* * * * *

Chapter 6 Re-Initiating the ISA

* * * * *

6-2 When Re-ISA Is Required

[Revise introductory text to read every 5 years instead of every 3 years as follows:]

Re-ISA is required a minimum of every 5 years following the initial ISA of the application or for the following reasons:

* * * * *

6-3 Process

6-3.1 Requesting a Re-ISA

[Revise the first sentence of this section to read every 5 years instead of every 3 years as follows:]

Five years after an application's ISA or for one of the other reasons covered above, the executive sponsor addresses a letter to the manager, CISO, requesting a Re-ISA.***

* * * * *

- Corporate Information Security, Information Technology, 4-28-05


HANDBOOK AS-805 REVISION

Information Security

Handbook AS-805, Information Security, is revised as follows to streamline the application information security assurance (ISA) process.

We will incorporate these revisions into the next online update of Handbook AS-805 available on the PolicyNet Web site:

• Go to http://blue.usps.gov.

• Under "Essential Links" in the left-hand column, click on References.

• Under "References" in the right-hand column, under "Policies," click on PolicyNet.

• Then click on HBKs.

(The direct URL for the Postal Service PolicyNet Web site is http://blue.usps.gov/cpim.)

Handbook AS-805, Information Security

* * * * *

8 System, Applications, and Product Development

* * * * *

8-2 Roles and Responsibilities

* * * * *

[Revise title and text of 8-2.2 to read as follows:]

8-2.2 Vice President, Chief Technology Officer

The vice president, Chief Technology Officer (VP/CTO), is responsible for the following:

a. Ensuring the technical security controls required for business functionality are implemented.

b. Accepting residual risk to applications jointly with the vice president of the appropriate functional business area. The VP/CTO has delegated this responsibility to the applicable manager, business systems portfolio (portfolio manager).

c. Approving an application for deployment jointly with the vice president of the functional business area. The VP/CTO has delegated this responsibility to the applicable portfolio manager.

8-2.3 Vice Presidents, Functional Business Areas

Vice presidents of functional business areas are responsible for the following:

* * * * *

[Revise items d and e to read as follows:]

d. Accepting residual risk to applications jointly with the VP/CTO. The vice presidents of functional business areas have delegated this responsibility to the applicable executive sponsor.

e. Approving an application for deployment jointly with the VP/CTO. The vice presidents of functional business areas have delegated this responsibility to the applicable executive sponsor.

* * * * *

8-2.4 Manager, Corporate Information Security Office

The manager, Corporate Information Security Office (CISO), is responsible for the following:

* * * * *

[Add a new item d to read as follows:]

d. Reviewing the ISA documentation package and accrediting the application.

8-2.5 Executive Sponsors

*** In particular, executive sponsors are responsible for the following for each information resource within their purview:

* * * * *

[Add a new item g to read as follows:]

g. Working jointly with the portfolio manager to review the ISA documentation package and make one of the following decisions: accept the residual risk to an application and approve the application for production or return the application to the applicable lifecycle phase for rework.

[Revise title and text of 8-2.6 to read as follows:]

8-2.6 Portfolio Managers

Portfolio managers are responsible for the following:

a. Functioning as liaisons between executive sponsors and the information technology providers.

b. Supporting the executive sponsor in the development of an application and the documentation required by the ISA process, including the business impact assessment, risk assessment, security plan, security test and evaluation plan, and application disaster recovery plan.

c. Ensuring the application is entered into the Enterprise Information Repository (EIR) and updated as required.

d. Appointing, if desired, an information systems security representative (ISSR) to perform security-related activities.

e. Reviewing the ISA documentation package and completing a risk mitigation plan for risks identified as High or Medium.

f. Working jointly with the executive sponsor to review the ISA documentation package and make one of the following decisions: accept the residual risk to an application and approve the application for production, or return the application to the applicable lifecycle phase for rework.

g. Ensuring that the application is registered in eAccess.

[Delete 8-2.7 and renumber current 8-2.8 through 8-2.17 as new 8-2.7 through 8-2.16.]

* * * * *

[Revise title and text of 8-2.8 to read as follows:]

8-2.8 Accreditor

The manager, Corporate Information Security Office, functions as the accreditor and is responsible for the following:

a. Reviewing the risk mitigation plan and supporting ISA documentation package together with business requirements and relevant Postal Service issues.

b. Escalating security concerns or preparing and signing an accreditation letter that makes one of the following recommendations: accepting the application with its existing information security controls, requiring additional security controls with a timeline to implement, or deferring deployment until information security requirements can be met.

c. Forwarding the accreditation letter and ISA documentation package to the portfolio manager and executive sponsor.

