Address Info: 1150 O Street, P.O. Box 758, Greeley, CO 80632 | Phone: (970) 400-4225 | Fax: (970) 336-7233 | Email: egesick@weld.gov | Official: Esther Gesick - Clerk to the Board
20161030.tiff
MEMORANDUM

TO: Sheriff's Office
DATE: September 18, 2020
FROM: Clerk to the Board's Office
SUBJECT: Tyler Document #2016-1030

Final signatures were not obtained by the parties required to fully execute Tyler Document #2016-1030, approved by the Weld County Board of Commissioners on March 21, 2016. Due to the prolonged delay in obtaining final signatures, the Clerk to the Board's Office has deemed it prudent to close this item out. This memorandum will be added to the Commissioners' files to demonstrate this document was not fully executed.

RESOLUTION

RE: APPROVE INTERCONNECTION SECURITY AGREEMENT AND AUTHORIZE CHAIR TO SIGN - U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT AND ENFORCEMENT AND REMOVAL OPERATIONS

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with an Interconnection Security Agreement between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriff's Office, U.S. Immigration and Customs Enforcement, Enforcement and Removal Operations, the Division of Information Assurance, commencing, and ending, with terms and conditions being as stated in said agreement, and

WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Interconnection Security Agreement between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Sheriff's Office, and U.S. Immigration and Customs Enforcement, Enforcement and Removal Operations, the Division of Information Assurance, be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreement.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 21st day of March, A.D., 2016.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED AS TO FORM: County Attorney
Date of signature:

Mike Freeman, Chair
Sean P. Conway, Pro-Tem
Julie A. Cozad
Kirkmeyer

2016-1030
SO0037

INTERCONNECTION SECURITY AGREEMENT
BETWEEN
U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT (ICE)
ENFORCEMENT AND REMOVAL OPERATIONS (ERO)
AND
WELD COUNTY JAIL
GREELEY, COLORADO

INFORMATION ASSURANCE DIVISION
ICE IAD 2015-14
Final
December 22, 2015

WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of ICE and Weld County Jail Disclosure Offices.
FOR OFFICIAL USE ONLY

CONTENTS

1.0 PURPOSE
  1.1 Security Network Connectivity Policy
  1.2 ISA Requirements for Types of System Interconnections
  1.3 Scope
  1.4 Point of Contacts
  1.5 References
2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS
  2.1 WCJ LAN Staff Responsibilities
  2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities
3.0 SECURITY CONSIDERATIONS
  3.1 Formal Security Policy
  3.2 General Information/Data Description
  3.3 ISA Requirements Within and Across Organizational Boundaries
  3.4 Physical Security and Environmental Controls
  3.5 Data Sensitivity
  3.6 Services Offered
  3.7 Period of Operation
  3.8 User Community
  3.9 Information Exchange Security
  3.10 Trusted Behavior/Rules of Behavior
  3.11 Incident Reporting
  3.12 System Monitoring
  3.13 Security Audit Trail Responsibility
  3.14 Specific Equipment/Service Restrictions
  3.15 Dial-Up/Remote/Wireless Connectivity
  3.16 Training and Awareness
  3.17 Security Documentation
  3.18 Change Control
  3.19 Site or System Certification and Accreditation
4.0 TOPOLOGICAL DRAWING
5.0 SIGNATORY AUTHORITY
ATTACHMENT A - ALLOWED PORTS, PROTOCOLS, AND SERVICES

EXHIBITS
Exhibit 1: Systems and Applications
Exhibit 2: Points of Contact

December 22, 2015 - ICE IAD 2015-14 - FOR OFFICIAL USE ONLY

1.0 PURPOSE

This Interconnection Security Agreement (ISA) is required by Federal and Department of Homeland Security (DHS) policy and establishes individual and organizational security responsibilities for protection and handling of DHS Sensitive-but-Unclassified (SBU)/For Official Use Only (FOUO) information. All specific requirements by both signatory organizations are also included in this ISA.

