1. Purpose. To provide State Workforce Agencies (SWAs) with specific information on the National Institute of Standards and Technology's (NIST) Information Technology (IT) security guidelines and a software tool to conduct a security self-assessment of Unemployment Insurance (UI) computer systems.
2. References. ET Handbook No. 336, 17th Edition, the Unemployment Insurance State Quality Service Planning and Reporting Guidelines (SQSP), Chapter 1, Section VI, C, SBRs and Chapter 1, Section VII, J, Assurances of Automated Information System Security.
3. Background. Over the last ten (10) years, there has been an increasing need to improve the security of IT systems that support UI. The U.S. Department of Labor's (DOL) Office of Inspector General (OIG) recently conducted IT security audits in seven SWAs. The audits were conducted pursuant to the Federal Information Security Management Act (FISMA) of 2002 (Homeland Security Act of 2002, Title X -- Information Security). The OIG found security weaknesses in each state that need to be addressed, and DOL concludes that the remaining 46 states have similar security weaknesses.
4. IT Security Guidance. Under FISMA, NIST has the responsibility to develop security standards and guidelines for sensitive (unclassified) Federal IT systems and to work with industry to help improve the security of commercial IT products. The mission of NIST's Computer Security Division is to improve information systems security by:
- Raising awareness of IT risks, vulnerabilities, and protection requirements, particularly for new and emerging technologies;
- Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
- Developing standards, metrics, tests and validation programs:
  - to promote, measure, and validate security in systems and services,
  - to educate consumers, and
  - to establish minimum security requirements for Federal systems; and
- Developing guidance to increase secure IT planning, implementation, management, and operation.
NIST has developed numerous documents and guides that provide a comprehensive approach to sound IT security policies and practices. The NIST guidance is used by government and industry to ensure the security of IT systems. To assist SWAs in using these documents, DOL has collected them on a CD, titled "Unemployment Insurance Information Technology Security," which is being sent under separate cover to the SWA Administrators. All of these documents are also posted on the NIST website (http://csrc.nist.gov/publications/nistpubs/index.html) and can be downloaded at any time.
Also included on the CD is a NIST software tool called "Automated Security Self-Assessment Tool" (ASSET) that SWAs can use to conduct a valid self-assessment on their IT systems following the NIST Special Publication (SP) 800-26 titled, "Security Self-Assessment Guide for Information Technology Systems." DOL strongly encourages every SWA to conduct an IT security self-assessment that follows the NIST guidelines as a way to evaluate their security. The results of this self-assessment can be used each year as a basis for providing the assurance referenced in SQSP, Chapter 1, Section VI, C, SBRs and Chapter 1, Section VII, J, Assurances of Automated Information System Security.
SWAs can use the "UI IT Security" document as a reference while conducting the self-assessment to find the specific law, regulation, or NIST Special Publication that answers a given question. The self-assessment is based on criteria and guidance established from those sources. To meet those criteria, the security controls that a SWA has in place, and that it assesses, should conform to the applicable laws, regulations, and NIST Special Publications.
DOL plans to provide funds during FY 2004 to selected SWAs to address UI IT security weaknesses. These funds will be limited to resolving weaknesses that have been identified by an OIG IT security audit, an internal state IT security audit, or an IT security self-assessment following the guidelines provided by NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems.
5. Action. SWAs are encouraged to:
- Review the NIST IT security documents and guidelines;
- Perform the self-assessment evaluation that complies with NIST SP 800-26; and
- Seek supplemental funds to address any weaknesses found.
6. Inquiries. Direct questions to your Regional Office or in the National Office to Paul Bankes at 202-693-3053 or bankes.paul@dol.gov or Jagruti Patel at 202-693-3059 or patel.jagruti@dol.gov.
7. Separate Cover. A paper titled "Unemployment Insurance Information Technology Security" and a CD titled "Unemployment Insurance Information Technology Security" will be sent directly to State Workforce Agencies under separate cover.
RESCISSIONS | EXPIRATION DATE
None | June 30, 2005