[Revise title and text of 8-2.9 to read as follows:]

8-2.9 Certifier

The manager, Information Security Assurance, who is appointed by the CISO, functions as the certifier and is responsible for the following:

a. Managing and providing guidance to the information systems security officers (ISSOs).

b. Reviewing the ISA evaluation report and the supporting ISA documentation package.

c. Escalating security concerns or preparing and signing a certification letter.

d. Forwarding the certification letter and ISA documentation package to the portfolio manager.

e. Maintaining an inventory of all information resources that have completed the ISA process.

8-2.10 Information Systems Security Officers

[Revise the introductory text to read as follows:]

Information systems security officers (ISSOs) are assigned to portfolios by the manager, CISO. ISSOs are responsible for the following:

* * * * *

[Revise item f to read as follows:]

f. Preparing the evaluation report and forwarding the evaluation report and ISA documentation package to the certifier.

8-2.11 Information Systems Security Representatives

[Revise the introductory text to read as follows:]

Information systems security representatives (ISSRs), who are appointed in writing by the executive sponsors or portfolio managers, are responsible for the following:

* * * * *

[Revise items d and e to read as follows:]

d. Notifying the executive sponsor, portfolio manager, and ISSO of any additional security risks or concerns that emerge during development or acquisition of the information resource.

e. Developing or reviewing security-related documents required by the ISA process as assigned by the executive sponsor or portfolio manager.

* * * * *

Exhibit 8.2
System, Application, and Product Development Responsibilities

[Revise Exhibit 8.2 as follows:]

Column key: ES = Executive Sponsors; PM = Portfolio Managers; PjM = Project Managers; ISSO = ISSOs; ISSR = ISSRs; Cert = Certifier (1); Accr = Accreditor (2).

ES     PM     PjM    ISSO   ISSR   Cert   Accr   Activity
X/F    C      P      P      P      -      -      Initiate ISA & conduct BIA.
X/F    C      P      P      P      -      -      Conduct risk assessment.
X/F    C      P      C      P      -      -      Identify security controls.
X/F    C      P      C      P      -      -      Develop security plan & develop/acquire security controls.
X/F    C      P      C      P      -      -      Develop ADRP & FR plan, SOPs, service level & trading partner agreements.
X/F    C      P      C      P      -      -      Develop security test plan.
X/F    C      P      C      P      -      -      Conduct independent code review, if required.
X/F    C      X      C      P      -      -      Conduct security testing & document results.
X/F    C      P      X      P      -      -      Conduct independent validation of security testing & address outstanding issues.
X/F    C      P      P      X      -      -      Develop ISA package.
-      -      -      X      -      -      -      Review ISA package & write evaluation report.
F      -      -      -      -      X      -      Certify application.
F      -      -      -      -      -      X      Accredit application.
X      X      C      C      -      C      C      Accept risk & approve for deployment.
X/F    C      P      C      P      -      -      Follow security-related plans, periodically review, test, and audit.
X/F    C      P      C      P      -      -      Reassess risks & upgrade controls, update security-related documents.
X/F    C      P      X      P      -      X      Re-initiate ISA.
X/F    C      P      C      P      -      -      Retire application.

(1) Manager, ISA Process.

(2) Manager, Corporate Information Security Office (CISO).

X = Responsible for accomplishment
F = Responsible for funding
P = Participant
C = Consulting support as required
- = No entry

Other organizations and managers with responsibilities for system, application, and product development include: chief inspector; inspector general; chief privacy officer; contracting officers and general counsel; and business partners (see Appendix A, Consolidated Roles and Responsibilities, for details).


