To ensure that Information Technology (IT) resources are inventoried and configured in compliance with IT security policies, standards, and procedures.
SSC Science Program Collaboration and Emerging Technologies team shall:
Develop, document, and maintain under configuration control, a current baseline configuration of the cloud environment or information systems.
Review and update the baseline configuration of the cloud environment or information system quarterly.
Review and update the baseline configuration of the cloud environment or information system when required as an integral part of information system component installations and upgrades.
Retain three previous versions of baseline configurations of the cloud environment or information systems to support rollback.
SSC Science Program Collaboration and Emerging Technologies team shall:
Determine the types of changes to the cloud environment or information system that are configuration-controlled.
Review proposed configuration-controlled changes to the cloud environment or information system and approve or disapprove such changes with explicit consideration for security impact analyses.
Document configuration change decisions associated with the cloud environment or information system.
Implement approved configuration-controlled changes to the cloud environment or information system.
Retain records of configuration-controlled changes to the cloud environment or information system.
Audit and review activities associated with configuration-controlled changes to the cloud environment or information system.
Coordinate and provide oversight for configuration change control activities through Microsoft Teams and code repository pull requests.
Test, validate, and document changes to the cloud environment or information system before implementing the changes on the operational system.
SSC Science Program Collaboration and Emerging Technologies team shall:
Establish and document configuration settings for cloud environment or information technology products employed within the environment using cloud policies that reflect the most restrictive mode consistent with operational requirements.
Implement the configuration settings.
Identify, document, and approve any deviations from established configuration settings or policies based on operational requirements.
Monitor and control changes to the configuration settings in accordance with policies and procedures.
SSC Science Program Collaboration and Emerging Technologies team shall:
Configure the cloud environment or information system to provide only essential capabilities.
Review the cloud environment or information system quarterly to identify unnecessary and/or non-secure functions, ports, protocols, and services.
Disable functions, ports, protocols, and services within the cloud environment or information system deemed to be unnecessary and/or non-secure.
Prevent program execution in accordance with policies regarding software program usage and restrictions and rules authorizing the terms and conditions of software program usage.
Identify software programs not authorized to execute on the cloud environment or information systems.
Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.
Employ a deny-all, approve-by-exception policy for third-party marketplace items in the cloud environment. This includes controlling a private marketplace that allows only approved software following the Marketplace Approval Process.
Review and update the list of unauthorized and authorized software programs annually.
CLOUD ENVIRONMENT & INFORMATION SYSTEM COMPONENT INVENTORY
SSC Science Program Collaboration and Emerging Technologies team shall:
Document any components that are not already tracked as part of the cloud portal (e.g., software installs).
Update the inventory of components as an integral part of component installations, removals, and information system updates.
Employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system.
Take the following actions when unauthorized components are detected and verified:
Disable network access for such components, or isolate the components, and notify the security operator and system owner.
Move the subscription to the quarantine management group.
Rebuild any virtual machines or containers that are deemed compromised.
Verify that all components within the authorization boundary of the cloud environment or information system are not duplicated in other information system component inventories.
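The following is an added example, not the SSC Science Program Collaboration and Emerging Technologies team's own tooling. It models three of the controls stated above in working code: retention of the three previous baseline configurations for rollback, detection of unauthorized or drifted components by comparing an observed inventory against the current baseline (with the response steps listed in this section), and the two software rules (allow-all/deny-by-exception for program execution on the information system; deny-all/approve-by-exception for marketplace items). All component names, versions and exception lists are constructed sample data, and the function names are assumptions of this example.

```python
"""Baseline retention, drift detection and software rules (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Policy parameter from the page: retain three previous baselines for rollback.
RETAINED_VERSIONS = 3


@dataclass
class BaselineStore:
    """Current baseline (component -> version) plus retained previous baselines."""

    current: Dict[str, str]
    history: List[Dict[str, str]] = field(default_factory=list)

    def update(self, new_baseline: Dict[str, str]) -> None:
        # Push the outgoing baseline onto history and trim to the retention limit,
        # so at most RETAINED_VERSIONS previous baselines are kept.
        self.history.append(dict(self.current))
        self.history = self.history[-RETAINED_VERSIONS:]
        self.current = dict(new_baseline)

    def rollback(self) -> Dict[str, str]:
        # Restore the most recently retained baseline; fail loudly if none exists.
        if not self.history:
            raise ValueError("no previous baseline retained")
        self.current = self.history.pop()
        return self.current


def detect_drift(
    inventory: Dict[str, str],
    baseline: Dict[str, str],
    approved_exceptions: Set[str],
) -> Tuple[List[str], List[str], List[str]]:
    """Compare an observed inventory against the baseline.

    Returns (unauthorized, drifted, missing):
      unauthorized - in inventory, not in baseline, not an approved exception
      drifted      - in both, but at a different version than the baseline
      missing      - in baseline but absent from the inventory
    """
    unauthorized = sorted(
        c for c in inventory if c not in baseline and c not in approved_exceptions
    )
    drifted = sorted(
        c for c in inventory if c in baseline and inventory[c] != baseline[c]
    )
    missing = sorted(c for c in baseline if c not in inventory)
    return unauthorized, drifted, missing


def response_actions(unauthorized: List[str]) -> List[str]:
    """Response steps from the policy, returned only for a verified detection."""
    if not unauthorized:
        return []
    return [
        "isolate the components or disable their network access",
        "notify the security operator and system owner",
        "move the subscription to the quarantine management group",
        "rebuild virtual machines or containers deemed compromised",
    ]


def program_execution_allowed(program: str, blocked: Set[str]) -> bool:
    """Information system rule: allow-all, deny-by-exception."""
    return program not in blocked


def marketplace_item_allowed(item: str, approved: Set[str]) -> bool:
    """Private marketplace rule: deny-all, approve-by-exception."""
    return item in approved


# Constructed sample data (not real SSC inventories).
SAMPLE_BASELINE_V1 = {"nginx": "1.24", "openssl": "3.0.13", "agent": "2.1"}
SAMPLE_BASELINE_V2 = {"nginx": "1.26", "openssl": "3.0.13", "agent": "2.1"}
SAMPLE_INVENTORY = {
    "nginx": "1.26",
    "openssl": "3.0.13",
    "agent": "2.2",            # version differs from baseline -> drifted
    "jq": "1.7",               # approved exception -> not reported
    "unapproved-tool": "0.1",  # not in baseline, no exception -> unauthorized
}
SAMPLE_EXCEPTIONS = {"jq"}


def run_demo() -> Dict[str, object]:
    """Apply a baseline update, check the inventory, and roll back."""
    store = BaselineStore(current=dict(SAMPLE_BASELINE_V1))
    store.update(SAMPLE_BASELINE_V2)
    unauthorized, drifted, missing = detect_drift(
        SAMPLE_INVENTORY, store.current, SAMPLE_EXCEPTIONS
    )
    actions = response_actions(unauthorized)
    restored = store.rollback()
    return {
        "unauthorized": unauthorized,
        "drifted": drifted,
        "missing": missing,
        "actions": actions,
        "restored_baseline": restored,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The drift check treats an approved exception as authorized only for presence, not for version, so an exception never hides a version change in a baselined component; and `rollback` raises rather than silently keeping the current baseline when nothing is retained, which is the condition the three-version retention rule is meant to prevent.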
SSC Science Program Collaboration and Emerging Technologies team shall develop, document, and implement a configuration management plan for the cloud environment or information system that:
Addresses roles, responsibilities, and configuration management processes and procedures.
Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.
Defines the configuration items for the information system and places the configuration items under configuration management.
Protects the configuration management plan from unauthorized disclosure and modification.
SSC Science Program Collaboration and Emerging Technologies team shall:
Use software and associated documentation in accordance with contract agreements and copyright laws.
Track the use of software and associated documentation protected by quantity licenses to control copying and distribution.
Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Ensure that all cloud components and information systems are used for government purposes.
SSC Science Program Collaboration and Emerging Technologies team shall:
Establish policies governing the installation of software by users.
Enforce software installation policies by controlling privileged access and by blocking the execution of files through policy applied by the directory service and/or application whitelisting.
Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions as well as both civil and criminal penalties.
Requests for exceptions to this policy shall be reviewed by the SSC Science Program Collaboration and Emerging Technologies team and the Director. Departments requesting exceptions shall provide such requests to the SSC Science Program Collaboration and Emerging Technologies team in writing. The request should specifically state the scope of the exception, the justification for granting it, the potential impact or risk of granting it, the risk mitigation measures to be undertaken by the IT Department, and the initiatives, actions and timeframe for achieving the minimum compliance level with the policies set forth herein. The SSC Science Program Collaboration and Emerging Technologies team shall review such requests and confer with the requesting department.
The table below lists current exemptions:
| Name | Description | Rationale | Date of exemption |
|------|-------------|-----------|-------------------|
| Experimental / Sandbox work | Any work that is done in the experimental / sandbox space | This work is meant for short-lived software trials, learning cloud environments and business transformation, so full documentation and monitoring may not be required. Private marketplace restrictions still apply for contracting restrictions. | |