Address Info: 1150 O Street, P.O. Box 758, Greeley, CO 80632 | Phone: (970) 400-4225 | Fax: (970) 336-7233 | Email: egesick@weld.gov | Official: Esther Gesick - Clerk to the Board
20090861
RESOLUTION

RE: APPROVE INTERCONNECTION SECURITY AGREEMENT FOR WELD COUNTY JAIL AND AUTHORIZE CHAIR TO SIGN - U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with an Interconnection Security Agreement for the Weld County Jail between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriff's Office, and the U.S. Immigration and Customs Enforcement, Information Assurance Division, commencing upon full execution of said agreement, for a period of three years, with further terms and conditions being as stated in said agreement, and

WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Interconnection Security Agreement for the Weld County Jail between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriff's Office, and the U.S. Immigration and Customs Enforcement, Information Assurance Division, be, and hereby is, approved.

BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreement.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 13th day of April, A.D., 2009.

BOARD OF COUNTY COMMISSIONERS, WELD COUNTY, COLORADO
William F. Garcia, Chair
[name illegible], Pro-Tem
Sean P. Conway

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED AS TO FORM: County Attorney
Date of signature: [illegible]
2009-0861

287(g) INTERCONNECTION SECURITY AGREEMENT BETWEEN U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT AND WELD COUNTY JAIL, GREELEY, COLORADO

INFORMATION ASSURANCE DIVISION
ICE IAD 2009-008
FINAL
April 7, 2009

WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of ICE and Weld County Jail Disclosure Offices.

CONTENTS

1.0 PURPOSE
1.1 Security Network Connectivity Policy
1.2 ISA Requirements for Types of System Interconnections
1.3 Scope
1.4 Point of Contacts
1.5 References
2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS
2.1 WCJ LAN Staff Responsibilities
2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities
3.0 SECURITY CONSIDERATIONS
3.1 Formal Security Policy
3.2 General Information/Data Description
3.3 ISA Requirements Within and Across Organizational Boundaries
3.4 Physical Security and Environmental Controls
3.5 Data Sensitivity
3.6 Services Offered
3.7 Period of Operation
3.8 User Community
3.9 Information Exchange Security
3.10 Trusted Behavior/Rules of Behavior
3.11 Incident Reporting
3.12 System Monitoring
3.13 Security Audit Trail Responsibility
3.14 Specific Equipment/Service Restrictions
3.15 Dial-Up/Remote/Wireless Connectivity
3.16 Training and Awareness
3.17 Security Documentation
3.18 Change Control
3.19 Site or System Certification and Accreditation
4.0 TOPOLOGICAL DRAWING
5.0 SIGNATORY AUTHORITY
ATTACHMENT A - ALLOWED PORTS, PROTOCOLS, AND SERVICES
ATTACHMENT B - ICE-TO-WCJ LAN INTERCONNECTION ARCHITECTURE
ATTACHMENT C - ICE-TO-WCJ LAN INTERCONNECTION ARCHITECTURE

EXHIBITS

Exhibit 1: Systems and Applications
Exhibit 2: Points of Contact

March 4, 2009   ICE IAD 2009-008   FOR OFFICIAL USE ONLY

1.0 PURPOSE

This Interconnection Security Agreement (ISA) is required by Federal and Department of Homeland Security (DHS) policy and establishes individual and organizational security responsibilities for protection and handling of DHS Sensitive-but-Unclassified (SBU)/For Official Use Only (FOUO) information. All specific requirements by both signatory organizations are also included in this ISA.

1.1 Security Network Connectivity Policy

DHS Sensitive Security Systems Policy Directive 4300A establishes DHS policy for network connectivity. The section on network connectivity (Section 5.4.3) states:

a. Components shall ensure appropriate identification and authentication controls, audit logging, and integrity controls are implemented on every network component.
b. Interconnections between classified Information Technology (IT) systems and IT systems not controlled by DHS shall be established only through controlled interfaces. The controlled interfaces shall be accredited at the highest security level of the information on the network.
c. Components shall document interconnections with other external networks with an ISA. Interconnections between DHS Components shall require an ISA when there is a difference in the security categorizations for confidentiality, integrity, and availability for the two networks. An ISA shall be signed by both Designated Approval Authorities (DAA) or by the official designated by the DAA to have signatory authority.
d. ISAs shall be reissued every three years or whenever any significant changes have been made to any of the interconnected systems.
e. ISAs shall be reviewed as a part of the annual Federal Information Security Management Act (FISMA) self-assessment.
1.2 ISA Requirements for Types of System Interconnections

System interconnections may be characterized as either direct or networked. Direct connections are single purpose point-to-point connections that support only the two connected systems. Directly connected systems do not rely on another network for their connectivity or security and are physically and electronically isolated from other networks and systems. Networked systems connect via an intervening network that exists as a general support system, not a single-purpose connection. Systems that are connected via an encrypted tunnel, whether on Homeland Secure Data Network (HSDN) or any other network, are considered networked systems.