8-3 General Development Concepts

* * * * *

8-3.6 Test Environment Restrictions

* * * * *

8-3.6.2 Testing with Nonsensitive Production Data

[Revise the first sentence to read as follows:]

Prior approval in writing is required from the executive sponsor and VP/CTO if nonsensitive production data is to be used in a test environment, regardless of where the testing is conducted.***

8-3.6.3 Testing with Sensitive and Business-Controlled Sensitivity Production Data

[Revise the first sentence to read as follows:]

Prior approval in writing is required from the CPO, executive sponsor, and VP/CTO if sensitive data, business-controlled sensitivity data, Privacy Act data, personally identifiable information (PII), or any information identified as "RESTRICTED INFORMATION" is to be used in a test environment, regardless of where the testing is conducted.***

* * * * *

8-5 Information Security Assurance Process

[Revise text to read as follows:]

The ISA process is a formal security analysis and management approval process to assess residual risk before the resource is put into production. The ISA process is required for each information resource (i.e., application or infrastructure component).

8-5.1 What the ISA Process Covers

[Revise the first sentence to read as follows:]

The ISA process consists of five interrelated phases that are conducted concurrently with the development and deployment of new information resources and every 5 years during the life cycle of the information resource.***

* * * * *

[Revise title of 8-6 to read as follows:]

8-6 Application Information Security Assurance Phases

* * * * *

8-6.1 Phase 1 - Definition

* * * * *

Exhibit 8-6
Overview of ISA Phases for Applications

[Revise Exhibit 8-6 as follows:]

[See page 6 for chart.]

[Revise title and text of 8-6.1.1 to read as follows:]

8-6.1.1 Initiate Application Information Security Assurance Process

The ISA process is initiated for all applications regardless of where they are located or whether they are controlled directly by the Postal Service or through a contractor or business partner.

8-6.1.2 Assign Information Systems Security Representative

[Revise text to read as follows:]

The executive sponsor or portfolio manager may assign in writing an information systems security representative (ISSR) to perform security-related activities.

8-6.1.3 Conduct Business Impact Assessment

[Revise text to read as follows:]

A BIA is completed (see Chapter 3) to determine the level of sensitivity and criticality, and the information security requirements for the application.

8-6.1.4 Define Security Requirements

[Revise text to read as follows:]

Security requirements are defined for all applications to secure the applications commensurate with the associated risks. Security requirements include the baseline security requirements for all applications and additional mandatory security requirements based upon the sensitivity and criticality of the applications (as defined by the ISA process). In addition, the ISSO may recommend additional discretionary security requirements, which the executive sponsor may agree to implement.

8-6.2 Phase 2 - Design and Integration

[Revise text to read as follows:]

Based on the baseline, mandatory, and selected approved discretionary security requirements from the BIA, the security controls and processes for the application are defined and implemented. The information security activities of Phase 2 are as follows:

8-6.2.1 Document High-Level Architecture

[Revise text to read as follows:]

A high-level architectural diagram (e.g., hardware, communications, security devices, and interconnected resources) is developed for all applications. The architectural diagram is submitted to the manager, SIS, for review and determination of the impact on the infrastructure and the need for additional security controls for the application (e.g., enclave).

8-6.2.2 Document Information Resources in the Enterprise Information Repository

[Revise text to read as follows:]

All applications are documented in the Enterprise Information Repository (EIR).

8-6.2.3 Conduct Risk Assessment

[Revise text to read as follows:]

A risk assessment is conducted for sensitive, critical, and business-controlled applications to identify security concerns (threats, vulnerabilities, control weaknesses), risk ranking, additional countermeasures, and residual risk (see Chapter 4).

8-6.2.4 Identify Security Controls

[Revise text to read as follows:]

Security controls are identified for potential threats and vulnerabilities as a result of the risk assessment process (see Chapter 4). Security controls, when appropriately implemented, provide protection of applications from threats and vulnerabilities.

8-6.2.5 Perform Controls Analysis

[Revise text to read as follows:]

An analysis of identified controls (safeguards) is conducted to determine their potential effectiveness to remove, transfer, or otherwise mitigate risk to applications. The controls analysis identifies any residual risk to the application.

8-6.2.6 Perform Cost Benefit Analysis

[Revise text to read as follows:]

A cost benefit analysis is performed and documented to facilitate the implementation of cost-effective protection for applications and continuity of business operations.

* * * * *

8-6.2.8 Develop Security Plan

[Revise text to read as follows:]

A security plan is developed for sensitive, critical, and business-controlled applications. A security plan is a blueprint for designing, building, and maintaining an application that can be defended against threats, including intruders, both internal and external. The security plan covers both the development and production environment and describes all information security controls that have been implemented or planned.

* * * * *

8-6.2.10 Harden Information Resources

[Revise text to read as follows:]

Information resources hosting applications are hardened to meet or exceed the requirements documented in Postal Service hardening standards. Hardening refers to the process of implementing additional software, hardware, or physical security controls.

