4-2.4 Activities

4-2.4.1 Review Documentation

The C&A core team reviews the documentation it receives, which may include the following:

  1. Original business needs statement, business case, request for proposals, statement of work, and TSLC requirements documentation.
  2. Contracts and POA&M.
  3. Policies, procedures, standards, and any other applicable documentation that may affect the information resource.

4-2.4.2 Document Application Characteristics

The project manager or ISSR documents the application characteristics, which includes the following steps:

  1. Answering the development environment section questions.
  2. Answering the testing environments (both SIT and CAT) section questions.
  3. Answering the production environment section questions.
  4. Answering the non-Postal Service environment section questions.
  5. Answering the network connectivity characteristics section questions.
  6. Documenting the sensitive and sensitive-enhanced data elements.
  7. Developing a high-level architectural diagram.
  8. Identifying application internal and external dependencies to document how a given application interfaces with the rest of the Postal Service applications and infrastructure. The project manager and ISSR may need to meet with developers, system administrators, network administrators, database administrators, the Business Relationship Management portfolio manager, and customer representatives to complete the internal and external dependencies table. A system is dependent if it CANNOT function without the input or connection to the other system or portal. For example, applications which by themselves are not critical may have a higher designation because they provide data to an application with a higher criticality designation.

4-2.4.3 Conduct Business Impact Assessment

The ISSO coordinates the completion of the BIA, which includes the following steps:

  1. Completing the privacy section.
  2. Determining sensitivity (i.e., sensitive-enhanced, sensitive, or nonsensitive).
  3. Determining criticality (i.e., critical-high, critical-moderate, or noncritical [low]).
  4. Determining security requirements. Security requirements are defined for all information resources to secure the information resources commensurate with the risk. Security requirements include:
    1. Baseline security requirements for all information resources.
    2. Additional security requirements based upon the sensitivity and criticality of the information resource and industry requirements.
    3. Additional conditional requirements based on request by senior management or specific criteria.
    4. Additional security requirements recommended by the ISSO based on generally accepted industry practices, the operating environment, and the risks associated with the information resource.
  5. Signing the Acceptance of Responsibility and Verification sections of the BIA. (The Business Relationship Management portfolio manager or designee, the executive sponsor or designee, the privacy official, and the ISSO each sign the section relevant to their function.)

Note: Some information resources are developed under the direction of one executive sponsor in one organization and transferred to an executive sponsor in another organization for Phase 7 of the C&A process (Release and Production).

4-2.4.4 Update Plan of Action and Milestones and Enterprise Information Repository

Once the BIA is completed, the Business Relationship Management portfolio manager ensures that the EIR is updated and amends the POA&M to include integrating information security controls in the information resource and the deliverables associated with the C&A process.

The POA&M, a key document in the security certification and accreditation package, describes actions taken or planned by the executive sponsor to correct deficiencies in the security controls and to address remaining vulnerabilities in the information resource. The POA&M identifies:

  1. Tasks needing to be accomplished to address vulnerabilities.
  2. Resources required to accomplish the elements in the plan.
  3. Milestones in meeting the plan.
  4. Scheduled completion dates for the milestones.

The POA&M is updated throughout the information resource lifecycle for changes to the hardware, software, firmware, and the surrounding computing environment.

Exhibit 4-2, Phase 2, Requirements