For networked systems, the ISA must include the owner and DAA of the network as well as the owners of the classified or unclassified systems. In most cases, DHS classified systems will be connected via the HSDN, but some classified systems may be connected directly, without using the HSDN. For these directly connected systems, the ISA may include only the owners and DAAs of the connected systems themselves.

1.3 Scope

A T1 circuit will be used to access DHS and the Federal Bureau of Investigations (FBI) systems and applications in Exhibit 1 to support the delegation of authority to the Weld County Jail (WCJ). A T1 connection will be used for one workstation. No previous data access has been at this site. These are not ICE controlled facilities, but rather a County Jail located in Greeley, Colorado 80631. This delegation of authority project has been approved by Assistant Secretary Clark on or around December 11, 2005.
Exhibit 1: Systems and Applications

Acronym | Systems/Applications
IDENT | Automated Biometric Identification System (US VISIT), Read Only
ENFORCE | Enforcement Case Tracking System (ICE), Read Only
IAFIS | Integrated Automated Fingerprint Identification System (FBI), Read/Write Only
HTTP/HTTPS/Exchange | DHS Intranet Web Portals (ICE), Read Only
CIS | Central Index System (USCIS), Read Only
CLAIMS | Mainframe Computer Linked Application Information Management System (USCIS), Read Only
EARM | ENFORCE Alien Removal Module (ICE), Read Only

1.4 Point of Contacts

The established points of contact (POC) for all issues associated with this agreement are available in Exhibit 2:

Exhibit 2: Points of Contact

ICE Office of Investigations (OI) Point of Contact (POC)
Name: Eric Dreher
Phone: 303-721-3160
Cell: 303-901-6426
Fax: 303-721-3033
Email: eric.dreher@dhs.gov
Address: 5445 DTC Parkway, Suite 600, Denver, Colorado 80111

ICE Alternate OI POC
Name: Steve Pryor
Phone: 970-454-5638
Cell: 970-424-3654
Fax: 303-721-3033
Email: steven.l.pryor@dhs.gov
Address: 515 Industrial Park Road, Brush, Colorado 80723

Local Client 287(g) POC
Name: Alexsei Churyk
Phone: 970-356-4000, ext 2555
Cell: 970-590-2307
Fax: 970-304-6571
Email: achuryk@co.weld.co.us
Address: 2110 O Street, Greeley, CO 80631

Local 287(g) Technical POC
Name: Michael Welch
Phone: 970-356-4000, ext. 2554
Cell: 970-381-7426
Fax: 970-304-6571
Email: mwelch@co.weld.co.us
Address: 2110 O Street, Greeley, CO 80631

DHS ICE Office of Investigation (OI) Special Agent in Charge sponsor
Name: Rich Beamer
Phone: 202-732-3619 (office)
Cell: 202-498-9797
Fax: 202-732-5734
Email: Rich Beamer@sra.com
Address: 500 12th Street, SW, Washington, DC 20024

1.5 References

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance in preparing and establishing connectivity between networks. SP 800-47 specifies guidance for establishing network ISAs. The key points are discussed in this ISA. Consult the full document for additional information and examples of ISAs and MOUs.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit Federal information.

• DHS Sensitive Systems Policy Directive 4300A
• DHS 4300A Sensitive Systems Handbook
• DHS, Type Accreditation, Attachment D to the DHS 4300A Sensitive Systems Handbook
• DHS, Incident Response and Reporting, Attachment F to the DHS 4300A Sensitive Systems Handbook
• DHS, Vulnerability Assessment Program, Attachment O to the DHS 4300A Sensitive Systems Handbook
• NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002
• NIST ITL Bulletin, Secure Interconnections for Information Technology Systems, February 2003
• NIST SP 800-53, Rev. 1, Recommended Security Controls for Federal Information Systems, December 2006
• DHS MD 11042, Safeguarding Sensitive Information

2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS

The intent of this ISA is to provide DHS ICE agents, contractors, and WCJ with exclusive ICE access to those systems listed in Exhibit 1. This ISA encompasses the connection of the DHS wide area network via a T1 circuit connection to the Joint Enforcement Operations Facilities at WCJ, 2110 O Street, Greeley, Colorado 80631. Personnel will utilize these systems to process aliens and conduct investigations.

The access to DHS and FBI systems (refer to Exhibit 1) from WCJ will be a network connection between the DHS Wide Area Network (WAN) and the ICE DHS local area network (LAN), which consists of a separate T1 network connection via DHS ICE. The 287(g) equipment related to this connection is owned by ICE, and WCJ has the responsibility to secure the location of the equipment. Both organizations are authorized to perform on-site verification to the extent necessary to confirm compliance with this agreement.