[Renumber current 8-6.2.11 through 8-6.2.15 as new 8-6.2.12 through 8-6.2.16. Add new 8-6.2.11 to read as follows:]

8-6.2.11 Conduct Vulnerability Scan

A vulnerability scan is recommended for all information resources and applications and is required for some information resources and applications (see Handbook AS-805-A, Application Information Security Assurance (ISA) Process).

[Revise title and text of 8-6.2.12 to read as follows:]

8-6.2.12 Develop Application Disaster Recovery Plan

An application disaster recovery plan (ADRP) is developed for critical applications and for business-controlled criticality applications (see Chapter 12, Business Continuance Management).

8-6.2.13 Develop Facility Recovery Plan

[Revise text to read as follows:]

A facility recovery plan is developed for facilities designated by the VP/CTO as major information technology sites (see Chapter 12, Business Continuance Management).

8-6.2.14 Develop Standard Operating Procedures

[Revise text to read as follows:]

Standard operating procedures (SOPs) for emergencies, normal operations, exception processing, manual processes, etc., are developed for sensitive, critical, and business-controlled applications.

8-6.2.15 Incorporate Security Requirements in SLAs and Trading Partner Agreements

[Revise text to read as follows:]

Service level agreements (SLAs) are developed for all applications. Trading partner agreements are developed for all externally managed and/or developed applications. Information security requirements are addressed in all SLAs and trading partner agreements.

[Revise title and text of 8-6.2.16 to read as follows:]

8-6.2.16 Develop Operational Security Training

Appropriate materials are developed for training users, system administrators, managers, and other personnel on the correct use of the application and its security controls.

8-6.3 Phase 3 - Testing

* * * * *

8-6.3.1 Develop Security Test Plan

[Revise text to read as follows:]

A security test plan is developed for sensitive, critical, and business-controlled applications. The security test plan evaluates the technical and nontechnical security controls and other safeguards to establish the extent to which the application meets the security requirements for its mission and operational environment. The security test plan also addresses hardware, operating system, networking and telecommunications, physical security, personnel security, and computer operations and manual processes.

[Revise title and text of 8-6.3.2 to read as follows:]

8-6.3.2 Conduct Operational Security Training

Using the training materials developed in the prior phase, users, system administrators, managers, and other personnel are trained on the correct use of the application and its security safeguards.

8-6.3.3 Conduct Security Code Review

[Revise the first two paragraphs of this section to read as follows:]

To protect the infrastructure, a documented security code review is required for any externally facing, publicly available, or demilitarized zone (DMZ)-hosted application containing custom programming or scripting, regardless of the designation of sensitivity or criticality.

A code review is required for sensitive and critical applications that contain active content code or CGI scripts. A code review is recommended for business-controlled applications that contain active content code or CGI scripts.

* * * * *

8-6.3.5.2 Criteria for Conducting an Independent Security Code Review

An independent security code review is recommended by the ISSO during the BIA process for the following resources:

* * * * *

[Revise item b to read as follows:]

b. COTS products or applications containing custom programming or scripts that support a sensitive or critical application.

* * * * *

[Revise the first note in item d to read as follows:]

Note: An independent code review may be required at any time by the VP/CTO; manager, CISO; or vice president of the functional business area.***

* * * * *

8-6.3.6 Conduct Security Testing and Document Results

[Revise text to read as follows:]

Security testing is performed for sensitive, critical, and business-controlled applications. The executive sponsor must ensure that security testing is conducted using the approved security test plan. The platform and application technical mechanisms and the surrounding administrative controls are evaluated to establish the extent to which the application meets the security requirements.

8-6.3.7 Conduct Independent Penetration Testing and Vulnerability Scans

* * * * *

8-6.3.7.2 Criteria for Conducting Independent Penetration Testing and Vulnerability Scans

[Revise text to read as follows:]

Independent penetration testing and vulnerability scans are recommended by the ISSO during the BIA process for information resources hosting the following types of applications:

a. Sensitive, critical, and business-controlled applications.

b. Publicly accessible (externally facing) applications.

c. Applications that have access to or communicate through an untrusted network.

d. Applications developed, hosted, or managed primarily by non-Postal Service personnel.

Note: Independent penetration testing and vulnerability scans may be required at any time by the VP/CTO; manager, CISO; or vice president of the functional business area.

