RESOLUTION
RE: APPROVE INTERCONNECTION SECURITY AGREEMENT, ON BEHALF OF THE
WELD COUNTY JAIL, AND AUTHORIZE CHAIR TO SIGN - U.S. IMMIGRATION AND
CUSTOMS ENFORCEMENT, INFORMATION ASSURANCE DIVISION
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a request to renew the Interconnection
Security Agreement by the U.S. Immigration and Customs Enforcement (ICE) Information
Assurance Division, which is attached hereto and fully incorporated herein, and
WHEREAS, the Board previously authorized the Chair to sign the current
Interconnection Security Agreement in April 2009, which was to expire in three years, and
WHEREAS, the Interconnection Security Agreement allows ICE to have access to a
dedicated T1 data line inside the Weld County Jail, for the purpose of accessing ICE database
information, and
WHEREAS, ICE compensates Weld County for all costs associated with the T1 data
line, and ICE is the only entity which accesses the line, and Weld County desires to cooperate
with ICE in this matter.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Interconnection Security Agreement be, and hereby is,
approved.
BE IT FURTHER RESOLVED by the Board that the Chair is authorized to sign said
agreement.
2012-2287
SO0033
INTERCONNECTION SECURITY AGREEMENT ON BEHALF OF THE WELD COUNTY JAIL -
U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, INFORMATION ASSURANCE
DIVISION
PAGE 2
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 27th day of August, A.D., 2012.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
EXCUSED
Sean P. Conway, Chair
Weld County Clerk to the Board
William F. Garcia, Pro-Tem
BY: Deputy Clerk to the Board
Barbara Kirkmeyer
APPROVED AS TO FORM:
David E. Long
County Attorney
Douglas Rademacher
Date of signature:
TO: Board of County Commissioners
FROM: Bob Choate, Assistant Weld County Attorney
DATE: August 15, 2012
SUBJECT: Renewed Interconnection Security Agreement with ICE
Commissioners,
We have received a request for renewal of an interconnection security agreement between the
County and the U.S. Immigration and Customs Enforcement (ICE). The previous agreement was
executed by Board Resolution 2009-0861 in April of 2009 to allow ICE to have T1 data line
access in the jail, so they could access the ICE database. That agreement had a three year term,
and so ICE is now requesting the County execute a renewed agreement (attached). Sheriff
Cooke indicates that he has no issues with this, as ICE pays for the T1 access and only ICE has
access to that line and information.
IAD Staff Summary Sheet
TO: Jeffrey Eisensmith
THROUGH: Rob Thorne
SUSPENSE DATE: ASAP
SUBJECT: Renewal 287(g) Interconnection Security Agreement (ISA) for Weld County Jail,
2012-006.
EXECUTIVE SUMMARY:
1. Purpose:
This Interconnection Security Agreement (ISA) is to document a 287(g) connection between
ICE and the Weld County Jail where we have five (5) users utilizing one (1) workstation. The
attached ISA establishes individual and organizational security responsibilities for the protection
and handling of sensitive data and this interconnection. Any specific requirements of signatory
organizations are also included.
2. Discussion:
This is a renewal ISA covering the existing ICE connection to Weld County Jail. An ICE T1
circuit is used to access DHS and the Federal Bureau of Investigation (FBI) systems and
applications. The access is needed to support the delegation of authority to the Weld County Jail
located at 2110 "O" Street, Greeley, CO 80631. The T1 connection is used for one (1)
workstation. This is not an ICE-controlled facility, but rather a sheriff's office located in Greeley,
Colorado. This delegation of authority project was approved by ICE Assistant Secretary
Clark in December 2005. This connection also covers the DHS Redundant Trusted Internet
Connection (RTIC) ingress and demarcation points.
3. Risk Analysis:
Authorized personnel continue to access the DHS Authorized Data Center (ADC) via this ICE
T1 connection. The staff accessing the connection have been trained and made aware of ICE
security policies. All workstations accessing the connection will have an ICE image and are
separate from any existing systems at this location. The connection limits access to the DHS
ADC as listed in the 287G Standard Firewall Configuration table. In addition, all traffic across
the T1 connection is encrypted with a 256-bit encryption key.
Risk Level: Low.
4. Recommendation:
Request that Jeffrey Eisensmith, as the ICE CISO, sign the ISA agreement. USCIS and DHS
AO for OneNet are also co-signers of this ISA.
ORIGINATING OFFICE: OCIO IAD
ACTION OFFICER/OFFICE/EXTENSION: Carlos Vallejo DATE: 08/06/2012
287(g) Renewal
INTERCONNECTION SECURITY AGREEMENT
BETWEEN
U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT (ICE)
AND
WELD COUNTY JAIL
GREELEY, CO
INFORMATION ASSURANCE DIVISION
AND
DHS REDUNDANT TRUSTED INTERNET CONNECTION (RTIC)
IAD 2012-006
FINAL
August 6, 2012
Version 1.0
WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It contains
information that may be exempt from public release under the Freedom of Information
Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and
disposed of in accordance with DHS policy relating to FOUO information and is not to
be released to the public or other personnel who do not have a valid "need-to-know"
without prior approval of ICE and the Weld County Jail Disclosure Offices.
FOR OFFICIAL USE ONLY
CONTENTS
1.0 PURPOSE 2
1.1 Security Network Connectivity Policy 2
1.2 ISA Requirements for Types of System Interconnections 3
1.3 Scope 3
1.4 Points of Contact 4
1.5 References 4
2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS 6
2.1 LACSD LAN Staff Responsibilities 6
2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities 6
3.0 SECURITY CONSIDERATIONS 7
3.1 Formal Security Policy 7
3.2 General Information/Data Description 7
3.3 ISA Requirements Within and Across Organizational Boundaries 8
3.4 Physical Security and Environmental Controls 8
3.5 Data Sensitivity 8
3.6 Services Offered 8
3.7 Period of Operation 8
3.8 User Community 9
3.9 Information Exchange Security 9
3.10 Trusted Behavior/Rules of Behavior 9
3.11 Incident Reporting 10
3.12 System Monitoring 10
3.13 Security Audit Trail Responsibility 10
3.14 Specific Equipment/Service Restrictions 11
3.15 Dial-Up/Remote/Wireless Connectivity 11
3.16 Training and Awareness 11
3.17 Security Documentation 11
3.18 Change Control 11
3.19 Site or System Certification and Accreditation 11
4.0 TOPOLOGICAL DRAWING 13
5.0 SIGNATORY AUTHORITY 13
ATTACHMENT A - ALLOWED PORTS, PROTOCOLS, AND SERVICES
ATTACHMENT B - ICE ENGINEERING DRAWING
EXHIBITS
Exhibit 1: Systems and Applications 3
Exhibit 2: Points of Contact 4
August 6,2012 ii IAD 2012-006
DOCUMENT CHANGE HISTORY
Version Date Description
1.0 February 28, 2012 Initial Draft of renewed ISA (2009-008)
2.0 August 6, 2012 FINAL DRAFT
1.0 PURPOSE
This Interconnection Security Agreement (ISA) is required by Federal and Department of
Homeland Security (DHS) policy and establishes individual and organizational security
responsibilities for the protection and handling of DHS Sensitive-but-Unclassified (SBU)/For
Official Use Only (FOUO) information. All specific requirements by both signatory
organizations are also included in this ISA.
1.1 Security Network Connectivity Policy
DHS Sensitive Security Systems Policy Directive 4300A v8 establishes DHS policy for network
connectivity. The section on network connectivity (Section 5.4.3) states:
5.4.3.a. Components shall ensure that appropriate identification and authentication controls,
audit logging, and access controls are implemented on every network element.
5.4.3.b. Interconnections between DHS and non-DHS systems shall be established only through
controlled interfaces and via approved service providers. The controlled interfaces shall be
accredited at the highest security level of information on the network. Connections with other
Federal agencies shall be documented based on interagency agreements, memoranda of
understanding, service level agreements, or interconnection security agreements.
5.4.3.d. ISAs shall be reissued every three (3) years or whenever any significant changes have
been made to any of the interconnected systems.
5.4.3.e. ISAs shall be reviewed as a part of the annual Federal Information Security
Management Act (FISMA) self-assessment.
5.4.3.f. Components may complete a master ISA (which includes all transitioning systems) as
part of their initial OneNet transition. After transition, each additional system or General
Support System (GSS) shall be required to have a separate ISA. Interconnections between DHS
Components (not including DHS OneNet) shall require an ISA whenever there is a difference in
the security categorizations for confidentiality, integrity, and availability between the systems or
when the systems do not share the same security policies. (In this context, "security policies"
refers to the set of rules that controls a system's working environment and not to DHS
information security policy.) ISAs shall be signed by each applicable Authorizing Official (AO).
5.4.3.g. Components shall document interconnections between their own and external
(non-DHS) networks with an ISA for each connection.
5.4.3.h. The DHS Chief Information Officer (CIO) shall approve all interconnections between
DHS enterprise-level information systems and non-DHS information systems. The DHS CIO
shall ensure that connections with other Federal Government Agencies are properly documented.
A single ISA may be used for multiple connections provided that the security accreditation is the
same for all connections covered by that ISA.
5.4.3.m. Interconnections between two accredited DHS systems do not require an ISA if the
interface characteristics, security requirements, nature of information communicated and
monitoring procedures for verifying enforcement of security requirements are accounted for in
the SSPs or are described in another formal document, such as an SLA or contract, and the risks
have been assessed and accepted by all involved AOs.
5.4.3.n. Granting the ability to log into one DHS system through another DHS system (such as
through a OneNet mist) does not require an ISA, when the requirements from Section 5.4.3.m
are met.
1.2 ISA Requirements for Types of System Interconnections
System interconnections may be characterized as either direct or networked. Direct connections
are single-purpose, point-to-point connections that support only the two connected systems.
Directly connected systems do not rely on another network for their connectivity or security and
are physically and electronically isolated from other networks and systems. An example is a
stand-alone Local Area Network (LAN) with computers attached. Networked systems connect
via an intervening network that exists as a GSS, not a single-purpose connection. An example of
this is the ICE network connected through the DHS OneNet network to another Component. For
networked systems, the ISA must include the owner and AO of the network, as well as the
owners of the classified or unclassified systems. For directly connected systems, the ISA may
include only the owners and AOs of the connected systems themselves.
1.3 Scope
This is a renewal ISA covering the existing ICE connection to this location. A T1 circuit is used
to access DHS and the Federal Bureau of Investigation (FBI) systems and applications listed in
Exhibit 1 in order to support the delegation of authority to Weld County Jail (WCJ) located at
2110 "O" Street, Greeley, CO 80631. The ICE T1 connection at WCJ is used for ONE
workstation. This is not an ICE-controlled facility, but rather a sheriff's office located in
Colorado. This delegation of authority project was approved by ICE Assistant Secretary
Clark on or around December 11, 2005. Exhibit 1 below lists the systems being accessed. This
connection also covers the DHS RTIC ingress and demarcation points of the DHS Redundant
Trusted Internet Connection (RTIC).
Exhibit 1: Systems and Applications
Acronym - System/Application - Access
IDENT - Automated Biometric Identification System (US VISIT) - Read Only
ENFORCE - Enforcement Case Tracking System (USICE) - Read Only
IAFIS - Integrated Automated Fingerprint Identification System (FBI) - Read/Write Only
INTRANET - DHS Intranet Web Portals (USICE) - Read Only
CIS - Central Index System (USCIS) - Read Only
CLAIMS 3 MF - Computer Linked Application Information Management System 3 Mainframe (USCIS) - Read Only
EARM - ENFORCE Alien Removal Module (USICE) - Read Only
1.4 Points of Contact
The established points of contact (POCs) for all issues associated with this agreement are
available in Exhibit 2:
Exhibit 2: Points of Contact
ICE Primary POC
  Name: Derek Lampe
  Title: Northeast ITFO
  Phone: 303-721-3116
  E-mail: Derek.lampe@ice.dhs.gov
ICE Alternate POC
  Name: Ken Yu
  Title: Northeast ITFO
  Phone: 206-835-0636
  E-mail: ken.Yu@ice.dhs.gov
Local Client 287(g) POC
  Name: Richard Curry
  Title: Program Manager
  Phone: 303-627-5901
  E-mail: Richard.S.Curry@ice.dhs.gov
Local 287(g) Technical POC
  Name: Derek Lampe
  Title: ITFO
  Phone: 303-721-3116
  E-mail: Derek.lampe@ice.dhs.gov
DHS ICE OCIO Program Manager for 287(g)
  Name: Linda Sollinger
  Title: 287g Program Manager
  Phone: 202-732-7022
  Cell: 202-603-6668
  Email: Linda.sollinger@dhs.gov
DHS RTIC Primary POC
  Name: Clifford Tichenor
  Title: Information System Security Manager
  Phone: 703-921-7392
  Email: Clifford.Tichenor@dhs.gov
DHS RTIC Secondary POC
  Name: Richard Wickersham
  Title: Information System Security Officer
  Phone: 703-921-7361
  Email: Richard.Wickersham@dhs.gov
1.5 References
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47,
Security Guide for Interconnecting Information Technology Systems, provides guidance in
preparing and establishing connectivity between networks. The key points are addressed in this
ISA. Consult the full document for additional information and examples of ISAs and
Memoranda of Understanding (MOUs).
NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides
guidelines for selecting and specifying security controls for information systems supporting the
executive agencies of the Federal government. The guidelines apply to all components of an
information system that process, store, or transmit Federal information. Other references used
within this ISA include:
• DHS Sensitive Systems Policy Directive 4300A
• DHS Sensitive Systems Handbook 4300A
• "Type Accreditation," Attachment D to the DHS 4300A, Sensitive Systems Handbook
• "Incident Response and Reporting," Attachment F to the DHS 4300A, Sensitive Systems
Handbook
• "Vulnerability Assessment Program," Attachment O to the DHS 4300A, Sensitive
Systems Handbook
• NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
• NIST ITL Bulletin, "Secure Interconnections for Information Technology Systems"
• NIST SP 800-53, Rev. 2, Recommended Security Controls for Federal Information
Systems
• DHS Management Directive 11042, "Safeguarding Sensitive Information"
2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS
The intent of this ISA is to provide DHS ICE agents, contractors, and WCJ users with exclusive
ICE access to those systems listed in Exhibit 1. This ISA encompasses the connection of the
DHS wide area network (WAN) via a T1 circuit connection to the Joint Enforcement Operations
Facility at WCJ, 2110 "O" Street, Greeley, Colorado 80631. Personnel will utilize these systems
to process aliens and conduct investigations.
The access to DHS and FBI systems (refer to Exhibit 1) from WCJ will be a network connection
between the DHS WAN and the ICE DHS LAN, which consists of a separate T1 network
connection via DHS ICE.
The 287(g) equipment related to this connection is owned by ICE, and WCJ has the
responsibility to secure the location of the equipment. Both organizations are authorized to
perform on-site verification to the extent necessary to confirm compliance with this agreement.
2.1 WCJ LAN Staff Responsibilities
The WCJ LAN staff responsibilities include:
• Limiting workstation logon access only to cleared and authorized 287(g) users.
2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities
The OCIO staff responsibilities include:
• Setting up user accounts to support 287(g) activities. (ICE OCIO Operations)
• Enabling stringent identification and authorization enforcement, using DHS password
and system inactivity standards (e.g., Windows password-protected screen saver) as
described in Section 3.10 of this document. (ICE OCIO Engineering)
• Utilizing the ICE image, which includes a hardened operating system, rigorous
patch/service patch, and anti-virus management. (ICE OCIO Engineering)
The approval of this ISA does not include the ability for the outside client agency to unilaterally
establish user accounts. DHS ICE security policies and procedures must be followed for
clearances, and written authorization for user accounts must be obtained from DHS. See Section
3.10 of this ISA for additional information.
System administration and maintenance of ICE-owned networking devices and workstations are
the sole responsibility of the ICE OCIO staff, including the Firewall Staff, Enterprise Operations
Center (EOC) (routers and switches), and other ICE offices as necessary and appropriate.
3.0 SECURITY CONSIDERATIONS
3.1 Formal Security Policy
ICE, the Task Force Office (TFO), the Jail Enforcement Office (JEO), contractors, and DHS
personnel must comply with existing Federal security and privacy laws and regulations in order
to protect Federal systems and data. Additionally, ICE, in the protection of DHS systems and
data, will utilize the DHS and ICE Information Assurance Division (IAD) documents listed in
Section 1.5. TFO personnel, JEO personnel, and contractors shall comply with their own
internal agency security policies as well as the higher-level requirements applicable to their
operations. Additionally, TFO personnel, JEO personnel, and contractors agree to the
requirements set forth by ICE. Circuits associated with this ISA are required by DHS 4300A to
enforce and maintain Federal Information Processing Standards (FIPS) 140-2 level encryption.
3.2 General Information/Data Description
The Central Index System (CIS) is a database system originally developed by the legacy
Immigration and Naturalization Service (INS). CIS contains information on the status of 57
million applicants/petitioners seeking immigration benefits. These applicants/petitioners
include: lawful permanent residents, naturalized citizens, aliens who illegally entered the U.S.,
aliens who have been issued employment authorization documents, individuals who petitioned
for benefits on behalf of family members, and other individuals subject to the provisions of the
Immigration and Nationality Act (INA). Information in the system includes name, date of birth,
class of admission, and country of birth. CIS information may also include the following
information: Social Security Number, Finger Print CD Number, Derivative Citizenship Number,
Naturalization Certificate Number, Mother's name, Father's name, first and last names for
aliases, Port of Entry, and driver's license number (if available).
The Computer Linked Application Information Management System 3 Mainframe (CLAIMS 3
MF) is a mainframe database-centered major application that supports processing of USCIS
applications and petitions for various immigrant benefits (e.g., change of status, employment
authorization, and extension of stay). CLAIMS 3 MF also serves as the repository for all data
processed through daily batch runs in the CLAIMS 3 LAN systems at the four Service Centers,
the National Benefits Center, the Administrative Appeals Office (AAO) and the Baltimore
District Office (BAL). CLAIMS 3 MF has two primary components: (1) an online data entry,
query, and adjudication system; and (2) a system of batch runs, which extract and report data and
provide interfaces with other systems. The Marriage Fraud Amendment System (MFAS) is a
subsystem of CLAIMS 3 MF. The MFAS supports and maintains casework for petitions for
Legal Permanent Residency by aliens who have previously been granted Conditional Permanent
Residency under the terms of the Marriage Fraud Amendment, including entrepreneurs. The
MFAS facilitates the adjudication and notification process for this program.
The Enforcement Case Tracking System (ENFORCE) is the primary administrative case
management system for ICE. Information found in the records includes biographical data, which
may include, but is not limited to: name, aliases, date of birth, phone numbers, addresses,
nationality, and personal descriptive data. It may also include biometric data, including but not
limited to, photographs. ENFORCE also may have information or data related to the subject
individual's case, including immigration history, alien registration, and other identification or
record numbers. Information gathered from admission screening includes biographical data,
biometric data, and encounter data, including time, place, location, and travel document
information.
The ENFORCE Alien Removal Module (EARM) is a module that is used to assist in the tracking
of the removal of aliens. The system maintains name and biographical information, biometric
information, arrest information (including initial immigration charges, criminal charges, and
detainer information). It also has case information, including category and status information,
case comments, information about hearing actions and decisions, information about custody and
bonds actions and decisions, and encounters linked to the case.
The Integrated Automated Fingerprint Identification System (IAFIS) is a national fingerprint and
criminal history system that is maintained by the Federal Bureau of Investigation (FBI). The
application provides automated fingerprint search capabilities, latent searching capabilities,
electronic image storage, and electronic exchanges of fingerprints and responses.
The Automated Biometric Identification System (IDENT) is the primary repository of biometric
information held by DHS in connection with its several and varied missions and functions. It is a
centralized and dynamic DHS-wide biometric database that also contains limited biographic and
encounter history information needed to place the biometric information in proper context.
3.3 ISA Requirements Within and Across Organizational Boundaries
See Section 2.0.
3.4 Physical Security and Environmental Controls
Physical security, at a minimum, will be governed by DHS 4300A Sensitive Systems Policy
Section 4.2, "IT Physical Security," and NIST SP 800-53 controls. Both DHS and the client
organizations shall provide physical security and system environmental safeguards adequate to
provide protection of the system components.
3.5 Data Sensitivity
The data that is passed between DHS and Weld County via the DHS connection is considered to
be at the FIPS 199 combined rating of "High."
3.6 Services Offered
The 287(g) client workstation will utilize Dynamic Host Configuration Protocol (DHCP) for
accessing systems. Technical details are provided in the high-level illustration in Section 4.0 and
the business case requirements table maintained by the ICE IAD staff.
The interconnections between the WCJ that traverse the DHS RTIC WAN are supported by
MPLS and Dynamic Multipoint Label Switching routers deployed and managed by the DHS RTIC
service provider (Verizon). These routers are placed at the 287g data center and provide an
Ethernet cable handoff to the 287g datacenter. The MPLS router establishes an AES 256
encrypted tunnel to the DHS DC1 and DC2 endpoints. All data traversing this interconnection is
encrypted. Please refer to the topological drawing, which depicts this interconnection.
3.7 Period of Operation
Systems/applications accessed are available 24 hours a day, seven days a week. This ISA is
valid for a three-year period from the date of the last signature. As the three-year period closes, a
renewal ISA agreement will be initiated by ICE and require signatures by both parties.
3.8 User Community
The user community will be restricted to staff having an appropriate background investigation,
and authorization from the ICE POC as per DHS/ICE standards/requirements. See Exhibit 1 for
access permissions for each respective system. DHS 4300A policy also states in Section 4.1.1.e
that, "Components shall ensure that only U.S. Citizens are granted access to DHS systems
processing sensitive information. Exceptions to the U.S. Citizenship requirement may be
granted by the Component senior official or designee with the concurrence of the Office of
Security and the DHS CIO or their designees."
3.9 Information Exchange Security
The information accessed by the 287(g) site is considered to be at the "High" sensitivity level.
The information must be protected in accordance with DHS 4300A Sensitive Systems Policy and
marked, stored, and disposed of in accordance with DHS MD 11042.1.
3.10 Trusted Behavior/Rules of Behavior
In compliance with DHS ICE 4300A Sensitive System Policy Rules of Behavior, each
workstation accessing ICE information under the 287(g) program shall use and maintain the ICE
image that is provided by ICE OCIO Engineering (the Deployment Team).
Each agency shall protect the information shared under this agreement. Each agency shall
implement the following security controls:
a) Anti-Virus—Workstations must include the ICE-approved anti-virus software with current
definitions.
b) Clearance—DHS will restrict system access to authorized DHS ICE Special Agents or
employees and 287(g) personnel, who must be U.S. citizens with favorable background
investigations who require this information in the course of official DHS ICE duties.
c) Data Storage—287(g) personnel are not permitted to replicate or store any system
information in a separate database or in any other electronic format, unless approved by the
system owner.
d) Disabled Sessions—Workstations shall be configured to automatically disable inactive
sessions after no more than 20 minutes of inactivity. Authentication must be required to
re-establish the session, either through unlocking a screensaver or logging onto the workstation.
e) Notification—The 287(g) Technical Point of Contact (TPOC) must notify the ICE TPOC
immediately upon the termination or departure of any approved 287(g) user. The 287(g)
TPOC must then notify the local Password Issuance and Control System (PICS) officer at the
Special Agent in Charge (SAC) office of this change.
f) Passwords—All 287(g) personnel are to go to the 287(g) Project Management Officer at
their site. The Officer will set up the process for 287(g) training including acquisition of
User IDs and passwords. For subsequent password changes during the course of the year,
287(g) personnel should go to the local PICS officer at the Special Agent in Charge (SAC)
office or the Field Office Director (FOD) at the Enforcement and Removal Office (ERO).
The 287(g) TPOC must also submit password changes to the ICE Service Desk at
1-888-347-7762 or via the Internet at http://remedyweb.ice.dhs.gov/help. All 287(g) users must
utilize the following policy for passwords. Passwords must:
- Be at least eight characters in length.
- Contain a combination of alphabetic, numeric, and special characters (such as
.,!@#$%), and not contain any dictionary word.
- Contain no more than two identical consecutive characters in any position from the
previous password.
- Not be the same as the previous eight passwords.
- Contain a combination of upper and lower case alphabetic letters.
- Not be shared among users under any circumstances (including DHS ICE and
non-ICE personnel).
All 287(g) personnel accessing data must complete a DHS/ICE 287(g) Access Request Form
covering each system. The 287(g) users then must submit the 287(g) Access Request Form
to the local PICS Officer at the SAC or FOD. If possible, please hand-deliver the completed
287(g) Access Request Form to the local PICS Officer. If it must be sent via e-mail, please
note that due to the inclusion of Social Security Number information on the 287(g) Access
Request Form, this form must be compressed, encrypted, and password-protected using
WinZip or equivalent software and then e-mailed. The password for this form must be
delivered in a separate e-mail. If the form is faxed, coordination of fax transfer should be
made prior to the transmission by calling the following number: (202) 732-2074. Users can
submit these forms to the ICE fax number, (202) 732-2073.
g) Printing—Output of 287(g) information is permitted for management use only.
h) Privacy—In accordance with the Privacy Act of 1974, the 287(g) client agency may not disclose
information obtained from the system to a third party without written permission from ICE.
Personally Identifiable Information (PII) must be controlled and safeguarded according to
Federal guidelines. This data is only to be used by those having an authorized purpose and
must be destroyed after 90 days unless being used in an ongoing investigation.
i) System Modifications—Refer to Exhibit 1 for a list of systems and access privileges.
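The password rules in item f) above are concrete enough to encode as a change-time check. The following Python validator is an added example, not part of the ISA and not ICE or PICS tooling; its word list, sample passwords and the reading of the "no more than two identical consecutive characters in any position from the previous password" rule (taken here to mean the longest run of positions at which the new and old passwords agree must not exceed two) are assumptions made for illustration. Prior passwords are retained only as salted PBKDF2 hashes so the eight-password history check never needs them in clear text; the immediately previous password is compared in clear text because a password change request already carries it.

```python
"""Checker for the 287(g) password rules in Section 3.10(f).

Added illustration, not part of the ISA or of any ICE system. The
dictionary, the sample passwords and the reading of the "two identical
consecutive characters ... from previous password" rule are assumptions.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 8          # "at least eight characters in length"
HISTORY_DEPTH = 8       # "not the same as the previous eight passwords"
MAX_MATCHING_RUN = 2    # "no more than two identical consecutive characters in any position"
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "greeley", "county", "secret", "admin"}

HistoryEntry = Tuple[bytes, bytes]   # (salt, PBKDF2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so retained history never holds clear-text passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH retained passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def longest_positional_match(new: str, old: str) -> int:
    """Longest run of consecutive positions i at which new[i] == old[i].

    Assumed reading of the "identical consecutive characters in any position
    from previous password" rule: Gr33ley!Jai9 vs Gr33ley!Jail shares 11.
    """
    best = run = 0
    for a, b in zip(new, old):
        run = run + 1 if a == b else 0
        best = max(best, run)
    return best


def check_password(new: str, old: Optional[str], history: List[HistoryEntry]) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable.

    `old` is the clear-text previous password supplied with the change request
    (None on first issuance); `history` holds hashed prior passwords, oldest first.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c in string.ascii_lowercase for c in new)
            and any(c in string.ascii_uppercase for c in new)):
        problems.append("needs both upper and lower case letters")
    if not any(c in string.digits for c in new):
        problems.append("needs a numeric character")
    if not any(c in string.punctuation for c in new):
        problems.append("needs a special character")
    lowered = new.lower()
    words = sorted(w for w in DICTIONARY if w in lowered)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if old is not None and longest_positional_match(new, old) > MAX_MATCHING_RUN:
        problems.append("shares more than two consecutive positions with the previous password")
    if matches_history(new, history):
        problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return problems


def rotate(new: str, old: Optional[str], history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Accept `new` if it passes, returning the history with its hash appended; raise otherwise."""
    problems = check_password(new, old, history)
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_password(new)]


if __name__ == "__main__":
    # Constructed walkthrough: one prior password, then three change attempts.
    previous = "Gr33ley!Jail"
    history = [hash_password(previous)]
    for candidate in ("Gr33ley!Jai9", "password1", "Wx7#qLm2Pz"):
        print(candidate, "->", check_password(candidate, previous, history) or "accepted")
```

The history slice `history[-HISTORY_DEPTH:]` is what enforces the "previous eight" bound: a ninth-oldest password is no longer compared, which is the behaviour the rule asks for, while the salted hash per entry keeps the retained list useless to anyone who obtains it.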
3.11 Incident Reporting
Any security incidents involving DHS/ICE equipment or data must be reported to ICE through
the DHS ICE Service Desk at (888) 347-7762 or the ICE Computer Incident Response Center
(CSIRC) at ice.csirc@dhs.gov. Incidents also include the loss of any Federal property or data.
3.12 System Monitoring
The systems/networks included in this interconnection are monitored by the owning
agencies. Within ICE, the Enterprise Operations Center (EOC) and the Security Operations
Center (SOC) are the primary offices to perform network monitoring.
3.13 Security Audit Trail Responsibility
Auditing of the system transactions is the responsibility of the owner of the DHS systems listed
in Exhibit 1. Audit logs will be retained for 90 days on-line and available for at least one year.
3.14 Specific Equipment/Service Restrictions
Government Furnished Equipment(GFE)supporting the 287(g)sites shall be configured and
maintained to current ICE Image Lab standards. Special purpose circuits,routers,servers,and
workstations will be configured and maintained in compliance with current mandatory security
polices.
All DHS ICE equipment,at or with access,to 287(g)sites or connections must be located in a
secured area not accessible to the public and must be restricted to only cleared and authorized
staff.
3.15 Dial-Up/Remote/Wireless Connectivity
Dial-up and remote connectivity are not allowed for this agreement.
3.16 Training and Awareness
The DHS ICE 287(g)program manager shall ensure that DHS and 287(g)personnel with access
to DHS ICE systems have documented participation in mandatory ICE Information Assurance
Awareness Training. These sessions shall be taken initially and annually.
3.17 Security Documentation
ICE System Security Plans (SSPs) and other Security Authorization (SA) documentation will be updated by ICE and provided to the ICE Information Assurance Division (IAD) for systems accessed. The client organization's managerial and technical security policies and procedures may be requested and reviewed by the DHS/ICE IAD on a periodic basis.
In order to ensure the required protection of DHS/ICE information, ICE reserves the right to inspect ICE IT assets at the client site with a seven (7) work day notice to the client organization. This coordinated inspection will include, but is not limited to, a complete physical walk-through of areas housing ICE workstations or other workstations accessing ICE data, and a Blue Team scanning of ICE IT assets to include data storage.
3.18 Change Control
Significant changes to the system architecture, documentation, or configurations will be reviewed, approved, and documented in accordance with the ICE configuration/change control process.
Please see Attachment A for policy statements concerning ports, protocols, and services.
3.19 Site or System Security Authorization
ICE and DHS SSPs and all other security-related documents are updated to reflect the changed security environment brought about by ICE and the 287(g) interconnection.
All future changes relating to the security architecture of the ICE interconnection will be updated within the corresponding security documents. The ICE SA documentation (e.g., SSP, Contingency Plan, Risk Assessments, Security Assessments, ISAs, etc.) and all other security-related documents will be made available upon request to each party for review and acceptance. C&A documentation will be updated to reflect the establishment of this interconnection and whenever a significant system change occurs. This ISA shall be updated should any significant information contained within change. The following information, at a minimum, will be maintained accurately within this ISA and any Memoranda of Understanding or Memoranda of Agreement:
• Names of interconnected systems
• Organizations owning all systems involved in the connection
All future changes relating to the security architecture of either system will be updated within the corresponding security documents. The assigned Information Systems Security Officer(s) for each system shall provide the security documentation to each organization upon request.
4.0 TOPOLOGICAL DRAWING
[Figure: ICE-to-WCJ topology diagram. Labels recovered from the drawing: WCJ, 2110 'O' Street, Greeley, Colorado 80631, with WCJ servers or clients; DHS demarcation firewall and MPLS VPN router; a primary and a secondary logical path across MPLS, each carried in an AES256 IPSEC VPN tunnel through MPLS routers, firewalls and Cisco VPN routers; DHS Data Center 2 (Primary) and DHS Data Center 1 (Secondary), each with a DHS firewall and WAN routers; LAN/OneNet encrypted WAN; LAN/WAN routers; LAN; ICE servers or clients, Immigration and Customs Enforcement (ICE). Title block: Connection to Immigration and Customs Enforcement (ICE), DHS Data Center RTIC MPLS Endpoints; Author: DHS/CBP Network Engineering; Date: October 17, 2011; Revision: (blank).]
5.0 SIGNATORY AUTHORITY
This ISA is valid for three years after the latest date on either signature listed below if the technology documented herein does not change or if there are no other intervening requirements for updates. At that time, the agreement must be reviewed, updated, and reauthorized. The security controls for this interconnection will be reviewed at least annually or whenever a significant change occurs. Either party may terminate this agreement with 30 days' advance notice. Noncompliance on the part of ICE or its users or contractors with regard to the security policies, standards, and procedures explained herein may result in the immediate termination of this agreement.
Jeffrey Eisensmith
DHS ICE/Chief Information Security Officer
Authorizing Official
(Signature and Date)
ICE ISA 2012-006

Weld County Jail, by and through the Weld County Board of Commissioners,
William F. Garcia, Chair pro tem
Authorizing Official
AUG 2 7 2012
(Signature and Date)
ICE ISA 2012-006
Original Copy: Carlos Vallejo ICE, OCIO, IAD
cc: William F. Garcia WCJ AO
Derek Lampe ICE Primary POC
Ken Yu ICE Secondary POC
Aleksei Welch Local POC
Keith Acosta Local 287(g) TPOC
Matt Schneider U.S. VISIT, IDENT POC
Mark Jesmer DOJ,FBI, IAFIS POC
Robert E. Purvis USCIS CLAIMS POC
Renee Schaming USCIS CLAIMS POC
Miguel Adams USCIS POC
Perry Darley USCIS POC
Linda Sollinger ICE OCIO Program Office
Lori de Venoge ICE Engineering POC
Patricia Dawkins CBP POC
USCIS Signature Page
Interconnection Security Agreement
(ICE Tracking IAD 2012-006)
Mark A. Schwartz
USCIS/Chief Information Officer
Authorizing Official
(Signature and Date)
Ref: ISA ICE IAD 2012-006
Michael Brown
Executive Director,IT Services
DHS RTIC/OneNet
Authorizing Official
(Signature and Date)
Attachment A
Allowed Ports, Protocols, and Services
Technical detail is provided in the high-level illustration in Section 4.0 of this document. Additionally, DHS 4300A v8 Sensitive IT Security Policy has general requirements statements concerning DHS allowed ports, protocols, and services for ISAs. These ISA requirements from DHS 4300A v7.2 are restated below:
5.4.3.b. Interconnections between DHS and non-DHS systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements, memoranda of understanding, service level agreements or interconnection security agreements.
5.4.5.a. Any direct connection of OneNet, DHS networks, or DHS mission systems to the Internet or to extranets shall occur through DHS Trusted Internet Connection (TIC) PEPs. The PSTN shall not be connected to OneNet at any time.
5.4.5.6. Firewalls and PEPs shall be configured to prohibit any protocol or service that is not explicitly permitted.
5.4.5.d. Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two-factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.
5.4.5.e. File Transfer Protocol (FTP) shall not be used to connect to or from any DHS computer. A connection protocol that employs secure authentication (two-factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.
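As an added illustration (not part of the ISA or of any DHS tooling), the following check audits a firewall rule set against the three requirements restated above: default deny, no Telnet, and no FTP. The rule model, the `Rule`/`Policy` classes, and the two sample rule sets are constructed for the example and do not reflect any real device syntax.

```python
# Added example, not part of the ISA: audit a firewall rule set against the
# Attachment A requirements restated above (default deny, no Telnet, no FTP).
# The rule model is constructed and simplified, not any real device's syntax.
from dataclasses import dataclass, field
from typing import List, Optional
TELNET_PORT = 23      # 5.4.5.d: Telnet shall not be used
FTP_PORTS = {20, 21}  # 5.4.5.e: FTP shall not be used to or from DHS computers

@dataclass
class Rule:
    action: str           # "ACCEPT" or "DROP"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port
    comment: str = ""

@dataclass
class Policy:
    default_action: str   # chain policy applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

def audit(policy: Policy) -> List[str]:
    """Return one finding per violation; an empty list means the set passes."""
    findings = []
    # Anything not explicitly permitted must be prohibited, so the chain
    # policy itself has to be DROP, not merely a trailing catch-all rule.
    if policy.default_action != "DROP":
        findings.append(f"default action is {policy.default_action}; must be DROP")
    for r in policy.rules:
        if r.action != "ACCEPT":
            continue
        if r.dport is None:
            findings.append(f"'{r.comment}' accepts every {r.proto} port; list each service")
        elif r.dport == TELNET_PORT:
            findings.append(f"'{r.comment}' permits Telnet (tcp/23); use approved SSH")
        elif r.dport in FTP_PORTS:
            findings.append(f"'{r.comment}' permits FTP (tcp/{r.dport}); prohibited")
    return findings

# Constructed sample rule sets: the weak one and its corrected counterpart.
WEAK = Policy("ACCEPT", [
    Rule("ACCEPT", "tcp", 23, "legacy telnet to router"),
    Rule("ACCEPT", "tcp", 21, "ftp drop box"),
    Rule("ACCEPT", "tcp", 443, "https to applications"),
])
HARDENED = Policy("DROP", [
    Rule("ACCEPT", "tcp", 443, "https to applications"),
    Rule("ACCEPT", "udp", 500, "IKE for the IPsec tunnel"),
    Rule("ACCEPT", "tcp", 22, "ssh, two-factor, Component-approved"),
])
```

Running `audit(WEAK)` reports the permissive default policy, the Telnet rule and the FTP rule; `audit(HARDENED)` returns no findings.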
Attachment B
ICE Engineering Drawing
[Figure: ICE Engineering Drawing for the 287(g) connection. Labels recovered from the drawing: WCJ 287(g) LAN with workstations and a router; equipment provided and managed by Verizon, including a packet shaper; MPLS (AES 256 Encryption); DHS Authorized Data Center with an MPLS screening router, a packet shaper and the DHS Steward Cisco firewall; HTTPS access to USICE/USCIS mainframe applications: ENFORCE, IDENT, IAFIS, EXCHANGE, CIS, CLAIMS 3 MF.]