2.1 WCJ LAN Staff Responsibilities

The WCJ LAN staff responsibilities include:

• Limiting workstation logon access only to cleared and authorized 287(g) users.
2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities

• Setting up user accounts to support 287(g) activities (ICE OCIO Operations)
• Providing a user group Internet Protocol (IP) list (and updates) to the DHS ICE Network Operations Center (NOC) Firewall Staff (ICE OCIO NOC)
• Enabling stringent identification and authorization enforcement, using DHS password and system inactivity standards (e.g., Windows password protected screen saver) as described in Section 3.10 (ICE OCIO Engineering)
• Establishing link encryption between site router and the DHS firewall (ICE OCIO Engineering)
• Utilizing the ICE image which includes hardened operating system, rigorous patch/Service Patch, and anti-virus management (ICE OCIO Engineering)

The approval of this ISA does not include the ability for the outside agency to establish user accounts. DHS ICE security policies and procedures must be followed for clearances and written authorization by DHS. System administration and maintenance of ICE-owned networking devices and workstations are the sole responsibility of the ICE OCIO staff, including the Firewall Staff, Enterprise Operations Center (routers and switches), and others as necessary and appropriate.

3.0 SECURITY CONSIDERATIONS

3.1 Formal Security Policy

ICE, Task Force Office (TFO), Jail Enforcement Office (JEO), contractors, and DHS must comply with existing Federal security and privacy laws and regulations in order to protect Federal systems and data. Additionally, ICE, in the protection of DHS systems and data, will utilize DHS and ICE Information Assurance Division (IAD) documents, listed in Section 1.5. TFOs, JEOs and contractors shall comply with their own internal agency security policies as well as the higher-level requirements applicable to their operations. Additionally, TFOs, JEOs and contractors agree to requirements set forth by ICE.
Circuits associated with this ISA are required by DHS 4300A to enforce and maintain Federal Information Processing Standards (FIPS) 140-2 level encryption.

3.2 General Information/Data Description

The biometric data of FBI's IAFIS will transport through the Criminal Justice Information System (CJIS) Gateway/CJIS WAN. This data will include fingerprint image data. The interconnection will utilize FIPS 140-2 compliant encryption technologies provided through Transport Level Security (TLS) 1.0. Biographic, biometric (in the form of ten fingerprints), and search result data will be transmitted to IDENT. Illegal or criminal aliens encountered by TFOs and JEOs will also be checked against DHS records (see listing of DHS systems in Exhibit 1) and processed for removal from the U.S. or prosecuted in U.S. District Court, as appropriate.

3.3 ISA Requirements Within and Across Organizational Boundaries

See Section 2.0.

3.4 Physical Security and Environmental Controls

Physical security, at a minimum, will be governed by DHS 4300A Sensitive Systems Policy Section 4.2 IT Physical Security and NIST SP 800-53 controls. Both organizations shall provide physical security and system environmental safeguards adequate to provide protection of the system components.

3.5 Data Sensitivity

The data passed to the 287(g) agents via the DHS WAN connection is considered to be at the "high" sensitivity level (FIPS 199 classifications equate to low, moderate and high ratings).

3.6 Services Offered

The 287(g) client workstation will utilize Dynamic Host Configuration Protocol (DHCP) for accessing systems. Technical details are provided in the high-level illustration in Attachment B and the business case requirements table maintained by the ICE IAD staff.

3.7 Period of Operation

Systems/Applications accessed are available 24 hours a day, 7 days a week. This ISA is valid for a three year period from the date of the last signature.
As the three year period closes, a renewal ISA agreement will be initiated by ICE and require signatures by both parties. Either party may terminate this ISA at any time by providing the other party with a ten (10) day written notice of termination. Upon termination of the ISA, ICE will be responsible for removing the T-1 communications lines and any workstations and computer hardware that were installed in the WCJ pursuant to this agreement.

3.8 User Community

The user community will be restricted to staff having an appropriate background investigation, and authorized by the ICE POC as per DHS/ICE standards/requirements. Following DHS 4300A Sensitive System Policy, non-DHS staff is permitted "read/write" access to DHS and FBI systems. DHS 4300A policy also states in Section 4.1.1.e that, "Only U.S. citizens shall be granted access to DHS systems processing sensitive information. An exception to the U.S. citizenship requirement may be granted by the Component Head or designee with the concurrence of the DHS Office of Security and the DHS Chief Information Officer or their designee (DHS Chief Information Security Officer)."

3.9 Information Exchange Security

The information accessed by the 287(g) site is considered to be at the "moderate" sensitivity level (FIPS 199 classifications of low, moderate and high). The information must be protected in accordance with DHS 4300A Sensitive Systems Policy and marked, stored, and disposed of in accordance with DHS MD 11042.1.

