1. Purpose. To provide State Workforce Agencies (SWAs) with additional information on the National Institute of Standards and Technology's (NIST) Information Technology (IT) security guidelines and a new version of the software tool to conduct a security self-assessment of unemployment insurance (UI) computer systems.
2. References. Unemployment Insurance Program Letter (UIPL) 24-04, ET Handbook No. 336, 17th Edition, the Unemployment Insurance State Quality Service Planning (SQSP) and Reporting Guidelines, Chapter 1, Section VI, C, SBRs and Chapter 1, Section VII, J, Assurances of Automated Information System Security.
3. Background. UIPL 24-04 provided SWAs with IT security guidance via distribution of a CD, titled IT Security Information, which was sent under separate cover to SWA administrators. This UIPL is issued to provide a CD which includes the NIST Special Publications including new releases and the new version of the NIST software tool called "Automated Security Self-Evaluation Tool" (ASSET). SWAs can use it to conduct a valid self-assessment on their IT systems using the NIST Special Publication (SP) 800-26 titled, "Security Self-Assessment Guide for Information Technology Systems."
The U.S. Department of Labor (DOL) strongly encourages each SWA to conduct an IT security self-assessment in accordance with the NIST guidelines. The results of this self-assessment can be used each year as a basis for providing the assurance referenced in the SQSP, Chapter 1, Section VI, C, SBRs and Chapter 1, Section VII, J, Assurances of Automated Information System Security.
SWAs can use the "UI IT Security" document as a reference while conducting the self-assessment to find the specific law, regulation, or NIST Special Publication to help answer their questions. The self-assessment is based on criteria and guidance established by NIST and specified in the Special Publications. SWAs can conduct a self-assessment on the UI systems to verify that the security controls conform to the different laws, regulations, and the guidance established by NIST.
DOL plans to provide funds during FY 2005 to selected states to address UI IT security weaknesses. These funds will be limited to resolving weaknesses that have been identified by an Office of Inspector General IT security audit, an internal state IT security audit, or an IT security self-assessment following the guidelines provided by NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems.
4. Action. SWAs are encouraged to:
- Review the NIST IT security documents and guidelines;
- Perform the self-assessment evaluation which complies with NIST SP 800-26; and
- Seek supplemental funds to address any weaknesses found.
5. Inquiries. Direct questions to your Regional Office or, in the National Office, to Paul Bankes at 202-693-3053 or bankes.paul@dol.gov or Jagruti Patel at 202-693-3059 or patel.jagruti@dol.gov.
6. Separate Cover. A paper titled, Unemployment Insurance Information Technology Security and a "CD" titled IT Security Information will be sent directly to SWAs under separate cover.
| RESCISSIONS | EXPIRATION DATE |
| --- | --- |
| None | March 31, 2006 |