8-6.3.8 Conduct Independent Validation of Security Testing

8-6.3.8.1 Independent Validation of Security Testing Description

[Revise text to read as follows:]

The independent security test validation addresses the appropriateness and effectiveness of the security controls and corroborates the previously conducted security test results. The scope of the independent security test validation depends on the application, its hosting information resources, its environment, and the associated threats and vulnerabilities. The independent security test validation is usually carried out at the development or test site.

8-6.3.8.2 Criteria for Conducting Independent Validation of Security Testing

[Revise text to read as follows:]

An independent security test validation is recommended by the ISSO during the BIA process for the following applications:

a. Publicly accessible (externally facing) applications.

b. Applications that have access to, or communicate through, an untrusted network.

c. Applications developed, hosted, or managed primarily by non-Postal Service personnel.

Note: An independent security test validation may be required at any time by the VP/CTO; manager, CISO; or vice president of the functional business area.

8-6.3.9 Address Outstanding Issues

[Revise text to read as follows:]

Outstanding issues are addressed and the residual risk for applications is identified and documented. The residual risk is that portion of risk that remains after the security safeguards and countermeasures have been applied.

8-6.4 Phase 4 - Evaluation

[Revise text to read as follows:]

Phase 4 consists of activities described below that culminate in the certification, risk mitigation plan, accreditation, acceptance of residual risk, and approval to deploy an application:

a. ISA Evaluation Report

The ISSO evaluates the ISA documentation, prepares an ISA evaluation report that details the findings, and escalates security concerns or forwards the ISA evaluation report and the ISA documentation package to the certifier.

b. Certification

The certifier reviews the ISA evaluation report and ISA documentation package, escalates security concerns or certifies the application by preparing and signing a certification letter, and forwards the certification letter and ISA documentation package to the portfolio manager.

c. Risk Mitigation

The portfolio manager analyzes the ISA and business documentation, escalates security concerns or prepares a risk mitigation plan which addresses High and Medium risks, and forwards the risk mitigation plan and ISA documentation package to the accreditor.

d. Accreditation

The accreditor analyzes ISA and business documentation, escalates security concerns or prepares an accreditation letter, and forwards the accreditation letter and ISA documentation package to the executive sponsor and portfolio manager.

e. Acceptance of Residual Risk and Approval of Application for Deployment

The executive sponsor and portfolio manager jointly review the ISA and business documentation and return the application to the applicable ISA phase for rework or approve the application for deployment in the production environment by preparing and signing an acceptance letter.

The information security activities of Phase 4 are as follows:

8-6.4.1 Develop ISA Documentation Package

[Revise text to read as follows:]

Sensitive, critical, and business-controlled applications require an ISA documentation package. The package is a consolidation of the designation of sensitivity and criticality and associated protection requirements (BIA); threats, vulnerabilities, additional controls, and residual risks (risk assessment); protection mechanisms (security plan and ADRP); and the security test and evaluation results.

8-6.4.2 Review ISA Documentation Package and Write Evaluation Report

[Revise text to read as follows:]

The ISSO reviews the ISA documentation package and writes an ISA evaluation report highlighting the findings and recommendations. The ISSO escalates security concerns or forwards the ISA evaluation report and supporting documentation to the certifier for review.

[Renumber current 8-6.4.3 through 8-6.4.5 as new 8-6.4.5 through 8-6.4.7. Add new 8-6.4.3 and 8-6.4.4 to read as follows:]

8-6.4.3 Escalate Security Concerns or Certify Application

The certifier (manager, ISA process) reviews the ISA evaluation report and the supporting ISA documentation package, escalates security concerns or prepares and signs a certification letter, and forwards the certification letter and ISA documentation package to the portfolio manager.

8-6.4.4 Escalate Security Concerns or Prepare Risk Mitigation Plan

The portfolio manager reviews the certification letter and the supporting ISA and business documentation, and escalates security concerns or prepares a risk mitigation plan for any residual risks rated as Medium or High, recommending whether the risks should be accepted, transferred, or further mitigated. The portfolio manager then forwards the risk mitigation plan and ISA documentation package to the accreditor.

[Revise title and text of 8-6.4.5 to read as follows:]

8-6.4.5 Escalate Security Concerns or Accredit Application

The accreditor (manager, CISO) reviews the risk mitigation plan and the supporting ISA documentation, escalates security concerns or prepares and signs an accreditation letter, and forwards the accreditation letter and final ISA documentation package to the executive sponsor and portfolio manager.

