General Support Systems and Major Applications Inventory Guide

TABLE OF CONTENTS

1.0 OVERVIEW ........ 1
2.0 METHODOLOGY FOR DETERMINATION OF GSS AND MA INVENTORY ........ 3
3.0 CHANGES TO THE INVENTORY BETWEEN CYCLES ........ 18
4.0 RELEVANT DEFINITIONS ........ 19
5.0 REFERENCES ........ 21
APPENDIX A GSS AND MA INVENTORY SUBMISSION FORM ........ 1
APPENDIX B SAMPLE GSS AND MA INVENTORY SUBMISSION FORM ........ 1
APPENDIX C SAMPLE MEMORANDA ........ 1
APPENDIX D INFORMATION COVERED BY THE PRIVACY ACT / FREEDOM OF INFORMATION ACT (FOIA) EXEMPTIONS ........ 1

1.0 OVERVIEW

1.1 PURPOSE

The purpose of this document is twofold. First, the document describes the process that will be used by the Hypothetical Government Agency to establish and maintain an inventory of general support systems (GSSs) and major applications (MAs). Second, the document provides guidance to the Principal Offices (POs) regarding the standards to be employed throughout this process.

The concepts of GSSs and MAs are defined in OMB Circular A-130, Management of Federal Information Resources, as follows: a GSS is "an interconnected set of information resources under the same direct management control which shares common functionality." An MA is "an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application."

This process enables the Hypothetical Government Agency's GSS and MA inventory to officially identify and document the security classifications of GSSs and MAs in use by the Agency, in compliance with Federal requirements. This GSS and MA inventory is intended to complement existing Agency security initiatives, such as those under the Government Information Security Reform Act (GISRA)[1] and Critical Infrastructure Protection mandates.

1.2 OBJECTIVES / GOALS

The primary objective in developing a systematic approach for the inventory and classification of the GSSs and MAs in the Agency is to ensure that automated information resources, which "include both government information and information technology,"[2] have adequate security to protect "information collected, processed, transmitted, stored, or disseminated by the Agency."[3]
Without an accurate assessment of what constitutes the Agency's GSSs and MAs, it is impossible to ensure that all automated information resources implement the appropriate level of protection. While all automated information resources require a level of security, some require additional security controls due to the sensitivity of the information processed or criticality to the Agency's missions. Successful completion of this GSS and MA inventory process will identify the GSSs and MAs that require additional security controls. This follows the tenet that applications that do not qualify for inclusion in this GSS and MA inventory rely on the GSSs in which they operate for the provision of adequate security. It is therefore incumbent to accurately complete this GSS and MA inventory process to ensure that adequate security is applied to the entirety of the Agency's automated information resources. The specific security requirements for the GSSs and MAs included in the inventory can be found in the Agency's Certification and Accreditation related guidance.

[1] Public Law 106-398.
[2] OMB Circular A-130.
[3] OMB Circular A-130, Appendix III.

1.3 AUDIENCE

This document is intended for the following Hypothetical Government Agency personnel:

- Principal Officers – in their capacity as the senior officials responsible for providing security for the information collected, processed, transmitted, stored, or disseminated by GSSs and MAs under their control.
- Computer Security Officers (CSOs) – in their capacity for maintaining the information security program within their respective POs.
- System owners – in their capacity to provide security controls appropriate for the protection of Agency information.
- The Chief Information Officer (CIO) – in his/her capacity as the official responsible for providing guidance on information security throughout the Agency.

1.4 DOCUMENT STRUCTURE

This document is organized into five sections, each discussing an aspect of the GSS and MA inventory process.
The first section provides an overview of the Guide. The second section details the steps to be taken to complete the process along with standardized definitions and criteria to be employed throughout the process. The third section includes guidance for ongoing maintenance of the GSS and MA inventory. The fourth section provides a listing of all applicable definitions. The fifth section is a list of references relevant to the creation and maintenance of the Agency's GSS and MA inventory. Appendix A provides the GSS and MA Inventory Submission Form that should be used to document and submit the results of the inventory process. Appendix B provides a sample completed GSS and MA Inventory Submission Form. Appendix C then provides sample memoranda for PO and CIO validation of the GSS and MA inventory. Appendix D provides additional guidance related to the classification of information.

[4] Public Law 106-398, October 30, 2000.

2.0 METHODOLOGY FOR DETERMINATION OF GSS AND MA INVENTORY

The following subsections provide detailed information on the five steps necessary for the Agency to create and maintain its GSS and MA inventory:

Step 1: Identify GSSs and Applications – Determine the business functions that are automated and identify the automated information resources that support them
  a) Identify Business Functions
  b) Identify Automated Information Resources
  c) Categorize Automated Information Resources as GSS or Applications
Step 2: Classify GSSs and Applications – Ascertain the security needs of each based upon additional considerations
Step 3: Identify MAs – Use security classifications to determine if an application qualifies as an MA – those applications that require special security considerations due to the nature of the information in the application. (Only applications determined to be MAs will be included in the GSS and MA inventory; see Section 2.3)
Step 4: Submit to CIO – POs validate and acknowledge the GSS and MA inventory as accurate
Step 5: Endorsement by CIO – Generate the official GSS and MA Inventory for the Agency.

Once steps 1-3 are completed for a particular GSS or MA, their results should be documented in the attached form in Appendix A and endorsed, with the entirety of the PO's GSSs and MAs, under cover of the sample memorandum in Appendix C. This process is highlighted in Figure 2-1.

To retain a current and comprehensive list of the GSSs and MAs, the inventory process will be undertaken semi-annually, with final validation of the GSS and MA inventory to occur on January 31 and July 31. During each cycle, POs will need to validate the inventory on record or update information on the GSSs and MAs in their PO. CIO receipt of PO validation of the GSS and MA inventory will be required no less than 2 weeks prior to the final validation date.

If, at any point during the GSS and MA inventory process, there is need for clarification, CSOs should consult with the Office of the Chief Information Officer (OCIO) to ensure compliance with the applicable requirements.

[Figure 2-1: GSS and MA Inventory Process]

2.1 STEP 1: IDENTIFY GENERAL SUPPORT SYSTEMS AND APPLICATIONS

2.1.1 STEP 1A: IDENTIFY BUSINESS FUNCTIONS

The first step in creating and maintaining an inventory of GSSs and MAs is to identify all automated information resources used by the PO to perform its business functions. (All automated information resources in the PO are either a GSS or an application. See Section 2.1.3.) To begin, identify the business functions that occur within the PO – the work the PO performs in support of the Agency's mission, vision, and goals. This may include such functions as grants management, provision of public information, or human resources management. These functions should then be divided into the specific activities that support the overall business function.
2.1.2 STEP 1B: IDENTIFY AUTOMATED INFORMATION RESOURCES

Each business function identified may have certain associated automated processes. Once these automated processes have been identified, the automated information resources that support these processes must be identified. Those automated information resources are included as candidates for the GSS and MA inventory.

For each business function, identify and describe any automated process that supports it. Identify the automated information resources employed by the automated process, including databases, stand-alone systems, communications systems, networks, and any other type of information technology-related support. Automated information resources that utilize general-purpose software such as spreadsheets and word processing software are not included as candidates, as their security is provided by the GSS on which they reside.
Note: It is possible to have several automated information resources support a single business function. It is also possible to have a single automated information resource support several business functions.

2.1.2.1 Shared Resources / System Interconnectivity[1]

OMB Circular A-130 delineates the need for agencies to ensure "information is protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information," regardless of its location or the owner of the automated information resource. Therefore, all automated information resources that support automated processes must be identified, including those that are owned, in whole or in part, by a party other than the Agency.

All automated information resources that collect, process, transmit, store, or disseminate Agency information must be identified, regardless of ownership. For example, if a payroll system is operated by another Federal agency but part of the system is loaded on the Agency's computers to perform a business function, the Agency is responsible for ensuring appropriate security controls are in place for that automated information resource. If another agency runs a system that processes Agency information, an interagency agreement should be put in place to officially verify terms of agreement for the protection of information between the agencies as well as to ensure adequate security measures are instituted to protect the information.[2]

Consideration must also be given to all automated information resources operated by contractors in support of Agency work.

[1] NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems.
OMB Circular A-130 states that information technology (and, thereby, automated information resources) includes those resources "used by a contractor under a contract with the executive agency which (1) requires the use of such equipment, or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product."

2.1.2.2 Automated Information Resource Boundaries

An automated information resource is defined by constructing a logical boundary around a set of processes, communications, storage, and related resources. The elements within this boundary constitute a single automated information resource and must:

- Be under the same direct management control
- Have the same function or mission objective
- Have essentially the same operating characteristics and security needs, and
- Reside in the same general operating environment.[3]

[2] NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems.
[3] NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems.

Question to consider: Is any business function supported by automated information resources not owned by the Agency?

Any automated information resource that receives federal funding must be considered as a candidate general support system or application.

2.1.2.3 Additional Considerations in Identifying Automated Information Resources

The following additional items are guidance to be considered during the process of defining the automated information resources.

2.1.2.3.1 Manual Processes

The process described in this document is designed to identify and inventory the automated information resources that support automated processes. As such, manual processes or locations that support specific business functions, such as libraries and records archives, should be excluded.
2.1.2.3.2 Lifecycle Considerations

Providing security is an ongoing process, conducted throughout the lifecycle. Ideally, security is incorporated into the development of an automated information resource. As noted in OMB Circular A-130, Appendix III, "for security to be most effective, the controls must be part of day-to-day operations. This is best accomplished by planning for security not as a separate activity, but as an integral part of overall planning." Additionally, GISRA, citing the Clinger-Cohen Act and the Computer Security Act of 1987, directs the heads of agencies to "incorporate information security principles and practices throughout the lifecycles of the agency's information systems." Therefore, any automated information resource under development, at any stage, must be included in the list of candidates identified in this step.

Automated information resources should be considered as they are planned to operate when fully functional, not necessarily how they currently operate. Security should be planned for the data that will be processed, whether or not that data is yet processed by the automated information resource. It is understood that these classifications may change throughout the life of the automated information resource, but it is important to have accurate classifications at each stage of the life cycle, so that appropriate security controls will be applied. As the need for changes to the data classifications arises, the inventory should be updated to accurately reflect the current state of the data sensitivity or mission criticality. (See Section 2.4.)

Similarly, an automated information resource may not be excluded from the list of candidates if it is only scheduled for retirement. The automated information resource may not be removed from consideration unless it has been completely disconnected or shut down, information requiring protection has been properly removed from the automated information resource, and official confirmation of such action has been received by the CIO. This must include completion of the System Disposal Checklist, Appendix V of the IT Security Risk Assessment Guide. The consideration of automated information resources in all stages of the system development life cycle (SDLC) is in direct correlation with the Agency's IT Security Risk Assessment Guide, which provides specific guidelines for ensuring appropriate security for systems in all phases of the SDLC.

Question to consider: Are there any automated information resources under development to support business functions?

2.1.2.3.3 Information Technology Capital Planning

Consistent with Section 2.1.2.3.2, Lifecycle Considerations, all automated information resources that receive consideration during the information technology capital planning process must also be included among the list of candidates for the GSS and MA inventory, even if they are only in a developmental state. If the automated information resource does not receive funding during the process, the inventory may be updated to reflect this decision. (See Section 3.0.)

2.1.3 STEP 1C: CATEGORIZE AUTOMATED INFORMATION RESOURCES AS GSS OR APPLICATION

Per the guidance of OMB Circular A-130, Appendix III, Federal agencies are directed to provide adequate security for all automated information resources, which includes both government information and information technology. Each automated information resource identified in Section 2.1.2 must be reviewed to determine its status as a GSS or application. This status should be determined by applying the following definitions.

Note: Each automated information resource will be either a GSS or an application. (Some automated information resources may be identified as both a General Support System and an application, as in the case where a database is run from a stand-alone computer.)

- Government information is information created, collected, processed, disseminated, or disposed of by or for the Federal Government.
- Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

2.1.3.1 General Support System

A GSS is "an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, an Agency data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO)."[4]
2.1.3.2 Application

An application is "the use of information resources to satisfy a specific set of user requirements."[5] Identification as an MA is based upon the classifications in Section 2.2 and is fully explained in Section 2.3.

Note: Only applications identified as MAs will be included in the final GSS and MA inventory.

[4] OMB Circular A-130, Appendix III.
[5] OMB Circular A-130, Appendix III.

Questions to consider:
- Is the automated information resource used by other automated information resources to transmit or store data?
- Is the automated information resource a local or wide-area network?
- Does the automated information resource support multiple other automated information resources?

2.2 STEP 2: CLASSIFY GSS AND APPLICATIONS

To support the development and maintenance of appropriate security controls for GSSs and MAs on the inventory, it is necessary to identify security classifications for each and the information it handles. This section will describe and define several sets of security classifications to be applied to the GSSs and applications identified in Section 2.1 to appropriately evaluate the level of security required for each.

If, in Section 2.1.3, the automated information resource was determined to be a GSS, it will be included in the GSS and MA inventory and requires the classifications outlined in the following sections. If, in Section 2.1.3, the automated information resource was determined to be an application, the classifications outlined in the following sections should be used to determine if it qualifies as an MA (see Section 2.3). Only applications determined to be MAs will be included in the final GSS and MA inventory.

2.2.1 INFORMATION SENSITIVITY

To appropriately protect information, its relationship to and impact on the mission of the Agency must be understood. Therefore, it is necessary to know the requirements of the data to be protected from specific risks in order to apply appropriate security controls. The NIST Security Self-Assessment Guide for IT Systems (SP 800-26) uses three basic protection requirements in order to determine the information sensitivity: confidentiality, integrity (which, for the purposes of the Guide, includes non-repudiation and authenticity), and availability.

- Confidentiality – Protection from unauthorized disclosure
- Integrity – Protection from unauthorized, unanticipated, or unintentional modification
- Non-repudiation – Verification of the origin or receipt of a message
- Authenticity – Verification that the content of a message has not changed in transit
- Availability – Available on a timely basis to meet mission requirements or to avoid substantial losses.

Each area must be rated on the scale of High, Medium, or Low, using the following guidance from NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, and NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, for making the determination.

High: A critical concern for the automated information resource. Extremely grave injury accrues to U.S. interests if the information is compromised; could cause loss of life, major financial loss (greater than $1 million), or require legal action up to imprisonment for correction.

Medium: An important concern, but not necessarily paramount in the organization's priorities. Serious injury to U.S. interests if the information is compromised; could cause significant financial loss ($100,000 to $1 million) or require legal action for correction.

Low: Some minimal level of security is required, but not to the same degree as the previous two categories. Injury accrues to U.S. interests if the information is compromised; would cause only minor financial loss (less than $100,000) or require only administrative action for correction.

Note: The Agency does not have automated information resources that could cause injury to U.S. interests. Thus, the financial and legal ramifications should be used as a guide to determine information sensitivity.

2.2.1.1 Confidentiality

To determine the appropriate level of confidentiality, an application or GSS must take into consideration the need for its information to be protected from unauthorized disclosure. The level of confidentiality depends on the nature of the information. For example, information that is widely available to the public has a low level of confidentiality because it requires only minimal, or perhaps no, protection from disclosure. However, there are certain types of information that must be protected from disclosure due to the expectation or assurance of privacy, or because unauthorized disclosure could result in a loss to the Agency. Information that includes financial, proprietary, or personal information should be protected at a high or medium level of confidentiality.

The Privacy Act makes it clear that the Agency is not allowed to disclose any record that is contained in a system of records, by any means of communication, to any person or agency, except pursuant to a written authorization. Although an application or GSS may not meet Privacy Act criteria, it may still contain information that should be protected at a high or medium level of confidentiality. FOIA provides access to federal agency records except those that are protected from disclosure by any of nine exemptions and three special law enforcement record exclusions in the Act.
For the Agency, only three of these exemptions are applicable:

- Information related solely to the internal personnel rules and practices of an agency, but not including business contact information of employees or contractors
- Trade secrets, commercial information, or financial information obtained from a person that is privileged or confidential
- Personal or medical information, or information that would constitute a clearly unwarranted invasion of personal privacy.

Question to consider: How severe a loss would occur as a result of disclosure of data?

If an application or GSS contains social security numbers, the confidentiality level should be no less than High. If the GSS or application contains any information protected by the Privacy Act or the Freedom of Information Act (FOIA), then the confidentiality level should be no less than Medium. See Appendix D for more information on the Privacy Act and FOIA exemptions. If an application or GSS has information covered under the Privacy Act, the system owner should contact the Agency Privacy Officer to ensure compliance through the completion of a Privacy Act questionnaire.

Example Confidentiality Considerations

High: The application or GSS contains information such as proprietary business information, financial information, or personal information (i.e., social security numbers), which, if disclosed to unauthorized sources, could adversely impact the Agency, resulting in over $1 million dollars in damages or leading to legal action with the potential of a jail sentence. This level indicates that security requirements for assuring confidentiality are of high importance.

For example, an application that keeps track of letters sent to various offices within the Agency scans higher priority letters and stores them as an image in case the letter is lost or destroyed. General information such as the sender's name and address is often captured in the image. However, some letters contain social security numbers. Since unauthorized disclosure of social security numbers could result in identity theft, the confidentiality requirement is high.

As a second example, an application is required to provide sensitive structured personnel and payroll information for the Agency. Program offices are stakeholders in the analysis and usage of this information. Unauthorized disclosure or modification of this information could result in fraud or loss of public confidence. If the information were to be disclosed, the financial impact could be over $1 million dollars. Therefore, the confidentiality requirement for this application is high.

Medium: The application or GSS contains only information that could moderately impact the Agency if disclosed. A GSS or application with information specifically covered by the Privacy Act or a FOIA exemption (see Appendix D) should have a confidentiality requirement of no less than Medium. Unauthorized disclosure of information could result in between $100,000 and $1 million dollars in damages or lead to legal action without the potential of a jail sentence. This level indicates that security requirements for assuring confidentiality are of moderate importance.

For example, an application that manages grant abstracts for the Agency contains home addresses and other sensitive information that should not be disclosed to unauthorized individuals. Although a personal identifier cannot retrieve the addresses, the information should still be protected by some means such as an application-specific password or privileges that determine access level. Financially, a breach in confidentiality could result in damages between $100,000 and $1 million. Since the confidentiality of the data is of some importance, the level of confidentiality for this application is medium.

Low: The application or GSS contains general information that is widely available to the public and, if disclosed, could not have an impact on the Agency. None of the information on the application or GSS requires protection against disclosure. The impact on the Agency's assets and resources could be minor, resulting in less than $100,000 in damages or leading to administrative penalties. This level indicates that security requirements for assuring confidentiality are of low importance.

For example, an application designed to disseminate information to the public, such as a database of regulations, contains no proprietary data or data that requires protection under the Privacy Act or a FOIA exemption. Disclosure of data could not result in any unfair advantage in activities performed or decisions made resulting from the revelation of that information.

2.2.1.2 Integrity

To determine the appropriate level for integrity, consider the needs of the information to be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to, consideration of authenticity, non-repudiation, and accountability (requirements can be traced to the originating entity). As an example, the nature of the loan information processed by the Agency may cause it to be targeted for unauthorized modification.

Included in this decision should be how the GSS or application is employed in the business process. For example, if the data in the GSS or application is not the sole source of input into the business process and the normal course of business is to check data provided electronically against the original source, the need for data integrity would generally be lower than if the data is fully relied upon to complete the business function. However, merely having a backup source of data does not meet this criterion; the data check must exist as a regular part of the business process.

Question to consider: How severe a loss would occur if the data were incorrect?

The following examples from NIST SP 800-18 can be used as guidance in making this determination.
EB-7<9* I.1*')&13 C2.5&/*)-1&2.5 H&'6 The application is a financial transaction system. ;nauthori1ed or unintentional modification of this information could result in fraud, under or over payments of obligations, fines, or penalties resulting from late or inade/uate payments, and loss of public confidence. M*/&(7 Assurance of the integrity of the information is re/uired to the e3tent that destruction of the information could re/uire significant e3penditures of time and effort to replace. Although corrupted information could present an inconvenience to the staff, most information, and all vital information, is bac0ed up by either paper documentation or on dis0. L2: The G!! or application mainly contains messages and reports. 4f these messages and reports were modified by unauthori1ed, unanticipated, or unintentional means, employees would detect the modifications< however, these modifications would not be a ma#or concern for the organi1ation. 2.2.1.3 A0-&9-;&9&13 To determine the appropriate level for availability, consider the needs of the information to be available on a timely basis to meet mission re/uirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended purposes. T6* -0-&9-;&9&13 )*@(&)*7*.1 562(9/ ;* ;-5*/ 2. 16* <*)&2/ 28 2<*)-1&2. /()&.' :6&46 16* GSS 2) -<<9&4-1&2. &5 7251 4)&1&4-9 12 16* ;(5&.*55 8(.41&2. &1 *.-;9*5. For instance, if a G!! or application operates only one month a year, consider the availability re/uirement for that month. The following e3amples from ?4!T !% D++)1D can be used as guidance in ma0ing this determination. EB-7<9* A0-&9-;&9&13 C2.5&/*)-1&2.5 1* How severe a loss would occur if the information were not available as neededB H&'6 The application contains personnel and payroll information concerning employees of the various user groups. 
Unavailability of the application could result in an inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The application requires 24-hour access.

Medium: Information availability is of moderate concern to the mission. Availability would be required within the four to five-day range. Information backups maintained at off-site storage would be sufficient to carry on with limited office tasks.

Low: The GSS or application has a duplicate from which the information can be accessed and processed, causing no interruption in the continuity of business functions.

2.2.2 MISSION CRITICALITY

Mission criticality, or how integral the GSS or application is to carrying out the mission of the agency [6], must also be considered in this inventory process. Using the current Agency definitions below, each must be evaluated to be Mission Critical, Mission Important, or Mission Supportive. Note: the criticality of some GSSs and applications for performing a business function may be more critical during certain periods of operation. Determine the mission criticality based on the period of operation during which it is most essential for the business function to be conducted.

Mission criticality will be validated by employing the Agency's Mission Essential Infrastructure (MEI) Evaluation Survey. This evaluation will provide a more objective, repeatable means of determining mission criticality, based on answering a range of questions related to the critical missions of the Agency. All candidate GSSs and applications must complete the MEI Evaluation Survey to determine mission criticality. The resultant data will be considered as the official Agency list of Mission Critical, Mission Important, and Mission Supportive GSSs and applications. In future inventory cycles, the MEI Evaluation Survey will serve as the sole source of mission criticality data.

[6] See Critical Missions and Mission-Essential Infrastructure Assets, May 16, 2001

2.2.2.1 Mission Critical

Mission critical GSSs and applications are those automated information resources whose failure would preclude the Agency from accomplishing its core business operations. A GSS or application is assessed as mission critical if it meets any of the following criteria:
- Supports core Agency business functions
- Provides the single source of Agency mission critical data
- May cause immediate business failure upon its loss.

2.2.2.2 Mission Important

Mission important GSSs and applications are those automated information resources whose failure would not preclude the Agency from accomplishing core business processes in the short term, but would cause failure in the mid to long term (3 days to 1 month). A GSS or application determined not to be mission critical would be mission important if it meets any of the following criteria:
- Serves as a backup source for data that is mission critical
- Would have impact on business over an extended period of time.

2.2.2.3 Mission Supportive

Mission supportive GSSs and applications are those automated information resources whose failure would not preclude the Agency from accomplishing core business operations in the short to long term (more than 1 month), but would have an impact on the effectiveness or efficiency of day-to-day operations. A GSS or application will be considered mission supportive only if it meets the following criteria:
- Tracks or calculates data for organizational convenience
- Would only cause loss of business efficiency and effectiveness for the owner.

- Is the system or the data processed required to complete the Agency's mission?
- If the GSS or application were unavailable for 3 business days to 1 month, would it seriously affect the ability to perform core business functions through non-automated means?
- Can the core business operations be accomplished through manual means, even if less efficient, if the GSS or application is unavailable for more than 1 month?
- If the GSS or application were unavailable for up to 48 business hours, would it seriously affect the ability to perform core business functions?

2.3 STEP 3: IDENTIFY MAJOR APPLICATIONS

Per OMB Circular A-130, an application should be considered an MA when it "requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by the security of the GSS in which they operate." [6]
Note: The term major application is not synonymous with the term "major information system," defined in OMB Circular A-130 as "an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources." The status of an application as a major information system also does not preclude it from being a major application.

2.3.1 DETERMINATION OF STATUS AS MAJOR APPLICATION

An application will be considered an MA if it meets one of the following criteria:
- Determined to be Mission Critical or Mission Important
- Determined to be Mission Supportive, but for which at least one of the Information Sensitivity categories is rated as Medium or High.

Only applications determined to be MAs are included in the GSS and MA inventory.

2.3.2 MAJOR APPLICATION-GENERAL SUPPORT SYSTEM LINKAGES

If the application meets the definition of an MA, it is necessary to identify the GSS upon which it resides. Identifying these linkages will assist with the application of more appropriate security controls to both the MAs and the GSSs. Additionally, due to the existence of these linkages, a GSS must be rated, at a minimum, at the same levels as the highest-rated MA that resides on that GSS. Therefore, if the highest-rated MA receives a High for Confidentiality, the GSS must also receive a High rating; if the highest-rated MA receives a Medium for Availability, the GSS must receive at least a Medium rating.

2.4 STEP 4: SUBMIT TO CIO

All GSSs and MAs included in the GSS and MA inventory must include justification for their respective information sensitivity classifications. The documentation should be submitted to the CIO via the GSS and MA Inventory Submission Form (Appendix A) accompanying an official, signed memorandum by the Principal Officer acknowledging ownership of and responsibility for the security of those GSSs and MAs (see Appendix C for sample memorandum).

[6] OMB Circular A-130, Appendix III

It is highly recommended that the GSS and MA Inventory Submission Form be completed for all other applications as well, to document the reasoning for not considering them MAs. Once this documentation is provided for every GSS and MA, future cycles of the GSS and MA inventory process will require all POs to validate the inventory by reviewing those GSSs and MAs under their responsibility as listed in the published GSS and MA inventory. This review will determine whether changes need to be made or the inventory is accurate. Once the process is completed, an official, signed memorandum must be submitted to the CIO by the Principal Officer to verify that the GSS and MA inventory is accurate. This memorandum will also acknowledge responsibility for the security of those GSSs and MAs. If a change (or changes) must be made, a GSS and MA Inventory Submission Form, with the change(s) incorporated, including justification for the change(s), must accompany this memorandum. The GSS and MA Inventory Submission Form will include the following information:
- Principal Office
- Automated Information Resource Name
- Points of Contact
- Type of automated information resource (GSS or MA)
- Description of data and business function supported by GSS or MA and technical information
- In development or operational
- Mission Criticality (including justification)
- Information Sensitivity (including justification) in the areas of
  - Confidentiality
  - Integrity
  - Availability
- Interconnectivity
- Comments.

The GSS and MA inventory validation process will be completed semi-annually, on January 31 and July 31, with CIO receipt of PO validation of the GSS and MA inventory no less than 2 weeks prior to the final validation date.

2.5 STEP 5: ENDORSEMENT BY THE CIO

2.5.1 OCIO REVIEW OF INVENTORY

Following receipt of the Principal Officers' submission and prior to official publication, OCIO will review the lists and the supporting classifications using the criteria outlined above to ensure the validity and completeness of the lists. If any issue is uncovered, OCIO will work with the appropriate Principal Officer to resolve any and all outstanding questions.
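The MA determination rule of Section 2.3.1 and the GSS rating floor of Section 2.3.2, carried through as an added Python example (this is not code from the guide; the Resource class, the function names and the sample inventory are my own constructions, loosely modelled on the Appendix B sample):

```python
"""Inventory classification rules from Sections 2.3.1 and 2.3.2.

Added worked example, not part of the original guide. The names Resource,
is_major_application, gss_rating_floor and gss_rating_gaps are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Information sensitivity rating; the ordering lets max() pick the stricter one."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


CATEGORIES = ("confidentiality", "integrity", "availability")


@dataclass
class Resource:
    name: str
    criticality: str            # "critical", "important" or "supportive"
    ratings: Dict[str, Level]   # one Level per entry in CATEGORIES
    gss: Optional[str] = None   # GSS on which an application resides (None for a GSS)


def is_major_application(r: Resource) -> bool:
    """Section 2.3.1: an application is an MA if it is Mission Critical or
    Mission Important, or if it is Mission Supportive with at least one
    Information Sensitivity category rated Medium or High."""
    if r.criticality in ("critical", "important"):
        return True
    return r.criticality == "supportive" and any(
        r.ratings[c] >= Level.MEDIUM for c in CATEGORIES)


def gss_rating_floor(resident_mas: List[Resource]) -> Dict[str, Level]:
    """Section 2.3.2: per category, a GSS must be rated at least at the level
    of the highest-rated MA residing on it. With no resident MA the floor is Low."""
    floor = {c: Level.LOW for c in CATEGORIES}
    for ma in resident_mas:
        for c in CATEGORIES:
            floor[c] = max(floor[c], ma.ratings[c])
    return floor


def gss_rating_gaps(gss: Resource, applications: List[Resource]) -> Dict[str, Level]:
    """Return the categories in which the GSS is rated below its floor, mapped
    to the level it must reach. Only MAs that reside on this GSS count; plain
    applications (not MAs) do not raise the floor."""
    mas = [a for a in applications
           if a.gss == gss.name and is_major_application(a)]
    floor = gss_rating_floor(mas)
    return {c: floor[c] for c in CATEGORIES if gss.ratings[c] < floor[c]}


def sample_inventory():
    """Constructed sample data (not the guide's own): one GSS and two
    applications that reside on it."""
    lan = Resource("AGENCY LAN", "critical",
                   {"confidentiality": Level.LOW, "integrity": Level.LOW,
                    "availability": Level.MEDIUM})
    # Supportive with every category Low: stays a plain application.
    chair = Resource("ChTS", "supportive",
                     {c: Level.LOW for c in CATEGORIES}, gss="AGENCY LAN")
    # Supportive but High in two categories: becomes an MA and raises the floor.
    payroll = Resource("Payroll (constructed)", "supportive",
                       {"confidentiality": Level.HIGH, "integrity": Level.HIGH,
                        "availability": Level.MEDIUM}, gss="AGENCY LAN")
    return lan, [chair, payroll]


if __name__ == "__main__":
    lan, apps = sample_inventory()
    for app in apps:
        print(f"{app.name}: MA = {is_major_application(app)}")
    # The LAN is rated Low for confidentiality and integrity while its
    # resident MA is High in both, so those two categories are reported.
    print("GSS rating gaps:", gss_rating_gaps(lan, apps))
```

Running the block reports the ChTS as a plain application, the constructed payroll system as an MA, and the LAN as needing High for confidentiality and integrity to satisfy Section 2.3.2.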
2.5.2 PUBLISHING THE INVENTORY

Following receipt of the Principal Officers' submission and the completion of the review process, CIO will officially publish the comprehensive GSS and MA inventory on the Agency's intranet to ensure it is accessible for reference. The CIO will send an endorsement memorandum to each Principal Officer and will also publish a statement acknowledging the GSS and MA inventory and the previous endorsements of the Principal Officers, as highlighted in Figure 2-2.

3.0 CHANGES TO THE INVENTORY BETWEEN CYCLES

The information included in the GSS and MA inventory, and even those GSSs and MAs included, may change between inventory cycles. Notification of these changes must be made to OCIO to maintain the appropriate level of security controls for respective GSSs and MAs. Edits to the GSS and MA inventory may occur for any number of reasons including changes in the nature of the information processed or a change in dependence on a GSS or MA. These changes may also include system birth and death or changes to the mission criticality or information sensitivity levels. For guidance on automated information resource birth and death, see Section 2.1.2.3.2; for guidance on changes to mission criticality or information sensitivity levels, see Section 2.2 and its subsections.

Figure 2-2: Review and Endorsement of GSS and MA Inventory
[Figure: PO-specific endorsement memo to CIO and PO-specific GSS & MA submission forms, followed by the CIO endorsement memo]

4.0 RELEVANT DEFINITIONS

Application: The use of information resources to satisfy a specific set of user requirements.

Automated Information Resource: Both government information and information technology.

Capital planning and investment control process: A management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency missions and achieving specific program outcomes.

General Support System (GSS): An interconnected set of information resources under the same direct management control, which shares common functionality. A GSS normally includes hardware, software, information, data, applications, communications, and people. A GSS can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, an Agency data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).

Government information: Information created, collected, processed, disseminated, or disposed of by or for the Federal Government.

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.

Information life cycle: The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.

Information resources: Both government information and information technology.
Information technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. This includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Major Application (MA): An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

Major Information System: An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.

5.0 REFERENCES

This is a listing of legislation, OMB guidance, and NIST documents relevant to the maintenance of an inventory of GSSs and MAs.

LAWS
- Clinger-Cohen Act, Public Law 104-106
- Paperwork Reduction Act, Public Law 104-13
- Freedom of Information Act, Public Law 104-231
- Government Information Security Reform Act, Public Law 106-398
- Computer Security Act of 1987, Public Law 100-235
- Privacy Act, Public Law 93-579

OMB CIRCULARS
- OMB Circular A-130, Management of Federal Information Resources
- OMB Circular A-11, Planning, Budgeting, Acquisition of Capital Assets, Strategic Plans, Performance Plans

NIST GUIDANCE
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26, Self Assessment Guide for Information Technology Systems
- NIST SP 500-167, Information Management Directions: The Integration Challenge

AGENCY GUIDANCE
- Interim IT Security Policy
- IT Security Program and Management Plan
- Draft IT Security Certification and Accreditation Guide
- IT Security Risk Assessment Guide

Hypothetical Government Agency GSS and MA Inventory, Appendix A
July 2002

HYPOTHETICAL GOVERNMENT AGENCY GENERAL SUPPORT SYSTEMS AND MAJOR APPLICATIONS INVENTORY
APPENDIX A: GSS AND MA INVENTORY SUBMISSION FORM
Hypothetical Government Agency General Support System (GSS) & Major Application (MA) Inventory Submission Form

Date:
Principal Office:
Automated Information Resource Name:
Point(s) of Contact:
  Computer Security Officer: Name: ________ Phone #: ________
  Automated Information Resource Owner(s): Name: ________ Phone #: ________ / Name: ________ Phone #: ________
  Automated Information Resource Manager(s): Name: ________ Phone #: ________ / Name: ________ Phone #: ________

The following form should be completed for every GSS and MA within the Principal Office. In addition, completion of this form is highly recommended for each application in order for each Principal Office to document that all automated information resources are properly evaluated. Please fill in the columns labeled "Category" and "Explanation" for each area. For each of the areas addressed, there should be at least one check in the "Category" column. The "Explanation" column should include your explanation as to why the selected answer in the "Category" column was provided. Explanations should be based on Federal laws and guidance as well as the appropriate Agency guidance as indicated in the "Reference" section. Specific references to the definitions provided in the Hypothetical Government Agency GSS and MA Inventory Guidance should be included in the explanation. The "Reference" column is provided solely for guidance and does not require a response.

Columns: Category (check one) | Explanation | Reference

AUTOMATED INFORMATION RESOURCE
  Category:
    [ ] General Support System (GSS)
    [ ] Major Application (MA): identified as mission-critical or important; or mission-supportive and an Information Sensitivity category rated as 'Medium' or 'High'
    [ ] Application: identified as mission-supportive and all Information Sensitivity categories rated as 'Low'
  Explanation: Business Function: / Data: / Hardware: / Hardware Location: / Software: / Software Location: / In development or operational:
    Include business processes that the automated information resource accomplishes, such as the type of data it contains and technical information (hardware, hardware location, software, software location, etc.).
  Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.1.2 Identify Automated Information Resources; Section 2.1.3 Categorize Automated Information Resources as GSS or Application; Section 2.3 Identify MAs

INFORMATION SENSITIVITY
  Confidentiality: [ ] High [ ] Medium [ ] Low
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity
  Integrity: [ ] High [ ] Medium [ ] Low
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity
  Availability: [ ] High [ ] Medium [ ] Low
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity

MISSION CRITICALITY
  Category: [ ] Critical [ ] Important [ ] Supportive
  Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.2 Mission Criticality

INTERCONNECTIVITY
  If an application or major application, list the GSS on which it resides:
  Does the automated information resource have interconnectivity with other GSSs or applications? [ ] Yes [ ] No

HYPOTHETICAL GOVERNMENT AGENCY GENERAL SUPPORT SYSTEMS AND MAJOR APPLICATIONS INVENTORY
APPENDIX B: SAMPLE GSS AND MA INVENTORY SUBMISSION FORM
Hypothetical Government Agency General Support System (GSS) & Major Application (MA) Inventory Submission Form

Date: Dec 28, 2001
Principal Office: Office of Governmental Furniture
Automated Information Resource Name: Imaginary Chair Tracking System (ChTS)
Point(s) of Contact:
  Computer Security Officer: Name: I.B. Security  Phone #: 111-2222
  Automated Information Resource Owner(s) and Manager(s): Name: Bob Smith  Phone #: 111-5625 / Name: ________ Phone #: ________
  Automated Information Resource Manager(s): Name: Ethan Allen  Phone #: 111-5684

Columns: Category (check one) | Explanation | Reference

AUTOMATED INFORMATION RESOURCE
  Category:
    [ ] General Support System (GSS)
    [ ] Major Application (MA): identified as mission-critical or important; or mission-supportive and an Information Sensitivity category rated as 'Medium' or 'High'
    [ ] Application: identified as mission-supportive and all Information Sensitivity categories rated as 'Low'
  Explanation:
    Business Function: Supports a PO-wide activity limited to just the Office of Governmental Furniture. The database helps produce an annual report on the chairs in the POC. It is used to assist in the assignment of new chairs. OGF tests all kinds of Governmental Furniture. There are more chairs to be tested than any other type of furniture. OGF assigns a particular chair to one staff member for one month and then the chair is rotated to another staff person for another month. The database tracks the initial delivery of the chair and its pertinent information, and then follows the chair through five staff assignments. Only Executive Office staff can assign chairs, but everyone must complete their chair evaluations in the database. A weekly chair status report is prepared for the Executive Officer. A monthly report and briefing is prepared for the Assistant Secretary.
    Data: Specific details about the chairs such as: color, brand, model number, category (arm, side, table), or fabric. Details about where the chair is currently assigned such as staff name, room number, and date assigned. There is no privacy act information. The last four digits of the SSN are used in conjunction with the staff name as a staff ID number. There is no Privacy Act, financial or proprietary data contained in the ChTS.
    Currently operational
    Hardware: AGENCY LAN Application Server (Compaq 3000) and AGENCY LAN DELL workstations used by OGF staff.
    Hardware Location: AGENCY LAN server room in AGENCY HEADQUARTER BUILDING, the RAS server in AGENCY HEADQUARTER BUILDING (for those dialing into AGENCY LAN) and OGF offices in AGENCY SATELLITE BUILDING.
    Software: Access 97
    Software Location: Two Access 97 database files (forms and tables) reside on the AGENCY LAN server (\\File and Print Server\Shared Area\OGP); Access 97 is launched off of local AGENCY LAN workstations and connects to the forms database that accesses linked tables from the tables database.
    Include business processes that the automated information resource accomplishes, such as the type of data it contains and technical information (hardware, hardware location, software, software location, etc.).
  Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.1.2 Identify Automated Information Resources; Section 2.1.3 Categorize Automated Information Resources as GSS or Application; Section 2.3 Identify MAs

INFORMATION SENSITIVITY
  Confidentiality: [ ] High [ ] Medium [ ] Low
    Explanation: There is no privacy act or proprietary data to protect. No vendor or cost information is tracked on the chairs, only brand and model. If a non-authorized person read data that they are not "allowed" to see, administrative action (such as suspension or a letter of reprimand) would be the most severe consequence. If the chair ratings were discovered by outside chair competitors, the financial impact would be under 100,000 dollars.
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity
  Integrity: [ ] High [ ] Medium [ ] Low
    Explanation: The data maintained on the chair ratings does affect recommendations for particular chairs. Since entire school districts use these recommendations, the financial impact of manipulated ratings could be between $150,000 and $300,000, but less than a million dollars. Anyone involved with such data manipulation would possibly be sued but not sent to jail.
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity
  Availability: [ ] High [ ] Medium [ ] Low
    Explanation: The reports are much easier to prepare with the database and it would be very inconvenient if the database were unavailable to quickly locate a specific chair. However, manual inspection of invoices (for receipt information) and office space (to locate chairs) could be used. The consequences of the database being unavailable would probably never be even administrative. The extra manpower required to manually prepare the reports would be less than $100,000 since at worst, a contractor could be hired to prepare the most important reports for $75,000.
    Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.1 Information Sensitivity

MISSION CRITICALITY
  Category: [ ] Critical [ ] Important [ ] Supportive
  Explanation: It makes OGF more efficient and expedites their reports but does not directly support one of the 8 primary Agency missions (as identified under PDD63).
  Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.2.2 Mission Criticality

INTERCONNECTIVITY
  If an application or major application, list the GSS on which it resides:
  Does the automated information resource have interconnectivity with other GSSs or applications? [ ] Yes [ ] No
  Explanation: The ChTS does not give or receive any data to any other MA or GSS. It resides on AGENCY LAN as its GSS, but otherwise does not interface with any other system. It is accessed from local OGF workstations. OGF staff may access this database when they connect remotely either through analog dialup to the RAS server or through the VPN connection.
  Reference: Hypothetical Government Agency General Support System and Major Applications Inventory Guide, Section 2.3.2 Major Application-General Support System Linkages

HYPOTHETICAL GOVERNMENT AGENCY GENERAL SUPPORT SYSTEMS AND MAJOR APPLICATIONS INVENTORY
APPENDIX C: SAMPLE MEMORANDA
SAMPLE MEMORANDUM FROM THE CHIEF INFORMATION OFFICER

To: [PRINCIPAL OFFICER NAME], Principal Officer for [PO NAME]
From: Chief Information Officer
Subject: Endorsement of [PO NAME]'s General Support System and Major Application Inventory.

As the Chief Information Officer for the Hypothetical Government Agency, I hereby acknowledge that the following General Support System (GSS) and Major Application (MA) inventory is accurate and comprehensive, consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, the Clinger-Cohen Act [1], the Government Information Security Reform Act (GISRA) [2], and the Computer Security Act of 1987 [3], as of [DATE OF SUBMISSION] for the [PO NAME].

GSS/MA Name | Type (GSS or MA) | Mission Criticality | Information Sensitivity: Confidentiality | Integrity | Availability | Last Inventory Update

My point of contact for the maintenance of this GSS and MA inventory is ________.

[1] Public Law 104-106
[2] Public Law 106-398
[3] Public Law 100-235

SAMPLE MEMORANDUM FROM PRINCIPAL OFFICERS TO THE CHIEF INFORMATION OFFICER VALIDATING THE GSS AND MA INVENTORY

To: Chief Information Officer
From: [PRINCIPAL OFFICER NAME], Principal Officer for [PO NAME]
Subject: Endorsement of [PO NAME]'s General Support System and Major Application Inventory.

As the Principal Officer for the [PO NAME], I hereby acknowledge that the following General Support System (GSS) and Major Application (MA) inventory and the attached inventory submission forms for each GSS and MA are accurate and comprehensive, consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, the Clinger-Cohen Act [4], the Government Information Security Reform Act (GISRA) [5], and the Computer Security Act of 1987 [6], as of [DATE OF SUBMISSION] for the [PO NAME].

GSS/MA Name | Type (GSS or MA) | Mission Criticality | Information Sensitivity: Confidentiality | Integrity | Availability | Last Inventory Update

My point of contact for the maintenance of this GSS and MA inventory is [POC NAME & NUMBER].

Attachments: [N] inventory submission forms

[4] Public Law 104-106
[5] Public Law 106-398
[6] Public Law 100-235

HYPOTHETICAL GOVERNMENT AGENCY GENERAL SUPPORT SYSTEMS AND MAJOR APPLICATIONS INVENTORY
APPENDIX D: INFORMATION COVERED BY THE PRIVACY ACT & FREEDOM OF INFORMATION ACT (FOIA) EXEMPTIONS

Confidential information transmitted, stored, or processed on the GSS or MA may include, but is not limited to, financial, proprietary and personal information.

TYPES OF CONFIDENTIAL INFORMATION

Financial Information: FOIA Exemption 4
- Sales statistics
- Profit and loss data
- Overhead and operating costs
- Reports on financial condition
- Capital expenditures
- Budgets

Financial information falls under commercial or financial information obtained from a person that is privileged or confidential. The term "person" refers to a wide range of entities, including corporations, banks, state governments, agencies of foreign governments, and Native American tribes or nations. This protects the interests of both the government and submitters of information.

Proprietary Information: FOIA Exemptions 2 & 4
- Business plans or technical designs
- Research and development data
- Data labeled "For Official Use Only"

Proprietary information falls under information related solely to the internal personnel rules and practices of an agency. This includes a "trade secret," which is a broad term extending to virtually any information that provides a competitive advantage.
Personal Information: FOIA Exemption 6
- Social security numbers
- Credit history
- Loan history
- Personal addresses
- Performance appraisal data
- Personal financial information

Personal information falls under personnel or medical information or information that would constitute a clearly unwarranted invasion of personal privacy. An individual's name and address may not be sold or rented by an agency unless specifically authorized by law. On the other hand, no agency shall withhold names and addresses that are otherwise permitted to be made public. Any contractor or employee of a contractor is considered to be an employee of the agency.

TYPES OF NON-CONFIDENTIAL INFORMATION
- Grantee name
- Employee names, titles, grades, salaries, duty stations or office phone numbers
- Contractor names, e-mail addresses or business contact information

Information that is submitted with no expectation of privacy should be considered non-confidential information. [FOIA Exemption 6]