1.1 Security Network Connectivity Policy

DHS Sensitive Security Systems Policy Directive 4300A establishes DHS policy for network connectivity. The section on network connectivity (Section 5.4.3) states:

a. Components shall ensure appropriate identification and authentication controls, audit logging, and integrity controls are implemented on every network component.

b. Interconnections between classified Information Technology (IT) systems and IT systems not controlled by DHS shall be established only through controlled interfaces. The controlled interfaces shall be accredited at the highest security level of the information on the network.

c. Components shall document interconnections with other external networks with an ISA. Interconnections between DHS Components shall require an ISA when there is a difference in the security categorizations for confidentiality, integrity, and availability for the two networks. An ISA shall be signed by both Designated Approval Authorities (DAA) or by the official designated by the DAA to have signatory authority.

d. ISAs shall be reissued every three years or whenever any significant changes have been made to any of the interconnected systems.

e. ISAs shall be reviewed as a part of the annual Federal Information Security Management Act (FISMA) self-assessment.

1.2 ISA Requirements for Types of System Interconnections

System interconnections may be characterized as either direct or networked. Direct connections are single purpose point-to-point connections that support only the two connected systems. Directly connected systems do not rely on another network for their connectivity or security and are physically and electronically isolated from other networks and systems. Networked systems connect via an intervening network that exists as a general support system, not a single-purpose connection. For networked systems, the ISA must include the owner and DAA of the network as well as the owners of the classified or unclassified systems.
1.3 Scope

This interconnection provides Department of Homeland Security/Enforcement and Removal Operations (DHS/ERO) agents at the Weld County Jail (WCJ) with the systems shown in Exhibit 1. This facility is a law enforcement building located at 2110 O Street, Greeley, Colorado 80631. The DHS/ERO agents need the network and systems access to support the Criminal Alien Program, in order to integrate national security and law enforcement intelligence concerning the deportation of illegal aliens. The facility has a T1 connection with one (1) workstation.

Exhibit 1: Systems and Applications

Acronym | Systems/Applications
IDENT | Automated Biometric Identification System (OBIM) Read Only
EAGLE | Enforcement Integrated Database (EID) Arrest Guide (ICE) Read Only
IAFIS | Integrated Automated Fingerprint Identification System (FBI) Read/Write Only
CIS | Central Index System (USCIS) Read Only
CLAIMS 3 Mainframe | Computer Linked Application Information Management System (USCIS) Read Only
EARM | ENFORCE Alien Removal Module (ICE) Read/Write Only

1.4 Point of Contacts

The established points of contact (POC) for all issues associated with this agreement are available in Exhibit 2:

Exhibit 2: Points of Contact

ICE Enforcement & Removal Operations Point of Contact (POC)
Name: Donald Robillard
Phone: 303-833-6598, Ext 101
Cell: 720-454-5737
Email: Donald.T.Robillard@ice.dhs.gov
Address: 3770 Puritan Way, Unit J, Frederick, CO 80516

ICE Alternate ERO POC
Name: Christopher Jones
Phone: 303-833-6598 Ext 104
Cell: 720-354-6626
Email: Christopher.L.Jones@ice.dhs.gov
Address: 3770 Puritan Way, Unit J, Frederick, CO 80516

ICE ISSO
Name: Wendell N. Miller
Phone: 202-732-6541
Cell: 301-580-5040
Email: Wendell.N.Miller@associates.ice.dhs.gov
Address: Potomac Center North, 500 12th St. SW, Washington, DC 20024

WCJ POC
Name: Todd Deutsch
Phone: 970-356-4015 ext 2837
Email: tdeutsch@co.weld.co.us
Address: 2110 O Street, Greeley, CO 80631

1.5 References

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance in preparing and establishing connectivity between networks. SP 800-47 specifies guidance for establishing network ISAs. The key points are discussed in this ISA. Consult the full document for additional information and examples of ISAs and MOUs.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit Federal information.