3.10 Trusted Behavior/Rules of Behavior

In compliance with DHS ICE 4300A Sensitive System Policy Rules of Behavior, each workstation accessing ICE information under the 287(g) program shall use and maintain the ICE image that is provided by ICE OCIO Engineering (the Deployment Team). Each agency shall protect the information shared under this agreement.
Each agency shall implement the following security controls:

a) Anti-Virus - Workstations will include the ICE-approved anti-virus software with current definitions.

b) Clearance - DHS will restrict system access to authorized DHS ICE Special Agents or employees and 287(g) personnel who must be U.S. citizens with favorable background investigations who require this information in the course of official DHS ICE duties.

c) Data Storage - 287(g) personnel are not permitted to replicate or store any system information in a separate database or in any other electronic format, unless approved by the system owner. Only an ICE approved thumb drive is authorized for ICE users.

d) Disabled Sessions - Workstations shall be configured to automatically disable inactive sessions after no more than 20 minutes of inactivity. Authentication must be required to re-establish the session, either through unlocking a screensaver or logging onto the workstation.

e) Notification - The 287(g) TPOC must notify the ICE TPOC immediately upon the termination or departure of any approved 287(g) user. The 287(g) TPOC must then notify the local Password Issuance and Control System (PICS) officer at the Special Agent in Charge (SAC) office of this change.

f) Passwords - All 287(g) personnel are to go to the 287(g) Project Management Officer at their site. The Officer will set up the process for 287(g) training including acquiring User IDs and passwords. For subsequent password changes during the course of the year, 287(g) personnel should go to the local PICS officer at the Special Agent in Charge (SAC) office or at the Detention and Removal Office's Field Office Director (FOD). The 287(g) TPOC must also submit password changes to the ICE Service Desk at 1-888-347-7762 or via the Internet at http://remedyweb.ice.dhs.gov/help. All 287(g) users must utilize the following policy for passwords.

Passwords must:
- Be at least eight characters in length
- Contain a combination of alphabetic, numeric, special characters and not contain any dictionary word, i.e. (!@#$%)
- Contain no more than two identical consecutive characters in any position from previous password
- Not be the same as the previous eight passwords
- Contain a combination of upper and lower case alphabetic letters
- Not be shared among users under any circumstances (including DHS ICE, WCJ, and non-ICE personnel)

All 287(g) personnel accessing data must complete a DHS/ICE 287(g) Access Request Form covering each system. The 287(g) users then must submit the 287(g) Access Request Form to the local PICS Officer at the SAC or FOD. If possible, please hand deliver the completed 287(g) Access Request Form to the local PICS Officer. If it must be sent via e-mail, please note that due to the inclusion of Social Security Number information on the 287(g) Access Request Form, this form must be compressed, encrypted, and password protected using WinZip or equivalent software and then e-mailed. The password for this form must be delivered in a separate e-mail. Coordination of fax transfer should be made prior to that transfer.

g) Printing - Output of 287(g) information is permitted for management use only.

h) Privacy - In accordance with FIPS, 287(g) client agency may not disclose information obtained from the system to a third party, without written permission from ICE. Personally Identifiable Information (PII) must be controlled and safeguarded according to Federal guidelines. This data is to only be used for those having an authorized purpose only and must be destroyed after 90 days.

i) System Modifications - Refer to Exhibit 1 for list of systems and access privileges.
3.11 Incident Reporting

Any security incidents involving DHS/ICE equipment or data must be reported to ICE through the DHS ICE Service Desk at (888) 347-7762 or the ICE CSIRC at ice.csirc@dhs.gov. Incidents also include the loss of any Federal property or data.

3.12 System Monitoring

The systems/networks included in this interconnection are monitored by the owning agencies. Within ICE, the Network Operations Center (NOC) and Security Operations Center (SOC) are primary offices to perform network monitoring.

3.13 Security Audit Trail Responsibility

Auditing of the system transactions is the responsibility of the owner of the DHS systems listed in Exhibit 1. Audit logs will be retained for 90 days on-line and available for at least one year.

3.14 Specific Equipment/Service Restrictions

Government Furnished Equipment supporting the 287(g) sites shall be configured and maintained to current ICE Image Lab standards. Special purpose circuits, routers, servers, and workstations will be configured and maintained in compliance with current, mandatory security policies. All DHS ICE equipment at or with access to 287(g) sites or connections must be located in a secured area not accessible to the public and must be restricted to only cleared and authorized staff.

3.15 Dial-Up/Remote/Wireless Connectivity

Not required for this agreement.

3.16 Training and Awareness

The DHS ICE Office of Investigation Special Agent in Charge sponsor shall ensure that DHS and 287(g) personnel with access to DHS ICE systems have documented participation in mandatory ICE Information Assurance Awareness Training. These sessions shall be taken initially and annually.

3.17 Security Documentation

ICE System Security Plans and other Certification and Accreditation documentation will be updated and provided to the ICE IAD as appropriate for systems accessed.
Client 287(g) managerial and technical security policies and procedures may be requested and reviewed by the DHS ICE IAD on a periodic basis.

3.18 Change Control

Significant changes to the system architecture, documentation, or configurations will be reviewed, approved and documented in accordance with the ICE configuration/change control process.

3.19 Site or System Certification and Accreditation

ICE and DHS System Security Plans (SSP) and all other security related documents are updated to reflect the changed security environment brought about by ICE and the 287(g) interconnection. All future changes relating to the security architecture of the ICE interconnection will be updated within the corresponding security documents. The ICE Certification and Accreditation (C&A) documentation (e.g., SSP, Contingency Plan, Risk Assessments and Security Assessments, ISAs, etc.) and all other security related documents will be made available upon request to each party for review and acceptance. C&A documentation will be updated to reflect the establishment of this interconnection and whenever a significant system change occurs.

