conducted during the annual planning process. OCIO maintains an inventory
 of systems and applications. This inventory is updated each year during the IRM Planning Call. The
 sponsor of each system indicates whether the system is still required, needs revision, or is no longer
 needed. The sponsor, in consultation with OCIO staff, determines whether a system is a major
 application. OCIO staff uses a technical committee approach to determine which systems are general
 support systems. In addition, OCIO ensures that all systems are either provided adequate security by
 the general support systems, or are identified as a major application with a unique security plan.

B.8 Documented Procedures for Reporting Security Incidents & Sharing Information on Common
     Vulnerabilities


  B.8. How does the agency head ensure that the agency, including all components, has documented procedures for
  reporting security incidents and sharing information regarding common vulnerabilities?


  a. Identify and describe the procedures for external reporting to law enforcement authorities and to         See Below
  the Federal Computer Incident Response Center (FedCIRC).
  b. Total number of agency components or bureaus.
                                                                                                                   1
  c. Number of agency components with incident handling and response capability.
                                                                                                                   1
  d. Number of agency components that report to FedCIRC.
                                                                                                                   1
  e. Does the agency and its major components share incident information with FedCIRC in a timely
  manner consistent with FedCIRC and OMB guidance?

                                                                                                                  Yes
  f. What is the required average time to report to the agency and FedCIRC following an incident?
                                                                                                                24 hours
  g. How does the agency, including the programs within major components, confirm that patches           Logged & Monitored in
  have been tested and installed in a timely manner?                                                       “Network Security
                                                                                                         Vulnerability Database”

  h. Is the agency a member of the Patch Authentication and Distribution Capability operated by
  FedCIRC?                                                                                               Yes


  i. If yes, how many active users does the agency have for this service?                                5
  j. Has the agency developed and complied with specific configuration requirements that meet their
  own needs?                                                                                             Yes


  k. Do these configuration requirements address patching of security vulnerabilities?                   Yes


 FCA has documented their incident handling procedures. The FCA Computer Security Officer
 (CSO) is notified of all security incidents and provides coordination of the incident response to higher
 levels within FCA or for reporting to external entities when appropriate. Several staff may be
 involved in the response to an incident depending on its type and severity. System, Network, and
 Database Administrators or other staff are directed to respond to the incident as appropriate. FCA has
 specific incident procedures for viruses, worms, hackers/crackers and responding to identified
                                                         12
 security vulnerabilities. Minor incidents may only require the actions of an administrator to resolve
 the issue while severe incidents may entail more staff assistance and may ultimately invoke the
 Disaster Recovery Plan.

 Information regarding the release of a security incident is controlled. The site specific information
 such as account or system names, network addresses or program specific information is not released
 to outside agencies. All reporting of incidents is performed by the CSO. All release of information
 regarding an incident must be reviewed and authorized by the CIO and the CSO.

 It is the Agency's policy to report all potential threats to the Federal Computer Incident Response
 Center (FedCIRC) and the National Infrastructure Protection Center. Incidents involving fraud,
 system penetration, theft of Agency assets, or other suspected criminal activity is reported to the
 Federal Bureau of Investigation or other duly appointed authority, such as the U.S. Secret Service. In
 addition, all suspected criminal activity is reported to FCA's Office of General Counsel and OIG.

B.9 Security Incidents Reported During FY 2003


  B.9. Identify by bureau, the number of incidents (e.g., successful and unsuccessful network penetrations, root or user
  account compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans,
  password access) reported and those reported to FedCIRC or law enforcement.

                                                                          Number of incidents reported externally to FedCIRC or
  Bureau Name                  Number of incidents reported               law enforcement
  Farm Credit Administration                                                                     None



 During the reporting period, FCA was not the target of attacks other than those considered routine.
 FCA was not adversely affected, or embarrassed, due to any security incident, routine or otherwise.

 The bulk of the incidents fell into the category of viruses, worms, etc., proliferated by malicious
 e-mails and their associated attachments. These were predominantly handled by FCA’s total virus
 defense implementation.

