contractor responsible for housing and managing the infrastructure, such as servers, mainframes, T1 lines, etc. As part of C&A and compliance with FISMA, an agency will be required to provide a business continuity plan for the system. How do they accomplish this when the information is proprietary to each contractor and the contractors are less than willing to share that information with each other?
This issue has been made more confusing by identifying systems as either General Support Systems (GSS) or Major Applications (MA) and requiring separate documentation for each, as dictated in Circular A-130.[48] A GSS is an “interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.” An MA is defined as an “application that requires special attention due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.” Isolating and categorizing these two systems creates a major disparity of information when agencies are working with multiple contractors.
Consider the example above where a GSS is in control of the hardware and the MA is in control of the application and its interfaces. If a GSS facility is completely wiped out and they move to their hot site, how do the GSS and MA quickly get back online and communicating when they have not shared and coordinated their disaster recovery or business continuity plans? This leaves the agency at risk.
Contractually, it is likely within the agency’s authority to request both the GSS’s and the MA’s proprietary security documentation separately, eliminating the issue of sharing proprietary information between one contractor and the agency, but it does not solve the issue of communication and coordination between contractors. While the burden of splicing the documents into all-encompassing plans might be taken on by the agency, this burden is often overwhelming because of a lack of resources and knowledge within the agency. Moreover, once the all-encompassing plan is created by the agency, it could not be shared with the contractors who, in the event of a disaster, would be tasked with recovery. This is quite likely to remain a confusing issue for some time with no clear solution.
© SANS Institute 2004, Author retains full rights.
With the ever-changing world of technology comes the ever-present reality of threats. And with the increase in threats comes legislation to deal with those threats at both the government and private company levels. Federal IT legislation has evolved considerably over the last 20 years and will, of course, continue to evolve. The challenge for government agencies and their contractors will be in knowing which
[48] OMB Circular A-130, Appendix II: Definitions