This ISA shall be updated should any significant information contained within change. The following information, at a minimum, will be maintained accurate within this ISA and any Memorandum of Understandings or Memorandums of Agreements:

• Names of interconnected systems
• Organizations owning all systems involved in the connection

All future changes relating to the security architecture of either system will be updated within the corresponding security documents. The assigned Information Systems Security Officer(s) for each system shall provide the security documentation to each organization upon request.

4.0 TOPOLOGICAL DRAWING

An architecture diagram showing the system interconnection is contained in Attachment B.
The diagrams shall illustrate all communication paths, circuits, and other components used for the interconnection.

5.0 SIGNATORY AUTHORITY

This ISA is valid for three years after the latest date on either signature listed below, if the technology documented herein does not change or if there are no other intervening requirements for updates. At that time, the agreement must be reviewed, updated, and reauthorized. The security controls for this interconnection will be reviewed at least annually or whenever a significant change occurs. Either party may terminate this agreement with 30 days advanced notice.

Noncompliance on the part of the ICE or its users or contractors with regards to security policies, standards, and procedures explained herein may result in the immediate termination of this agreement.

Gil Vega
DHS ICE/Chief Information Security Officer
Designated Accrediting Authority
(Signature and Date)

Weld County Jail, by and through the Weld County Board of Commissioners, William F. Garcia, Chair
Designated Accrediting Authority
(Signature and Date)

[signatures illegible; legible date: 04/13/09]

Original Copy:

Scott Williams, ICE OCIO IAD
Aleksei Churyk, WCJ POC
Michael Welch, WCJ TPOC
Eric Dreher, OI POC
Steve Pryor, OI Alternate POC
Steve Cooper, ICE ENFORCE POC
Matt Schneider, U.S. VISIT, IDENT POC
Mark Jesmer, DOJ, FBI, IAFIS POC
Kelly Gilmore, USCIS, CIS/CLAIMS POC
Mai Mozelle, ICE, DRO, DACS POC
Susan Penney, ICE, OCIO, SDD
Roger Chalonec, ICE, OCIO, Engineering
Phil Letowt, ICE, OCIO, Architecture
Jim Froning, ICE, IAD, SOC POC
Patricia Dawkins, CBP POC
Clifford Tichenor, CBP POC
Art Freeman, ICE, OCIO, IAD

Attachment A

Allowed Ports, Protocols, and Services

Technical detail is provided in the high-level illustration in Attachment B and the business case requirements table maintained by the IAD staff for firewall configuration management of the network interconnection.

DHS 4300A Sensitive Systems Policy has general requirement statements concerning DHS allowed ports, protocols and services for ISAs. These ISA requirements from DHS 4300A are restated below:

• Interconnections between DHS and non-DHS IT systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements, memoranda of understanding, service level agreements or interconnect service agreements.
• 5.4.5.d - Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.
• Section 5.4.5.e - File Transfer Protocol (FTP) shall not be used to connect to or from any DHS computer. A connection protocol that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.

DHS 4300A Sensitive Systems Handbook goes on to provide guidance in the following manner:

• Section 5.4.5 - Firewalls must be configured to prohibit any Transport Control Protocol (TCP), User Datagram Protocol (UDP) service, or other protocol that is not explicitly permitted.
Note: The TCP/IP protocol is a common standard for ICE use. Of particular concern is the need to close ports that allow file and printer sharing, whether through Microsoft NetBIOS, Common Internet File Service (CIFS), Network File Services (NFS), or TCP Server Message Block (SMB) protocols. The use of file and printer sharing is associated with numerous vulnerabilities related to everything from enumeration of devices and user accounts to anonymous control of systems without authorization.

Attachment B

ICE-to-WCJ LAN Interconnection Architecture

The network connectivity between the ICE and WCJ is shown in Attachment B.

[Figure: Attachment B: ICE-to-WCJ Connectivity at 2110 O Street, Greeley, Colorado 80631. Diagram labels: Redundant Trusted Internet Connections; ONENet; IAFIS; 287(g) router; Packet Shaper; equipment provided/managed by Verizon; MPLS (AES 128 Encryption); MPLS Screening Router; 287(g) Juniper NetScreen Firewall; USICE ENFORCE, IDENT, HTTPS, EXCHANGE, EARM; USCIS CIS, CLAIMS.]