 The OCIO firewall logs reflected a significant increase in various types of scans. None constituted
 successful attempts to gain access to unauthorized services. The activity did not result in penetration
 of FCA’s firewall or rise to the level of persistence or volume that OCIO thought warranted reporting
 to FedCIRC or law enforcement.

 While not actually security incidents, FCA did forward hundreds of various Internet scam type
 fraudulent e-mail solicitations to the U.S. Secret Service.




                                                              13
C.1 Risk Assessment, Appropriate Level of Security, Security Planning & Evaluation of Controls


C.1. Have agency program officials and the agency CIO: 1) assessed the risk to operations and assets under their control; 2)
determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan
(that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4)
tested and evaluated security controls and techniques? By each major agency component and aggregated into an agency
total, identify actual performance in FY03 according to the measures and in the format provided below for the number and
percentage of total systems.




                                                                 Number of
                                                                 systems with    Number of
                       Number of                                 security        systems for                      Number of
                       systems          Number of     Number of control costs    which security                   systems for
                       assessed for     systems that systems     integrated      controls have      Number of     which
                       risk and         have an up- certified    into the life   been tested        systems with contingency
                       assigned a level to-date IT    and        cycle of the    and evaluated      a contingency plans have
            Total      or risk          security plan accredited system          in the last year   plan          been tested
            Number
Bureau      of           No. of   % of
Name        Systems     Systems Systems   No.    %     No.   %      No.     %      No.      %        No.     %     No.    %
FCA              5         5      100     5     100     *     *      5     100      5      100        4     80     4      80




Agency
Total            5         5      100     5     100     *     *      5     100      5      100        4     80     4      80


    *FCA does not have a formal certification and accreditation (C&A) process. FCA relies on its
    system security plan update procedures to provide the assurances required for system certification
    and accreditation. While FCA does not have a formal C&A process, its current procedures do
    ensure that management, operational, and technical controls are assessed by management prior to
    a system being placed in service and that those controls are reevaluated on a periodic basis.
    Additionally, FCA’s current procedures ensure that the minimum security controls, required by
    OMB Circular A-130, that must be in place prior to authorizing a system for processing are
    present. FCA management continues to evaluate the need for a formal C&A process in
    conjunction with evolving guidance from OMB and NIST.

    The assessment of risk at FCA is done at multiple levels both strategic and operational, and the
    program entails review of pertinent factors on at least an annual basis. Security plans for all
    major applications are being updated annually, and a risk assessment component is associated
    with each update. The security plans conform to NIST SP 800-18 guidelines, which include
    sections on information sensitivity, risk assessment and management, review of security controls,
    operations and technical controls.

    The security plans provide an overview of security requirements, describe the controls in place,
    delineate responsibilities, and expected behavior of all individuals who access the system. The
    plans address the sensitivity and criticality of the information stored in, processed by, or
    transmitted via FCA systems. This assessment of system information provides a basis for
    determining major systems and is one of the core factors in risk management. The risk analysis
    considers availability, integrity and confidentially of the information. Under each of the three
    categories, the risks are High, Medium and Low. Each security plan identifies threats;
    vulnerabilities and security measures required to adequately mitigate the risk to systems or assets
    posed by those threats and vulnerabilities.



                                                       14
        FCA's risk cycle includes testing and evaluating controls, analyzing the results, and adopting
        appropriate countermeasures to improve security. Security is tested and evaluated periodically by
        FCA staff and outside vendors.

        OCIO maintains a Lotus Notes database to collect information on publicly announced security
        vulnerabilities relating to the software and hardware currently in use within the Agency.


        FFS, Lotus Notes, Personnel/Payroll System and Windows 2000 have contingency plans. The
        recovery time of CRS, after an unplanned disruption, is not time critical. FCA may have up to 30
        days to recover. As a result, CRS does not have a documented contingency plan.

 C.2 Maintain Agency-Wide IT Security Program, Ensure Effective Implementation & Evaluate
 Performance



  C.2. Identify whether the agency CIO has adequately maintained an agency-wide IT security program and ensured the
  effective implementation of the program and evaluated the performance of major agency components.


