Security Planning Policy and Procedures
Security Planning Policy for 18F
Agency Security Policy and Procedures
Security Planning Policy is included in CIO P 2100.1 - GSA IT Security Policy, Chapter 3, Policy on Management Controls. It states, "All information systems must be covered by a security plan in accordance with the current version of NIST SP 800-18 Revision 1, 'Guide for Developing Security Plans for Information Technology Systems.'"
GSA OCISO ISP has also defined agency-wide security assessment and authorization procedures in IT Security Procedural Guide: Managing Enterprise Risk, Security Assessment and Authorization, Planning and Risk Assessment (CIO-IT Security-06-30).
18F Program Policy
The 18F Program Office develops, documents, and disseminates to all 18F staff the 18F Security Planning Policy, which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, together with procedures to facilitate the implementation of security planning for information systems and the associated planning controls. The 18F Audit and Accountability policy is listed within 18F's private GitHub repository, https://github.com/18F/compliance-docs/blob/master/PL-Policy.md, which is accessible to all 18F staff.
The GSA Office of the CISO is responsible for reviewing and updating the above documents annually and for notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms) of changes.
The 18F Program Office will review and update the current 18F Security Planning Policy at least every 3 years and any documented procedures at least annually.