[Revise title and text of 8-6.4.6 to read as follows:]

8-6.4.6 Make Decision to Deploy (or Continue to Deploy) or Return for Rework

[Change the title of this section as previously noted and revise this section to read as follows:]

The executive sponsor and portfolio manager review the accreditation letter, risk mitigation plan, and supporting ISA documentation package. They will issue a joint decision on whether to accept the residual risk and approve the application for deployment with what restrictions, if any.

If they decide not to approve deployment, they will indicate the ISA Phase to return to for rework. If they decide to approve and deploy, they will prepare and sign an acceptance letter.

[Revise title and text of 8-6.4.7 to read as follows:]

8-6.4.7 Deploy Application

When the application is deployed, the security controls for the application are implemented as documented in the security plan and the acceptance letter.

8-6.5 Phase 5 - Production

[Revise text to read as follows:]

Phase 5 is the operation and maintenance period of the application and includes activities to ensure that chosen security controls and procedures are functioning properly and that security controls are modified or added as needed to continue to protect the application. The information security activities for Phase 5 are as follows:

8-6.5.1 Follow Security-Related Plans and Continually Monitor Operations

[Revise text to read as follows:]

The security-related plans are executed as required during deployment, operation, and maintenance. The application is continually monitored for compliance with the security-related plans.

8-6.5.2 Periodically Review, Test, and Audit

[Revise text to read as follows:]

Applications are periodically reviewed and audited for compliance with Postal Service policies. Plans related to facility recovery or business continuity are tested to ensure that these plans meet business and security objectives (see Chapter 12, Business Continuance Management).

8-6.5.3 Re-assess Risks and Upgrade Security Controls

[Revise text to read as follows:]

Risks are re-assessed every 5 years, at any time major changes are made to the application, if a serious security breach occurs, or if audit findings regarding security are issued. Security controls are upgraded as necessary to protect the application and assure business continuity.

* * * * *

8-6.5.5 Re-initiate ISA

[Revise text to read as follows:]

Re-initiating the ISA is required a minimum of every 5 years following the initial ISA of the application. Re-initiating the ISA may result in re-certification, re-accreditation, re-acceptance of risk, and re-approval for deployment. Re-initiating the ISA could also be required for the following reasons:

a. Significant changes to the operating environment or the business requirements of the application. Significant changes may include, but are not limited to:

(1) Change in the primary functions of the application or data that alters the criticality or sensitivity designation of the application.

(2) Change from one major application to another, such as BroadVision to WebObjects.

(3) Change from one database application to another, such as Oracle to MS-SQL.

(4) Change in the hosting location, such as from a Postal Service facility to an outsourced, non-Postal Service location.

(5) Change in the operating environment resulting from discovery of a new vulnerability or threat that significantly alters the risk to the application.

b. A significant information security incident that violates an explicit or implied security policy, compromising the integrity, availability, or confidentiality of an application (e.g., a critical disruption or monetary loss, the unauthorized modification of sensitivity or criticality information, or the release of sensitive or business-controlled sensitivity information).

c. Significant finding of an audit or other external assessment.

d. A request by the VP/CTO; the manager, CISO; the vice president of the functional business area; or the executive sponsor.

* * * * *

Appendix A Consolidated Roles and Responsibilities

* * * * *

2 Vice President, Chief Technology Officer

The vice president, Chief Technology Officer (VP/CTO), is responsible for the following:

* * * * *

[Revise item f to read as follows:]

f. Together with the vice president of the functional business area, accepting, in writing, residual risk of applications and approving deployment. The VP/CTO has delegated this responsibility to the applicable portfolio manager.

3 Manager, Corporate Information Security Office

***The manager, CISO, is responsible for the following:

* * * * *

[Delete items e, f, and h. Reletter current items g through aj as new items e through ag and revise new item e to read as follows:]

e. Reviewing the ISA documentation package and accrediting the application.

* * * * *

5 Vice Presidents, Functional Business Areas

The vice presidents of Postal Service functional business areas are responsible for the following:

* * * * *

[Revise item d to read as follows:]

d. Together with the VP/CTO, accepting, in writing, residual risks associated with information resources under their control and approving deployment. The vice presidents of functional business areas have delegated this responsibility to the applicable executive sponsor.