                                                       How does the agency       Has the agency CIO         Do agency POA&Ms
  Has the agency CIO       Did the CIO evaluate the    CIO ensure that bureaus   appointed a senior         account for all known
  maintained an agency-    performance of all agency   comply with the agency-   agency information         agency security
  wide IT security         bureaus/components?         wide IT security          security officer per the   weaknesses including all
  program? Y/N             Y/N                         program?                  requirements in FISMA?     components?
            Yes                      Yes                      See Below                    Yes                        N/A



 The CIO has adequately maintained an agency-wide security program. As stated earlier, the
 Agency-wide program is documented in the PPM number 902. FCA maintains current Agency-wide
 application and system security plans in accordance with OMB Circular A-130, Appendix III. The
 security plans are reviewed and updated annually. FCA has established a security organizational
 structure and security program that is integrated with the Agency's IRM plan.

C.3 Ensure Security Training and Awareness for all Employees and Contractors


  C.3. Has the agency CIO ensured security training and awareness of all agency employees, including contractors and those
  employees with significant IT security responsibilities?


                                                           Agency employees with
  Total       Agency employees  Total number of            significant security
  number of   that received IT  agency employees           responsibilities that                                            Total costs
  agency      security training in
                                with significant IT        received specialized                                             for providing
  employees   FY03              security                   training                                                         training in
  in FY03     Number Percentage responsibilities           Number      Percentage Briefly describe training provided        FY03
  280         268       96           14                    13          93             See Below                              $31,000



     FCA provided an in-house training course presented to all employees during December 2002. To
     further employee awareness of security, FCA awarded the employees a token and conducted a
     reception after conclusion of the training session. For those with specific security responsibilities,
     training requirements are considered in the individual's development program and the employees
     are sent to off site courses as appropriate to their responsibilities. New employees are provided
     security awareness training during an orientation session. FCA provided additional emphasis on
     security awareness through articles in the employee newsletter and e-mail alerts.

                                                             15
C.4 Integrate Security into the Capital Planning and Investment Control Process


    C.4. Has the agency CIO fully integrated security into the agency’s capital planning and investment control process? Were
    IT security requirements and costs reported on every FY05 business case (as well as in the exhibit 53) submitted by the
    agency to OMB?

                                      Did the agency program official      Did the agency CIO plan and            Are IT security costs
                Number of business    plan and budget for IT security      budget for IT security and             reported in the agency's
    Bureau      cases submitted to    and integrate security into all of   integrate security into all of their   exhibit 53 for each IT
    Name        OMB in FY05           their business cases? Y/N            business cases? Y/N                    investment? Y/N
    FCA                 None                          N/A                                  N/A                                N/A



    The CIO is responsible for ensuring that agency security programs integrate fully into the Agency's
    EA and capital planning and investment control processes. Security is built into and funded as part of
    the system architecture. The CIO develops security policy and level of security to be achieved. The
    Chairman and FCA Board approve the policy. The CIO develops an overall plan to achieve the
    security objectives and to comply with current law, regulations, and guidance.

    The CIO's overall security program integrates the security program into the IRM Planning Process
    and into the life cycle management of each system. Before any system can be developed or modified,
    the Program Offices must submit a proposal during the IRM Planning Call. The IRMOC reviews the
    IRM Call submissions and recommends approval or disapproval of equipment purchases and system
    maintenance projects. It also prioritizes proposed development projects and enhancements to existing
    systems using criteria derived from OMB guidance. These evaluations include a review of each
    project's alignment with and impact on FCA's EA. Security risks and demands on the network are
    carefully analyzed. The budgeted costs of security appear as line items in the OCIO budget and are
    cross-referenced to the costs of meeting strategic goals and to the costs of specific operating Office
    hardware and software requests.

    In addition, OCIO maintains an inventory of systems and applications. This inventory is updated
    each year during the IRM Planning Cycle. The sponsor of each system indicates whether it is still
    required, needs revision, or is no longer needed. The security level of each system is reviewed and
    revised as necessary during this review.




                                                             16