• The documents that served as the primary source for this ISA are the two following National Institute of Standards and Technology (NIST) Special Publications, as well as the IT Security Policy Handbooks, Guides, and Manuals of DHS:
• NIST Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems.
• NIST ITL Bulletin, Secure Interconnections for Information Technology Systems, February 2003
• NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems, May 2010
• DHS Sensitive Systems Policy Directive 4300A
• DHS 4300A Sensitive Systems Handbook
• CBP HB 1400-05D Information Systems Security Policies and Procedures Handbook.
• Office of Assistant Secretary of Defense Memorandum, The Defense Information Systems Security Program (DISSP), August 19, 1992.
• Additional reference documents:
  a. DHS, Preparation of Interconnection Security Agreements, Attachment N to the DHS 4300A Sensitive Systems Handbook
  b. DHS, Incident Response and Reporting, Attachment F to the DHS 4300A Sensitive Systems Handbook
  c. NIST ITL Bulletin, Secure Interconnections for Information Technology Systems, February 2003

2.0 INTERCONNECTION STATEMENT OF REQUIREMENTS

WCJ, located at 2110 O Street, Greeley, Colorado 80631, has an ICE T1 circuit to access one (1) workstation. The Enforcement Officer will access the systems listed in Exhibit 1 to perform case status and criminal history checks on detainees in the correctional facility.

The WCJ maintains physical site security (access control) through a sign-in/badge process at the main entrance. Non-authorized personnel are escorted through the site. Guards are stationed in the lobby entry area with walk-through metal detectors and X-ray scanner devices. The facility requires non-authorized personnel to be escorted within the facility. Both ICE and WCJ organizations are authorized to make on-site verification to the extent necessary to confirm compliance with this agreement.

2.1 WCJ LAN Staff Responsibilities

The WCJ LAN staff is responsible for the following duties:

• Ensuring that DHS ICE user group workstations will be connected to the DHS WAN via a dedicated network.
• Ensuring that workstation logon access is limited to cleared and authorized users, as determined by ICE, to all DHS systems that will be accessed.

2.2 ICE Office of the Chief Information Officer (OCIO) Responsibilities

DHS OneNet Steward Engineers, ICE Firewall Engineering Group and ICE ITFO staff are responsible for configuring and maintaining all aspects of the connectivity. Specifically:

• The ICE Firewall Engineering Group works with ITFO and/or other stakeholders to identify the types of access required for the specified business case and documents it for submission to the DHS OneNet Steward Engineers who will, in turn, configure the OneNet firewall at the Stennis Data Center.
• ITFO maintains, by names, user groups for all that are individually cleared and authorized to access DHS systems.
• ITFO configures DHS user group workstations with static Internet Protocol (IP) addresses, restricts workstation logon to DHS user group only, and provides user group IP list (and updates as changes are made) to the ICE Infrastructure Engineering firewall staff.

The approval of this ISA does not include the ability for the outside agency to establish user accounts. DHS/ICE security policies and procedures must be followed for clearances. DHS must also provide written authorization.

System administration and maintenance of ICE-owned networking devices and workstations are the sole responsibility of the ICE OCIO staff, including the Firewall Staff, Enterprise Operations Center (EOC) (routers and switches), and others as necessary and appropriate.

3.0 SECURITY CONSIDERATIONS

3.1 Formal Security Policy

ICE, Task Force Office (TFO), Jail Enforcement Office (JEO), contractors, and DHS must comply with existing Federal security and privacy laws and regulations in order to protect Federal systems and data. Additionally, ICE, in the protection of DHS systems and data, will utilize DHS and ICE Information Assurance Division (IAD) documents, listed in Section 1.5. TFOs, JEOs and contractors shall comply with their own internal agency security policies as well as the higher-level requirements applicable to their operations. Additionally, TFOs, JEOs and contractors agree to requirements set forth by ICE. Circuits associated with this ISA are required by DHS 4300A to enforce and maintain Federal Information Processing Standards (FIPS) 140-2 level encryption.
3.2 General Information/Data Description

