
Enterprise Infrastructure Solutions
Volume 1—Technical Volume—EIS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
i
Company Proprietary
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.

Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)
Systems in accordance with (IAW) C.1.8.7

November 4, 2016

Prepared by
CenturyLink Government Services, Inc.
4250 North Fairfax Drive
Arlington, VA 22203


REVISION HISTORY

Revision Number | Revision Date | Revision Description | Revised by


TABLE OF CONTENTS

EIS Risk Management Framework Plan (RMFP) Overview ... 1
    Purpose ... 2
    Related Plans ... 3
    Tier 1—Organization: CenturyLink ... 4
    Tier 2—Mission/Business Process: CenturyLink Risk Management for EIS ... 6
    Tier 3—Information Systems ... 8
Information System RMFP Development Process ... 11

LIST OF FIGURES

Figure 1. Enterprise Security Risk Management Program ... 3
Figure 2. Risk Management Framework Plan Steps ... 9

LIST OF TABLES

Table 1. EIS Products and Services ... 7


EIS RISK MANAGEMENT FRAMEWORK PLAN (RMFP) OVERVIEW

CenturyLink follows industry-leading information security standards and best practices to ensure the integrity of our services and confidentiality of customer and company information. Comprehensive security policies and standards guide these practices, which include extensive controls in the areas of personnel, systems, and facility security. CenturyLink maintains a hierarchy of information security-related policies and standards, using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series as guidance. Authority for these policies is founded in the CenturyLink code of conduct (available on the public Internet under our corporate governance page) and corporate ethics and compliance program, as authorized by the CenturyLink Board of Directors.

CenturyLink implements industry standard security to ensure data assurance, integrity, and confidentiality of customer and company information in support of our telecommunications services. These practices include implementing controls in the areas of personnel, systems, and facility security. CenturyLink has also implemented comprehensive Business Continuity and Disaster Recovery (BC/DR) measures and controls to ensure the availability of customer and corporate networks.

To ensure that the security architecture stays current with best practices, CenturyLink takes a lead role in developing standards, working with vendors, and implementing innovative approaches to improve our products, including security services.

In support of the General Services Administration (GSA) Networx Universal and Enterprise contracts, CenturyLink has delivered system security plans and obtained Department of Homeland Security (DHS) Cybersecurity Compliance Validation (CCV) and Trusted Internet Connections (TIC) Compliance Validation (TCV) for the Managed Trusted Internet Protocol Service (MTIPS) TIC Networx accreditation, annually, since 2009. CenturyLink will continue to maintain the systems security plans and accreditations with the DHS and GSA under Enterprise Infrastructure Solutions (EIS).

CenturyLink operates and maintains several government-accredited facilities throughout the U.S. These facilities are capable of processing and storing information at the top secret/sensitive compartmented information (TS/SCI) security level. The facilities support various government contracts, which include the DHS EINSTEIN 3 Accelerated (E3A) program, and have a long history of commendable security compliance assessments. This effectively demonstrates CenturyLink’s knowledge and ability to apply the risk management framework.

Building a foundation on the CenturyLink processes and controls we have previously used to reduce risk in information systems, we have developed a risk management framework plan (RMFP) that consolidates our practices, standards, framework, and processes across the system lifecycle.

PURPOSE

This CenturyLink RMFP addresses EIS requirements for security compliance in accordance with the risk management framework and NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, issued February 2010), as defined in Request for Proposal (RFP) Section C.1.8.7, System Security Requirements. Our plan focuses on the processes and practices we will use to ensure security compliance for the services provided under EIS. We will implement our multi-tiered enterprise security program to achieve compliance, as detailed in the CenturyLink Security Risk Management Program depicted in Figure 1 below.

There are a number of goals for CenturyLink’s RMFP:

• Document the three-tiered approach for risk management to address risk-related concerns at each level of the hierarchy:
    – The organization level addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy
    – The mission and business process level defines and prioritizes the core missions and business processes for the organization and defines the types of information processed
    – The information system level determines the definition of a boundary and ultimately selects and applies appropriate safeguards and countermeasures
• Define the required six (6) risk management framework steps at the information system level: Categorize, Select, Implement, Assess, Authorize, Monitor
• Provide a process for creating information system risk management framework plans on a task order (TO) basis as demonstrated with the Business Support Systems (BSS) and MTIPS RMFPs

CenturyLink will maintain and periodically update this plan, with the benefit that revisions to this plan will be at no cost to the government.

RELATED PLANS

The following risk plans will also be developed and provided as indicated in the chart below:

Plan                                       | RFP Reference | Relationship to this Plan
Draft Supply Chain Risk Management Plan    | G.6.3         | Documents procedures for handling supply chain and third-party risk within the overall EIS risk framework
Draft BSS Risk Management Framework Plan   | G.5.6.2       | Information system-specific risk plan for the BSS
Draft MTIPS Risk Management Framework Plan | C.2.8.4.5.2   | Information system-specific risk plan for MTIPS

Figure 1. Enterprise Security Risk Management Program


Information security-related functions are performed in collaboration with CenturyLink’s operations organizations, as follows:

• Corporate Security/information security (InfoSec): Provides end-to-end governance and policymaking; maintains comprehensive processes for measuring InfoSec risk and managing those risks within acceptable levels through clear policy-setting, assessments, and compliance management.
• Business continuity planning: Provides planning efforts, including facilitating the development, testing, and training of BC/DR plans to ensure that CenturyLink and our customers are prepared to effectively manage disaster situations.
• Risk assessment: Maintains a risk inventory to highlight the risk and potential exposure status for key infrastructure elements, including extensive monitoring and analysis of numerous sources for newly published vulnerabilities. Monitors compliance with CenturyLink policies and standards using key industry and international standards as guidance. CenturyLink conducts ongoing risk assessments of individual systems and network elements.
• Vulnerability management: CenturyLink has a number of threat intelligence feeds that provide vulnerability notifications. Threats are evaluated, and threat information, including vulnerability information, is distributed to appropriate operations teams through multiple methods.
• Strategic security planning with hardware and software suppliers: Reveals risk dependencies between systems and risk pinch points. Establishes strong relationships for vulnerability notification and remediation.
• Building compliance-based security into CenturyLink networks: Records and tracks risk remediation activity. Collects and collates data about incidents affecting information systems, highlighting root causes and business impact with appropriate follow-up.
• Operations/corporate infrastructure and systems sphere: Operational teams focus on information technology (IT) areas including internal CenturyLink computing and network components.


Information and Information Systems to Security Categories. The overall system categorizations are derived from the different information system types.

The following security categorizations are applied to specific EIS information systems that have an established, identified, and agreed-to information system boundary with the GSA, and where GSA personnel have performed the FIPS 199 security categorization:

EIS Information System | FIPS 199 Security Category
EIS BSS Gateway        | Moderate Impact
EIS MTIPS              | High Impact
EIS FedRAMP Services   | Moderate Impact

RFP Section C.1.8.7.2 specifies the minimum FIPS 199 security category as the FIPS 199 moderate impact level, due to the data that will be processed and held within the CenturyLink-provided EIS services and resultant solutions and systems. More restrictive or higher impact levels can be stated within awarded TOs.
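As an added illustration (not code from the CenturyLink proposal), the Python below applies the FIPS 199 high-water-mark rule that produces system categorizations like the ones listed above, then applies the C.1.8.7.2 moderate floor and any higher level an awarded TO states. The information types, their C/I/A ratings, the sample system boundaries and every function name are constructed assumptions, not values taken from the page; only the MODERATE floor and the three FIPS 199 impact levels come from the page and from FIPS 199 itself.

```python
"""FIPS 199 high-water-mark categorization with the EIS contract floor.

Added example, not code from the CenturyLink proposal. The information
types, their C/I/A ratings and every function name here are constructed
assumptions; only the MODERATE floor (RFP Section C.1.8.7.2) and the
three impact levels come from the page and from FIPS 199 itself.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# FIPS 199 impact levels, least to most severe.
LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {level: i for i, level in enumerate(LEVELS)}

# Minimum category for EIS services per RFP Section C.1.8.7.2 (on the page).
EIS_CONTRACT_FLOOR = "MODERATE"


@dataclass(frozen=True)
class InfoType:
    """One information type inside a system boundary with its FIPS 199
    impact rating for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str, where: str) -> None:
    if level not in _RANK:
        raise ValueError(f"{where}: unknown FIPS 199 impact level {level!r}")


def _high_water_mark(levels: Iterable[str]) -> str:
    """Return the most severe level among those given."""
    return max(levels, key=lambda level: _RANK[level])


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """FIPS 199 Section 3: for each objective (C, I, A) the system-level
    impact is the highest impact of any information type it handles."""
    if not info_types:
        raise ValueError("a system boundary must contain at least one information type")
    for t in info_types:
        for objective in ("confidentiality", "integrity", "availability"):
            _check(getattr(t, objective), f"{t.name}/{objective}")
    return {
        "confidentiality": _high_water_mark(t.confidentiality for t in info_types),
        "integrity": _high_water_mark(t.integrity for t in info_types),
        "availability": _high_water_mark(t.availability for t in info_types),
    }


def overall_category(per_objective: Dict[str, str]) -> str:
    """The overall system category is the high-water mark across C, I and A."""
    return _high_water_mark(per_objective.values())


def apply_eis_floor(category: str, to_required: Optional[str] = None,
                    floor: str = EIS_CONTRACT_FLOOR) -> str:
    """Raise the category to the contract minimum, then to any higher level
    the awarded task order states. A TO can raise the level, never lower it."""
    _check(category, "category")
    _check(floor, "floor")
    result = _high_water_mark([category, floor])
    if to_required is not None:
        _check(to_required, "task order")
        result = _high_water_mark([result, to_required])
    return result


def eis_category(info_types: List[InfoType], to_required: Optional[str] = None) -> str:
    """End-to-end: high-water mark, then contract floor, then TO override."""
    return apply_eis_floor(overall_category(categorize_system(info_types)), to_required)


# Constructed sample boundaries (hypothetical; not the systems named on the page).
ORDERING_PORTAL = [
    InfoType("Service ordering records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Billing data", "MODERATE", "MODERATE", "LOW"),
]
PERIMETER_GATEWAY = [
    InfoType("Traffic inspection logs", "MODERATE", "MODERATE", "HIGH"),
    InfoType("Routing configuration", "LOW", "HIGH", "HIGH"),
]
PUBLIC_STATUS_PAGE = [
    InfoType("Public service status", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    for label, boundary in (("ordering portal", ORDERING_PORTAL),
                            ("perimeter gateway", PERIMETER_GATEWAY),
                            ("public status page", PUBLIC_STATUS_PAGE)):
        print(f"{label}: {categorize_system(boundary)} -> {eis_category(boundary)}")
```

The per-objective result is kept separate from the overall category on purpose: the per-objective levels drive baseline control tailoring in the Select step, while the single overall level is what the contract floor and the TO override act on. The third sample boundary shows the floor in action: its information types all rate LOW, but the EIS minimum lifts it to MODERATE.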

TIER 3—INFORMATION SYSTEMS

Information systems that initiate their lifecycles under the EIS program will inherit policies, processes, and technical control implementations from Tier 1 as appropriate. Each will comply with Tier 2 security directives; inherit control implementations, monitoring and tailoring from Tier 2 as appropriate; and address additional cybersecurity requirements and specific control tailoring directives in accordance with the agency policy and requirements that are issued within the TO under EIS.

At this tier, all six steps of the risk management framework must be addressed across the system lifecycle and documented in a system-specific risk plan using the CenturyLink EIS RMFP process provided in Figure 2 below, as applicable per the agency TO.