From: Donna Bechler
Sent: Monday, April 13, 2009 2:52 PM
To: 'William.Berry1@dhs.gov'
Cc: Bruce Barker; Monica Mika
Subject: Weld County Jail Interconnection Security Agreement
Attachments: Agreement.tif

Mr. Berry,

I am attaching a copy of the ISA Agreement that was signed by the Board of County Commissioners at the Board meeting this morning, April 13, 2009. We did not receive a cover letter which was to include your mailing information when we received the contracts. We will need that information in order to mail the original to you.
Sincerely,

Donna Bechler
Deputy Clerk to the Board
970-356-4000 X4227

4/13/2009

Page 1 of 4
Donna Bechler

From: Esther Gesick
Sent: Thursday, April 09, 2009 12:51 PM
To: Donna Bechler; Jennifer VanEgdom
Cc: Monica Mika; Bruce Barker; William.Berry1@dhs.gov
Subject: FW: Weld County Jail ISA

Donna,

The Weld County Jail Interconnection Security Agreement (ISA) is listed on Monday's (13th) Agenda. I just spoke with Dan Berry, ICE Project Manager, and he stated they are mailing two signed originals today in hopes that we will have them for the Chair to sign on Monday. Once they are signed, please e-mail him a scanned copy (cc: Monica and Bruce), and then mail one original back to him as soon as possible. He indicated there will be a cover letter included with his contact and mailing information provided.

Thanks for taking care of this while I'm out next week!

Esther E. Gesick
Deputy Clerk to the Board
915 10th Street
Greeley, CO 80631
(970)356-4000 X4226
(970)352-0242 (fax)

From: Berry, William [mailto:William.Berry1@dhs.gov]
Sent: Thursday, April 09, 2009 7:42 AM
To: Dreher, Eric A; Penney, Susan E
Cc: Esther Gesick
Subject: Re: Weld County Jail ISA

Does this ISA reflect all the changes?

Regards,
William (Dan) Berry
IT Project Manager -> 287(g)
DHS/ICE/OCIO/NIB
Email -> William.Berry1@dhs.gov
Office -> 202.732.2340
Mobile -> 202.507.3182

From: Dreher, Eric A
To: Berry, William; Penney, Susan E
Cc: Esther Gesick <egesick@co.weld.co.us>
Sent: Thu Apr 09 09:41:07 2009
Subject: FW: Weld County Jail ISA

William,

The Weld County Jail is asking that the ISA be signed by the DHS ICE/Chief Information Security Officer and returned to them via mail (FedEx). This will allow them to have the Chair sign the ISA.

Attached is the ISA which has been reviewed and approved by Weld County Legal. Weld County is requesting two original signed copies of the ISA (see below) and to send them to:

Esther E. Gesick
Deputy Clerk to the Board
915 10th Street
Greeley, CO 80631

Thanks,

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

From: Esther Gesick [mailto:egesick@co.weld.co.us]
Sent: Wednesday, April 08, 2009 3:08 PM
To: eric.dreher@dhs.gov
Cc: Monica Mika; Bruce Barker; Esther Gesick
Subject: FW: Weld County Jail ISA

Mr. Dreher,

I made a slight modification to the signature page to designate the Weld County Board of Commissioners. This matter will be listed on the 9:00 Agenda for Monday, April 13, 2009; however, I would appreciate your assistance in expediting the signature of the DHS ICE/Chief Information Security Officer, Gil Vega. Please mail two signed originals to my attention at the address below so I can finalize the matter with the Chair's signature. One fully executed original and a copy of the Board's Resolution will be returned to you.

If you have any questions, please let me know. Thanks!

Esther E. Gesick
Deputy Clerk to the Board
915 10th Street
Greeley, CO 80631
(970)356-4000 X4226
(970)352-0242 (fax)

From: Monica Mika
Sent: Wednesday, April 08, 2009 8:22 AM
To: Esther Gesick
Subject: FW: Weld County Jail ISA

Please put this on the agenda for Monday. Thanks.

From: Dreher, Eric A [mailto:eric.dreher@dhs.gov]
Sent: Wednesday, April 08, 2009 8:11 AM
To: Monica Mika
Cc: Berry, William; Penney, Susan E
Subject: RE: Weld County Jail ISA

Monica,

Here is the latest revision. Sorry I missed that one, thought that I had gotten them all. Would you like for me to be at the BOCC meeting on Monday, to answer any questions that might arise? If not I look forward to moving forward on having the computer installed after the ISA is signed.

Thanks for all your help!

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

From: Monica Mika [mailto:mmika@co.weld.co.us]
Sent: Tuesday, April 07, 2009 5:50 PM
To: Dreher, Eric A
Subject: RE: Weld County Jail ISA

Eric, can you please make this change and I will put on the agenda for approval by the BOCC for Monday. Thanks.
m

-----Original Message-----
From: Bruce Barker
Sent: Tuesday, April 07, 2009 3:41 PM
To: Monica Mika
Subject: RE: Weld County Jail ISA

Looks fine. I made a slight change to 1.3 to state, again, that the facility is a county jail.

-----Original Message-----
From: Monica Mika
Sent: Tuesday, April 07, 2009 3:27 PM
To: Bruce Barker
Subject: FW: Weld County Jail ISA
Importance: High

Here you go, the revised agreement is attached. Thanks for your review.