* * * * *

10 Executive Sponsors

Executive sponsors, as representatives of the vice president of the functional business area, are the business managers with oversight (funding, development, production, and maintenance) of the information resource and are responsible for the following:

* * * * *

[Reletter current items aa through ab as new items ab through ac. Add new item aa to read as follows:]

aa. Working jointly with the portfolio manager to review the ISA documentation package, accept the residual risk to an application, and approve the application for production or return the application to the applicable lifecycle phase for rework.

11 Portfolio Managers

[Revise text to read as follows:]

Portfolio managers are responsible for the following:

a. Functioning as the liaison between executive sponsors and IT providers.

b. Supporting the executive sponsor in the development of information resources and the ISA process, including the BIA, risk assessment, and BCM.

c. Appointing, if desired, an information systems security representative (ISSR) to perform security-related activities.

d. Ensuring that the application is entered in the Enterprise Information Repository (EIR) and updated as required.

e. Providing coordination and support to executive sponsors for all matters relating to disaster recovery (DR) processes, e.g., coordinating and supporting DR costing models.

f. Functioning as the liaison between executive sponsors and DR service providers in the planning and execution of DR requirements.

g. Reviewing the ISA documentation package and completing a risk mitigation plan for risks identified as High or Medium.

h. Working jointly with the executive sponsor to review the ISA documentation package, accept the residual risk to an application, and approve the application for production or return the application to the applicable lifecycle phase for rework.

i. Ensuring that the application is registered in eAccess.

* * * * *

[Revise title and text of Appendix 29 to read as follows:]

29 Accreditor

The manager, Corporate Information Security Office, functions as the accreditor and is responsible for the following:

a. Reviewing the risk mitigation plan and supporting ISA documentation package together with business requirements and relevant Postal Service issues.

b. Escalating security concerns or preparing and signing an accreditation letter that makes one of the following recommendations: accepting the application with its existing information security controls, requiring additional security controls with a timeline to implement, or deferring deployment until information security requirements can be met.

c. Forwarding the accreditation letter and ISA documentation package to the portfolio manager and executive sponsor.

[Renumber current Appendices 30 through 35 as new 31 through 36. Add new Appendix 30 to read as follows:]

30 Certifier

The manager, Information Security Assurance, who is appointed by the CISO, functions as the certifier and is responsible for the following:

a. Managing and providing guidance to the information systems security officers (ISSOs).

b. Reviewing the ISA evaluation report and the supporting ISA documentation package.

c. Escalating security concerns or preparing and signing a certification letter.

d. Forwarding the certification letter and ISA documentation package to the portfolio manager.

e. Maintaining an inventory of all information resources that have completed the ISA process.

* * * * *

33 Information Systems Security Representatives

***ISSRs are responsible for the following:

* * * * *

[Revise item d to read as follows:]

d. Notifying the executive sponsor, portfolio manager, and ISSO of any additional security risks or concerns that emerge during development or acquisition of the information resource.***

* * * * *

- Corporate Information Security, Information Technology, 4-28-05


NOTICE

FAST to Replace DSAS - Technical Webinars and User Training Begin Soon

National deployment of Facility Access and Shipment Tracking (FAST) begins in June, but there is still time to obtain a FAST ID, register for user training, and learn more about the technical aspects of using FAST via Web Services.

Customers will be required to use both FAST and Drop Shipment Appointment System (DSAS) during the 6-month phased deployment period, depending on which sites are scheduled to receive drop shipments. Once a Postal Service™ facility is activated for FAST, customers will no longer be able to make appointments for that facility through DSAS.

User training sessions are specifically for current DSAS Web users. The "webinar" sessions are targeted to customers who require knowledge of batch processing.

Customer Registration for a FAST ID Is in Progress

Current DSAS users must register for FAST through PostalOne! DSAS sign-on IDs will not work in FAST. Customers can log on to PostalOne! at www.usps.com/postalone and follow the instructions to create a new account. For customers who already have a PostalOne! account, FAST registration begins with a call to the PostalOne! Customer Care Center at 800-522-9085.

FAST Customer Train-the-Trainer Sessions Begin on May 9

The Postal Service is offering FAST Train-the-Trainer classes in May and June at select Postal Service training facilities around the country. During these instructor-led sessions, customers will learn about FAST functionality and get hands-on practice in a simulated FAST training environment. These classes are designed for people who currently make appointments in DSAS.