EAGLE is the Enforcement Integrated Database (EID) Arrest Guide for Law Enforcement - EID captures and maintains information related to the investigation, arrest, booking, detention and removal of persons encountered during immigration and criminal law enforcement investigations and operations. EAGLE is the booking application used to process the biometric and biographic information for individuals arrested by ICE for criminal violations of law and administrative violations of the Immigration and Nationality Act (INA). EAGLE replaces EID booking applications EABM, Mobile IDENT, WebIDENT, and ENFORCE. EAGLE will also connect to the Department of Defense's (DOD) Automated Biographic Information System (ABIS) and permit the comparison of fingerprints of foreign nationals arrested by ICE with DOD's information in ABIS.

IAFIS is the Integrated Automated Fingerprint Identification System - a national fingerprint and criminal history system that is maintained by the FBI. The application provides automated fingerprint search capabilities, latent searching capabilities, electronic image storage, and electronic exchanges of fingerprints and responses.

IDENT - The Automated Biometric Identification System (IDENT) is the primary repository of biometric information held by DHS in connection with its several and varied missions and functions. It is a centralized and dynamic DHS-wide biometric database that also contains limited biographic and encounter history information needed to place the biometric information in proper context.

CLAIMS 3 MF - The Computer Linked Application Information Management System 3 Mainframe (CLAIMS 3 MF) is a mainframe database-centered major application that supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay). CLAIMS 3 MF also serves as the repository for all data processed through daily batch runs in the CLAIMS 3 LAN systems at the four Service Centers, the National Benefits Center, the Administrative Appeals Office (AAO) and the Baltimore District Office (BAL). CLAIMS 3 MF has two primary components: (1) an online data entry, query, and adjudication system; and (2) a system of batch runs, which extract and report data and provide interfaces with other systems. The Marriage Fraud Amendment System (MFAS) is a subsystem of CLAIMS 3 MF. The MFAS supports and maintains casework for petitions for Legal Permanent Residency by aliens who have previously been granted Conditional Permanent Residency under the terms of the Marriage Fraud Amendment, including entrepreneurs. The MFAS facilitates the adjudication and notification process for this program.

EARM - The ENFORCE Alien Removal Module (EARM) is a module that is used to assist in the tracking of the removal of aliens. The system maintains name and biographical information, biometric information, and arrest information (including initial immigration charges, criminal charges, and detainer information). It also has case information, including category and status information, case comments, information about hearing actions and decisions, information about custody and bonds actions and decisions, and encounters linked to the case.

ERO agents located at WCJ will utilize these systems while processing suspected felons that are aliens.

3.3 ISA Requirements Within and Across Organizational Boundaries

See Section 2.0.

3.4 Physical Security and Environmental Controls

Physical security, at a minimum, will be governed by DHS 4300A Sensitive Systems Policy Section 4.2 "IT Physical Security" and NIST SP 800-53 controls. Both organizations shall provide physical security and system environmental safeguards adequate to provide protection of the system components.
3.5 Data Sensitivity

The data passed to the ERO agents via the DHS WAN connection is considered to be at the "HIGH" sensitivity level (FIPS 199 classifications equate to low, moderate, and high ratings).

3.6 Services Offered

The client workstation will utilize Dynamic Host Configuration Protocol (DHCP) for accessing systems. Technical details are provided in the high-level illustration in Attachment B and the business case requirements table maintained by the ICE IAD staff.

3.7 Period of Operation

Systems/Applications accessed are available 24 hours a day, 7 days a week. This ISA is valid for a three year period from the date of the last signature. As the three year period closes, a renewal ISA agreement will be initiated by ICE and require signatures by both parties. Either party may terminate this ISA at any time by providing the other party with a ten (10) day written notice of termination. Upon termination of the ISA, ICE will be responsible for removing the T-1 communications lines, any workstations and computer hardware that was installed in the WCJ pursuant to this agreement.