From: Dreher, Eric A [mailto:eric.dreher@dhs.gov]
Sent: Tuesday, April 07, 2009 2:04 PM
To: Monica Mika
Cc: Berry, William; Penney, Susan E
Subject: Weld County Jail ISA
Importance: High

Monica,

It was finally a pleasure talking to you today and I look forward to working with you more. I hope that I was able to make all the corrections you and your legal office requested.

• I corrected the ISA to show "Weld County Jail"
• I also added into section 3.7 that written notice of termination, but as I said this is your building and you can kick us out any time.
• I also made sure that section 3.7 states that ICE will be responsible for removing all line, equipment, etc; at the termination of the ISA.
• Finally, I think that the other concerns that your legal had in regards to the other sections where WCJ would comply with ICE Standard is somewhat irrelevant at this time. For the fact that your security (you are a jail) surpasses all of ICE Standards and if ICE would have a problem, then WCJ could terminate the ISA.

I have attached the amended ISA and hope that you are able to get approval to get it signed off.
If you run into any more problems please give me a call.

Thanks,

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

4/13/2009

Page 1 of 3
Donna Bechler

From: Monica Mika
Sent: Monday, April 13, 2009 5:24 PM
To: Esther Gesick
Subject: Fw: Weld County Jail ISA contact info

Donna. Here is that contact for ICE (Eric Dreher)

From: Dreher, Eric A
To: Monica Mika
Sent: Mon Apr 13 13:30:10 2009
Subject: RE: Weld County Jail ISA

Thanks for the information, I will make sure and pass it along.

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

From: Monica Mika [mailto:mmika@co.weld.co.us]
Sent: Monday, April 13, 2009 1:24 PM
To: eric.dreher@dhs.gov
Subject: RE: Weld County Jail ISA

The BOCC approved the agreement today. FYI...

Monica

From: Esther Gesick
Sent: Wednesday, April 08, 2009 3:08 PM
To: eric.dreher@dhs.gov
Cc: Monica Mika; Bruce Barker; Esther Gesick
Subject: FW: Weld County Jail ISA

Mr. Dreher,

I made a slight modification to the signature page to designate the Weld County Board of Commissioners. This matter will be listed on the 9:00 Agenda for Monday, April 13, 2009; however, I would appreciate your assistance in expediting the signature of the DHS ICE/Chief Information Security Officer, Gil Vega. Please mail two signed originals to my attention at the address below so I can finalize the matter with the Chair's signature. One fully executed original and a copy of the Board's Resolution will be returned to you.

If you have any questions, please let me know. Thanks!

Esther E. Gesick
Deputy Clerk to the Board
915 10th Street
Greeley, CO 80631
(970)356-4000 X4226
(970)352-0242 (fax)

From: Monica Mika
Sent: Wednesday, April 08, 2009 8:22 AM
To: Esther Gesick
Subject: FW: Weld County Jail ISA

Please put this on the agenda for Monday. Thanks.

From: Dreher, Eric A [mailto:eric.dreher@dhs.gov]
Sent: Wednesday, April 08, 2009 8:11 AM
To: Monica Mika
Cc: Berry, William; Penney, Susan E
Subject: RE: Weld County Jail ISA

Monica,

Here is the latest revision. Sorry I missed that one, thought that I had gotten them all. Would you like for me to be at the BOCC meeting on Monday, to answer any questions that might arise? If not I look forward to moving forward on having the computer installed after the ISA is signed.

Thanks for all your help!

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

From: Monica Mika [mailto:mmika@co.weld.co.us]
Sent: Tuesday, April 07, 2009 5:50 PM
To: Dreher, Eric A
Subject: RE: Weld County Jail ISA

Eric, can you please make this change and I will put on the agenda for approval by the BOCC for Monday. Thanks.
m

-----Original Message-----
From: Bruce Barker
Sent: Tuesday, April 07, 2009 3:41 PM
To: Monica Mika
Subject: RE: Weld County Jail ISA

Looks fine. I made a slight change to 1.3 to state, again, that the facility is a county jail.

-----Original Message-----
From: Monica Mika
Sent: Tuesday, April 07, 2009 3:27 PM
To: Bruce Barker
Subject: FW: Weld County Jail ISA
Importance: High

Here you go, the revised agreement is attached. Thanks for your review.

From: Dreher, Eric A [mailto:eric.dreher@dhs.gov]
Sent: Tuesday, April 07, 2009 2:04 PM
To: Monica Mika
Cc: Berry, William; Penney, Susan E
Subject: Weld County Jail ISA
Importance: High

Monica,

It was finally a pleasure talking to you today and I look forward to working with you more. I hope that I was able to make all the corrections you and your legal office requested.

• I corrected the ISA to show "Weld County Jail"
• I also added into section 3.7 that written notice of termination, but as I said this is your building and you can kick us out any time.
• I also made sure that section 3.7 states that ICE will be responsible for removing all line, equipment, etc; at the termination of the ISA.
• Finally, I think that the other concerns that your legal had in regards to the other sections where WCJ would comply with ICE Standard is somewhat irrelevant at this time. For the fact that your security (you are a jail) surpasses all of ICE Standards and if ICE would have a problem, then WCJ could terminate the ISA.