Companies may select up to five people to participate in the Train-the-Trainer classes. The Customer Training Registration Form is included on page 15 of this Postal Bulletin and can also be downloaded from the Rapid Information Bulletin Board System (RIBBS) at http://ribbs.usps.gov.

FAST Train-the-Trainer Classes for Postal Service Employees

Train-the-Trainer classes for Postal Service employees are being coordinated through the area FAST coordinators (previously DSAS coordinators).

FAST Technical Webinars Begin on April 28

The Postal Service will also offer FAST Technical "Webinars," beginning April 28. A webinar is a Web-based conference that provides participants an opportunity to see presentation materials, hear directly from the FAST team, and ask questions verbally or online. These webinars are intended for technical people who conduct analysis of technical and functional requirements for software design, implement software designs, and manage software implementations within their companies. Job titles may include systems analysts, software developers, and IT project managers.

The FAST Technical Webinar Series includes the following three sessions:

Session 1: April 29, 1 P.M. EST: FAST Technical Overview for Technical People in Customer Organizations

• Introduction to FAST: PostalOne! Data Exchange, PostalOne! FAST Interface, PostalOne! FAST Web Services

• IDEAlliance

• Technical Development Startup Steps and Resources for Customers

• Questions and Answers

Session 2: May 6, 1 P.M. EST: FAST for Software Vendors Supporting Web Services Customers

• Introduction to FAST: PostalOne! Data Exchange, PostalOne! FAST Interface, PostalOne! FAST Web Services

• IDEAlliance

• Technical Development Startup Steps and Resources for Vendors

• Questions and Answers

Session 3: May 13, 1 P.M. EST: Details To Be Announced

To attend, follow the webinar instructions posted on RIBBS. Each session will be recorded and available for playback for those not able to participate on the original date.

Additional Information on RIBBS

To learn more now, visit the RIBBS FAST/Surface Visibility link at http://ribbs.usps.gov. Under "RIBBS Links," click "FAST/Surface Visibility," then click "Click Here for Additional Information" in the Document Repository. There you will find the following:

• FAST Overview

• FAST Customer Train-the-Trainer Registration Information

• Webinar Instructions

• Technical Information for Web Services, and more.

Look for ongoing FAST updates in the Postal Bulletin.

- Logistics Systems, Operations, 4-28-05

FAST Customer Train-the-Trainer Registration Form

Training Participant Information

Name: ____________________
Company: ____________________
Address: ____________________
Telephone Number: ____________________
E-mail Address: ____________________

REMINDER: Companies may only register up to five train-the-trainer participants.

Instructions

The Postal Service is offering FAST Customer Train-the-Trainer Sessions in May and June in selected cities around the country. During these instructor-led sessions, customers will learn about FAST functionality and receive hands-on practice in a simulated FAST training environment.

From the Training Schedule (pictured below), select your first, second, and third choices. Base your selection on the city closest to you. Write your selected training session numbers in the box below. All classes are scheduled from 9:00 A.M. through 5:00 P.M.

First choice: ______   Second choice: ______   Third choice: ______

E-mail this completed form to FAST_Training@usps.gov or send it via facsimile to 240-465-1496.

You will receive confirmation and training facility address information within 1 week of your request.

Training Schedule

Location              Date    Session Number
New York, NY          5/11    NY1
                      5/12    NY2
                      5/13    NY3
Madison, WI           5/10    MWI1
                      5/11    MWI2
                      5/12    MWI3
Springfield, MA       5/16    SMA1
Boston, MA            5/19    BOS1
                      5/20    BOS2
Orlando, FL           5/17    OFL1
                      5/18    OFL2
                      5/19    OFL3
Dallas, TX            5/23    DTX1
                      5/24    DTX2
Denver, CO            5/25    DCO1
                      5/26    DCO2
Bloomingdale, IL      6/1     CH1
                      6/2     CH2
                      6/3     CH3
                      6/16    CH4
                      6/17    CH5
St. Paul, MN          6/1     MN1
                      6/2     MN2
                      6/3     MN3
San Francisco, CA     6/6     SCA1
                      6/7     SCA2
Los Angeles, CA       6/8     LA1
                      6/9     LA2
                      6/10    LA3
Atlanta, GA           6/15    AGA1
                      6/16    AGA2
                      6/17    AGA3