3.8 User Community

The user community will be restricted to staff having an appropriate background investigation, and authorization from the ICE POC as per DHS/ICE standards/requirements. See Exhibit 1 for access permissions for each respective system.

DHS 4300A policy also states in Section 4.1.1.e that, "Components shall ensure that only U.S. Citizens are granted access to DHS systems processing sensitive information. Exceptions to the U.S. Citizenship requirement may be granted by the Component senior official or designee with the concurrence of the Office of Security and the DHS CIO or their designees."

3.9 Information Exchange Security

The information accessed by the WCJ site is considered to be at the "HIGH" sensitivity level (FIPS 199 classifications of low, moderate and high). The information must be protected in accordance with DHS 4300A Sensitive Systems Policy and marked, stored, and disposed of in accordance with DHS MD 11042.1.

3.10 Trusted Behavior/Rules of Behavior

In compliance with DHS ICE 4300A Sensitive System Policy Rules of Behavior, each workstation accessing ICE information under the ERO program shall use and maintain the ICE image that is provided by ICE OCIO Engineering (the Deployment Team). Each agency shall protect the information shared under this agreement. Each agency shall implement the following security controls:

a) Anti-Virus - Workstations will include the ICE-approved anti-virus software with current definitions.

b) Clearance - DHS will restrict system access to authorized DHS ICE Special Agents or employees and ERO personnel who must be U.S. citizens with favorable background investigations who require this information in the course of official DHS ICE duties.

c) Data Storage - ERO personnel are not permitted to replicate or store any system information in a separate database or in any other electronic format, unless approved by the system owner. Only an ICE approved thumb drive is authorized for ICE users.

d) Disabled Sessions - Workstations shall be configured to automatically disable inactive sessions after no more than 20 minutes of inactivity. Authentication must be required to re-establish the session, either through unlocking a screensaver or logging onto the workstation.

e) Notification - The ERO TPOC must notify the ICE TPOC immediately upon the termination or departure of any approved ERO user. The ERO TPOC must then notify the local Password Issuance and Control System (PICS) officer at the Special Agent in Charge (SAC) office of this change.

f) Passwords - All ERO personnel are to go to the ERO Project Management Officer at their site. All ERO users must utilize the following policy for passwords. Passwords must:
   - Be at least eight characters in length
   - Contain a combination of alphabetic, numeric, special characters and not contain any dictionary word, i.e. (!@#$%)
   - Contain no more than two identical consecutive characters in any position from previous password
   - Not be the same as the previous eight passwords
   - Contain a combination of upper and lower case alphabetic letters
   - Not be shared among users under any circumstances (including DHS ICE, WCJ, and non-ICE personnel)

   All ERO personnel accessing data must complete a DHS Form G-872c, "Request for ADP Password," for each system. ERO users then submit these forms to the ICE fax number, (202) 732-2073. Coordination of fax transfer should be made prior to the form being transmitted by calling the following number: (202) 732-2074. Due to the inclusion of Social Security Number information on the G-872c form, this form must be compressed and encrypted using WinZip or equivalent software and then e-mailed. The password for this form must be delivered in a separate e-mail.

g) Printing - Output of ERO information is permitted for management use only.

h) Privacy - In accordance with FIPS, ERO client agency may not disclose information obtained from the system to a third party, without written permission from ICE. Personally Identifiable Information (PII) must be controlled and safeguarded according to Federal guidelines. This data is to only be used for those having an authorized purpose only and must be destroyed after 90 days.

i) System Modifications - Refer to Exhibit 1 for list of systems and access privileges.

3.11 Incident Reporting

Any security incidents involving DHS/ICE equipment or data must be reported to ICE through the DHS ICE Service Desk at (888) 347-7762 or the ICE CSIRC at ice.csirc@dhs.gov. Incidents also include the loss of any Federal property or data.
3.12 System Monitoring

The systems/networks included in this interconnection are monitored by the owning agencies. Within ICE, the EOC and Security Operations Center (SOC) are the primary offices to perform network monitoring.