I have attached the amended ISA and hope that you are able to get approval to get it signed off. If you run into any more problems please give me a call.

Thanks,

Eric Dreher
Senior Special Agent/Program Manager
U.S. Immigration and Customs Enforcement
5445 DTC Parkway, Suite 600
Denver, CO 80111
Office: 303-721-3160
Cellular: 303-901-6426
FAX: 303-721-3033

4/14/2009

Page 1 of 2
Donna Bechler

From: Berry, William [William.Berry1@dhs.gov]
Sent: Monday, April 13, 2009 3:57 PM
To: Donna Bechler
Cc: Berry, William
Subject: FW: Weld County Jail Interconnection Security Agreement

Donna,

One more tidbit you will need -> Washington DC 20001

William (Dan) Berry
IT Project Manager /287(g)
OCIO Engineering /Implementation
Office of the Chief Information Officer
Immigration & Customs Enforcement
Email -> William.Berry1@dhs.gov
Office -> 202.732.2340
Mobile -> 202.507.3182

From: Berry, William
Sent: Monday, April 13, 2009 5:35 PM
To: 'Donna Bechler'
Cc: Berry, William; Seabron, Lavert; Penney, Susan E; Williams, Scott
Subject: RE: Weld County Jail Interconnection Security Agreement

Donna,

I am sorry you did not receive the return mailing address. I want to thank you for your quick response. Please see below information.
Please Send to

Attn: Scott Williams
US Department of Homeland Security
801 I Street NW Suite 700
OCIO Engineering /Implementation
Office of the Chief Information Officer
(202) 732-2059

Thanks Again

William (Dan) Berry
IT Project Manager /287(g)
OCIO Engineering /Implementation
Office of the Chief Information Officer
Immigration & Customs Enforcement
Email -> William.Berry1@dhs.gov
Office -> 202.732.2340
Mobile -> 202.507.3182

From: Donna Bechler [mailto:dbechler@co.weld.co.us]
Sent: Monday, April 13, 2009 4:52 PM
To: William.Berry1@dhs.gov
Cc: Bruce Barker; Monica Mika
Subject: Weld County Jail Interconnection Security Agreement

Mr. Berry,

I am attaching a copy of the ISA Agreement that was signed by the Board of County Commissioners at the Board meeting this morning, April 13, 2009. We did not receive a cover letter which was to include your mailing information when we received the contracts. We will need that information in order to mail the original to you.

Sincerely,

Donna Bechler
Deputy Clerk to the Board
970-356-4000 X4227

4/13/2009

Page 1 of 1
Donna Bechler

From: Berry, William [William.Berry1@dhs.gov]
Sent: Monday, April 13, 2009 3:35 PM
To: Donna Bechler
Cc: Berry, William; Seabron, Lavert; Penney, Susan E; Williams, Scott
Subject: RE: Weld County Jail Interconnection Security Agreement

Donna,

I am sorry you did not receive the return mailing address. I want to thank you for your quick response. Please see below information.
Please Send to

Attn: Scott Williams
US Department of Homeland Security
801 I Street NW Suite 700
OCIO Engineering /Implementation
Office of the Chief Information Officer
(202) 732-2059

Thanks Again

William (Dan) Berry
IT Project Manager /287(g)
OCIO Engineering /Implementation
Office of the Chief Information Officer
Immigration & Customs Enforcement
Email -> William.Berry1@dhs.gov
Office -> 202.732.2340
Mobile -> 202.507.3182

From: Donna Bechler [mailto:dbechler@co.weld.co.us]
Sent: Monday, April 13, 2009 4:52 PM
To: William.Berry1@dhs.gov
Cc: Bruce Barker; Monica Mika
Subject: Weld County Jail Interconnection Security Agreement

Mr. Berry,

I am attaching a copy of the ISA Agreement that was signed by the Board of County Commissioners at the Board meeting this morning, April 13, 2009. We did not receive a cover letter which was to include your mailing information when we received the contracts. We will need that information in order to mail the original to you.

Sincerely,

Donna Bechler
Deputy Clerk to the Board
970-356-4000 X4227

4/13/2009

FAX TRANSMISSION

COLORADO
CLERK TO THE BOARD
915 10TH STREET
P. O. BOX 758
GREELEY, CO 80631
PHONE: 970-356-4000 EXT. 4225
FAX: 970-352-0242

To: SCOTT WILLIAMS
Date: 04/16/09
Fax: (202)732-2055
Pages: 18, including cover page
Phone:
From: Sharon Kahl, Deputy Clerk to the Board
Subject: INTERCONNECTION SECURITY AGREEMENT BETWEEN US IMMIGRATION AND CUSTOMS ENFORCEMENT AND WC JAIL

COMMENTS: AS REQUESTED BY SCOTT WILLIAMS

CONFIDENTIAL

This facsimile is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this facsimile is not the intended recipient nor the employee or agent responsible for delivering the facsimile to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify us immediately by telephone and return the original message to us at the above address via the U.S. Postal Service. Thank you.