4-8.4 Activities

4-8.4.1 Data Conversion

If required, a data conversion plan is defined which incorporates collecting, converting, and verifying data for completeness and integrity and resolving any errors found during conversion. A backup of all data is created prior to conversion, audit trails track the conversion, and there is a fallback and recovery plan in case the conversion fails. The backed-up data conforms to the applicable data retention schedule.

4-8.4.2 Deploy Information Resource

All three approvals (i.e., certification, accreditation, and risk acceptance) are required before deploying the information resource. The project manager deploys the information resource into production with the security controls documented in the security plan and tested in the ST&E and with any restrictions documented in the approval letters.

4-8.4.3 Operate Information Resource

The information resource is operated with the security controls, processes, and procedures in place as documented in the security plan, ensuring that they remain fully functional and unaltered by maintenance procedures.

Note: To use production data in a test environment, you must have prior written approval (see Section 8-3.3, Testing Restrictions, in Handbook AS-805, Information Security, for specific requirements).

4-8.4.4 Test Information Resource Contingency Plans

The information resource contingency plans are tested and the test results and lessons learned are documented.

4-8.4.5 Maintain Information Resource

The information resource is placed under configuration control and all changes are documented.

The tools, techniques, and mechanisms used to maintain information resources must be properly controlled.

4-8.4.6 Reassess Risks and Upgrade Security Controls

Risks must be re-assessed any time significant changes are made to the information resource, if a serious security breach occurs, if significant audit findings regarding security are issued, at the request of management, or as part of the re-initiation of the C&A process. See Section 6-2, Criteria Forcing Security Recertification, for other examples of a significant change.

4-8.4.7 Monitor Operations and Enhance Security Posture

Information resource controls must be continually monitored to:

  1. Ensure the controls are working as intended.
  2. Ensure changes are controlled and documented in the configuration and change management system.
  3. Ensure the operating environment (e.g., physical, electronic, political, legal) has not introduced new vulnerabilities.
  4. Determine whether additional security controls need to be added or existing controls modified to properly secure the information resource in the changing environment.
  5. Ensure the information resource remains in compliance with the security-related plans and Postal Service information security policies.

Facility and platform related controls must also be monitored for compliance with Postal Service policies.

If the information resource security posture or controls change significantly, it is necessary to re-initiate the C&A process.

4-8.4.8 Periodically Test Security Controls

A subset of the information resource information security controls must be formally tested annually, the tests documented, and the results submitted to the ISSO. The security controls that are volatile or critical to protecting the information resource must be assessed at least annually. All other controls must be assessed at least once during the information resource’s accreditation cycle (e.g., for information resources on a 2-year cycle, test one half of the other controls each year; for information resources on a 3-year cycle, test one third of the other controls each year).

4-8.4.9 Update Certification and Accreditation Documentation Package

The C&A documentation package (including the Security Plan and Security Test and Evaluation Plan) must be updated throughout the life cycle process in response to the changing environment, changing technology, reassessed risks or vulnerabilities, and as part of the re-initiation of the C&A process. See Exhibit 4-10, C&A Templates, and Exhibit 4-11, C&A Requirements for Information Resources.

4-8.4.10 Re-initiate C&A as Required

Re-initiating the C&A is required based on the information resource classification designation.

Re-initiating the C&A is also required for a significant change to the information resource, including new business requirements or a change to the information resource’s level of criticality or sensitivity, a significant audit finding, a significant security incident, or a request by management. See Section 6-2, Criteria Forcing Security Recertification, for other examples of a significant change.

Unresolved issues, new business requirements, new threats and vulnerabilities, operating environment changes, audit reports, and incidents must be appropriately addressed throughout the information resource life cycle. Also, certain changes to an information resource or its environment as well as business considerations could affect the security of the information resource and may require a re-initiation of the C&A process.

Exhibit 4-8: Phase 8 Release and Production (3 pages)