3.13 Security Audit Trail Responsibility

Auditing of the system transactions is the responsibility of the owner of the DHS systems listed in Exhibit 1. Audit logs will be retained for 90 days on-line and available for at least seven (7) years off-line.

3.14 Specific Equipment/Service Restrictions

Government Furnished Equipment supporting the WCJ site shall be configured and maintained to current ICE standards. Special purpose circuits, routers, servers, and workstations will be configured and maintained in compliance with current, mandatory security policies. All DHS ICE equipment at or with access to WCJ or connections must be located in a secured area not accessible to the public and must be restricted to only cleared and authorized staff.

3.15 Dial-Up/Remote/Wireless Connectivity

Dial-up and remote connectivity are not allowed for this agreement.

3.16 Training and Awareness

ERO shall ensure that personnel with access to DHS/ICE systems have documented participation in mandatory ICE Information Assurance Awareness Training. These sessions shall be taken initially and annually.

3.17 Security Documentation

ICE Security Plans (SPs) and other Security Authorization (SA) documentation will be updated and provided to the ICE IAD as appropriate for systems accessed. Client ERO managerial and technical security policies and procedures may be requested and reviewed by the DHS ICE IAD on a periodic basis.

In order to ensure the required protection of DHS/ICE information, ICE reserves the right to inspect ICE IT assets at the client site with a seven (7) work day notice to the client organization. This coordinated inspection will include, but is not limited to, a complete physical walk-through of areas housing ICE workstations or other workstations accessing ICE data, and a Blue Team scanning of ICE IT assets to include data storage.

3.18 Change Control

Significant changes to the system architecture, documentation, or configurations will be reviewed, approved and documented in accordance with the ICE configuration/change control process.

3.19 Site or System Certification and Accreditation

ICE and DHS SPs and all other security related documents are updated to reflect the changed security environment brought about by ICE and the WCJ interconnection. All future changes relating to the security architecture of the ICE interconnection will be updated within the corresponding security documents. The ICE SA documentation (e.g., SP, Contingency Plan, Risk Assessments, Security Assessments, ISAs, etc.) and all other security-related documents will be made available upon request to each party for review and acceptance.

Security documentation will be updated to reflect the establishment of this interconnection and whenever a significant system change occurs. This ISA shall be updated should any significant information contained within change. The following information, at a minimum, will be maintained accurate within this ISA and any Memorandum of Understandings or Memorandums of Agreements:

• Names of interconnected systems
• Organizations owning all systems involved in the connection

All future changes relating to the security architecture of either system will be updated within the corresponding security documents. The assigned Information Systems Security Officer(s) for each system shall provide the security documentation to each organization upon request.
4.0 TOPOLOGICAL DRAWING

An architecture diagram showing the system interconnection is contained in Attachment B. The diagrams shall illustrate all communication paths, circuits, and other components used for the interconnection.

[Figure: ICE-to-WCJ LAN Interconnection Architecture (2110 O Street, Greeley, Colorado 80631). Legible labels: router; equipment provided/managed by Verizon; Packet Shaper; MPLS (AES 256 Encryption); Screening Router; DHS Steward; Mainframe Applications: EAGLE, IAFIS, IDENT, CIS, EARM, CLAIMS 3 MF.]

March 4, 2009 - ICE IAD 2009-008 - FOR OFFICIAL USE ONLY

5.0 SIGNATORY AUTHORITY

This ISA is valid for three years after the latest date on either signature listed below, if the technology documented herein does not change or if there are no other intervening requirements for updates. At that time, the agreement must be reviewed, updated, and reauthorized. The security controls for this interconnection will be reviewed at least annually or whenever a significant change occurs. Either party may terminate this agreement with 30 days advanced notice.

Noncompliance on the part of the ICE or its users or contractors with regards to security policies, standards, and procedures explained herein may result in the immediate termination of this agreement.

Robert Thorne
DHS ICE/Chief Information Security Officer
Designated Accrediting Authority
(Signature and Date)

Mike Freeman, Chair
Weld County Jail, by and through the Weld County Board of Commissioners
Designated Accrediting Authority
(Signature and Date) MAR 21 2016

Original Copy: Hunter Shaw, ICE IAD OCIO

cc:
William F. Garcia, Weld County Jail DAA
Bradley L. Douglas, ICE/ERO Primary POC
Daniel Schichel, ICE/ERO Secondary
Wendell N. Miller, ICE ISSO
Eric Dheher, WCJ OI POC
Sarah Fanden, USCIS Risk Management Branch Chief
Erica Palmer, USCIS ISSO

5.0 SIGNATORY AUTHORITY

This ISA is valid for three years after the latest date on either signature listed below, if the technology documented herein does not change or if there are no other intervening requirements for updates. At that time, the agreement must be reviewed, updated, and reauthorized. The security controls for this interconnection will be reviewed at least annually or whenever a significant change occurs. Either party may terminate this agreement with 30 days advanced notice.

Noncompliance on the part of the ICE or its users or contractors with regards to security policies, standards, and procedures explained herein may result in the immediate termination of this agreement.

Robert Thorne
DHS ICE/Chief Information Security Officer (acting)
Designated Accrediting Authority
(Signature and Date)

Todd Deutsch - Lieutenant
Weld County Jail
Designated Accrediting Authority
(Signature and Date)

Original Copy: Hunter Shaw, ICE IAD OCIO

cc:
Todd Deutsch, Weld County Jail DAA
Bradley L. Douglas, ICE/ERO Primary POC
Daniel Schichel, ICE/ERO Secondary
Wendell N. Miller, ICE ISSO
Eric Dheher, WCJ OI POC
Sarah Fanden, USCIS Risk Management Branch Chief
Erica Palmer, USCIS ISSO

Mark A. Schwartz
USCIS, Chief Information Officer
Authorizing Official
(Signature and Date)

Attachment A
Allowed Ports, Protocols, and Services

Technical detail is provided in the high-level illustration in Section 4 of this document. Additionally, DHS 4300A v11 Sensitive IT Security Policy has general requirements statements concerning DHS allowed ports, protocols, and services for ISAs. These ISA requirements from DHS 4300A v11 are restated below:

• 5.4.3.b. Interconnections between DHS and non-DHS systems shall be established only through the Trusted Internet Connection (TIC) and by approved service providers. The controlled interfaces shall be authorized at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements, memoranda of understanding, service level agreements or interconnection security agreements.
• 5.4.5.a. Any direct connection of OneNet, DHS networks, or DHS mission systems to the Internet or to extranets shall occur through DHS Trusted Internet Connection (TIC) Proposal Evaluation Procedures (PEPs). The Public Switched Telephone Network (PSTN) shall not be connected to OneNet at any time.
• 5.4.5.b. Firewalls and PEPs shall be configured to prohibit any protocol or service that is not explicitly permitted.
• 5.4.5.d. Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two-factor, encrypted, key exchange) and is approved by the Component shall be used instead.
• 5.4.5.e. File Transfer Protocol (FTP) shall not be used to connect to or from any DHS computer. A connection protocol that employs secure authentication (two-factor, encrypted, key exchange) and is approved by the Component shall be used instead.

RE: INTERCONNECTION SECURITY AGREEMENT - U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT (ICE) AND ENFORCEMENT AND REMOVAL OPERATIONS (ERO)

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
Mike Freeman, Chair
MAR 21 2016

APPROVED AS TO FUNDING: Controller
APPROVED AS TO SUBSTANCE: Elected Official or Department Head
APPROVED AS TO FORM: County Attorney
Director of General Services

2016-1030