Item C16 C.16
i�`
CountCounty ��Monroe. ,y, ? "tr, BOARD OF COUNTY COMMISSIONERS
y M T� \�1a� Mayor Michelle Coldiron,District 2
�1 1 nff `_ll Mayor Pro Tem David Rice,District 4
-Ile Florida.Keys Craig Cates,District 1
Eddie Martinez,District 3
w Mike Forster,District 5
County Commission Meeting
June 16, 2021
Agenda Item Number: C.16
Agenda Item Summary #3321
BULK ITEM: Yes DEPARTMENT: Emergency Management
TIME APPROXIMATE: STAFF CONTACT: Jeff Manning (305)289-6325
N/A
AGENDA ITEM WORDING: Approval to renew Memorandum of Agreement with the Federal
Emergency Management Agency (FEMA) regarding the use of the Interoperable Public Alert and
Warning System (IPAWS) Platform for Emergency Networks System, and delegation to the Monroe
County Director of Emergency Management to execute this MOA and any related documentation.
ITEM BACKGROUND: Monroe County is required by the Federal Emergency Management
Agency (FEMA)to deliver certain emergency messages to protect lives and property of residents
and visitors to Monroe County via the Emergency Alert System (EAS). This agreement will allow
for coordination and cooperation between and among Monroe County Emergency Management and
FEMA regarding utilization and security of Monroe County Emergency Management's
interoperable system for emergency messaging, which may interoperate with the FEMA IPAWS-
Open Platform for Emergency Networks (IPAWS-OPEN), to deliver emergency alert messaging to
the public.
PREVIOUS RELEVANT BOCC ACTION: The current MOA between Monroe County and
FEMA for this purpose was executed in 2018 and expires in August 2021.
CONTRACT/AGREEMENT CHANGES:
Renewal
STAFF RECOMMENDATION: Approval
DOCUMENTATION:
IPAWS MOA FL Monroe County Emergency Management_MOA-v4.5-2
FINANCIAL IMPACT:
Effective Date: Upon execution
Expiration Date: Three years from full execution
Packet Pg. 518
C.16!
Total Dollar Value of Contract: 0
Total Cost to County: 0
Current Year Portion: N/A
Budgeted: N/A
Source of Funds: N/A
CPI: N/A
Estimated Ongoing Costs Not Included in above dollar amounts:
Revenue Producing: N/A If yes, amount:
Grant: N/A
County Match: N/A
Insurance Required: N/A
Additional Details:
N/A
REVIEWED BY:
Shannon Weiner Completed 05/26/2021 4:16 PM
Pedro Mercado Completed 05/26/2021 4:53 PM
Purchasing Completed 05/27/2021 9:36 AM
Budget and Finance Completed 05/28/2021 3:20 PM
Maria Slavik Completed 05/28/2021 3:21 PM
Liz Yongue Completed 06/01/2021 10:38 AM
Board of County Commissioners Pending 06/16/2021 9:00 AM
Packet Pg. 519
C.16.a
Memorandum of Agreement
between the
FL Monroe County Emergency Management
and the
05
�
� s
Federal Emergency Management Agency W
Integrated Public Alert and Warning System
(IPAWS) Program Management Office
Regarding the use of: a)
FL Monroe County Emergency Management
Interoperable System(s)
and
IPAWS OPEN Platform for Emergency Networks
(IPAWS-OPEN)
0
2
r-
Version 4.5
20 May 2021
WARNING:This document is FOR OFFICIAL USE ONLY(FOUO). It contains information that may be exempt
from public release under the Freedom of Information Act(5 U.S.C. 552). It is to be controlled,stored,handled,
transmitted,distributed,and disposed of in accordance with DHS policy relating to FOUO information and is not to
be released to the public or other personnel who do not have a valid"need-to-know"without prior approval of the m
FEMA Integrated Public and Warning System and the FEMA Disclosure Offices.
1
V4.5,October 15,2020
Packet Pg. 520
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
Document Change History
m
Version Date Author Description
4.0 06/13/2019 Al Kenyon Updated COG MOA with stakeholders'input
41 1 06/13/2019 Al Kenyon I Delete CISO and CIO signature blocks per CIO =a
Corrected IPAWS Suite 4,Zipcode
4.2 6/20/2019 Gustavo Barbet I Fixed grammatical errors and made minor wording changes throughout
Jr document
4.3 1 9/6/2019 Mark Lucero Changes to Section 3.0 from paragraph to bullet format
----------------------------
4 4 1 Gustavo Barbet
1/31/2020 Jr Updated FEMA CISO POC
4.5 1 Gustavo Barbet et
6/30/2020 Jr Updated FEMA CISO POC
"'-
4.5 Mark Lucero,Al c
10/15/2020 Kenyon,Justin Authority Section,Version History Page,and Footer Updates
Sin er
cv
0
CJ
2
C
0
2
V4.5,October 15,2020
Packet Pg. 521
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
MEMORANDUM OF AGREEMENT
1.0 SUPERSEDES: FL Monroe County Emergency Management-MOA-2 2018-08-07 W
2.0 INTRODUCTION
The purpose of this memorandum is to establish a management agreement between the FL Monroe County
Emergency Management hereinafter referred to as the Collaborative Operating Group(COG),and the Federal
Emergency Management Agency(FEMA)IPAWS Program regarding the utilization and security of FL Monroe <
County Emergency Management Interoperable System(s)(as shown in Appendix A),which interoperate with the
IPAWS-Open Platform for Emergency Networks(IPAWS-OPEN).The expected benefit is to enable information U-
interoperability across emergency response organizations and systems as intended by the FEMA IPAWS Program.
This agreement will govern the relationship between the Collaborative Operating Group and FEMA,including
designated managerial and technical staff and system users associated with the aforementioned COG.As indicated
within the terms of this agreement,both parties agree to allow system interoperability through the use of SOAP over
HTTPS via the public internet.Under this agreement,no direct or networked connection using VPN(or equivalent
technology)between the systems named in Appendix A and IPAWS-OPEN is allowed.In the event a direct
connection is required,an Interconnection Security Agreement must be executed.
3.0 AUTHORITY
cv
This agreement is authorized under the following authorities and regulations:
• Section 706 of 47 U.S.C. 666,The War Powers Act:Provides for Presidential Access to commercial
communications during"a state of public peril or disaster or other national emergency" i
• Public Law 93-288,The Stafford Act. Sec.202.Disaster Warning:Directs FEMA to provide technical
assistance to State and local governments to ensure that timely and effectively disaster warning is provided
• Public Law 114-143,The IPAWS Modernization Act:Enacts to law the policy statement and similar
requirements found in Executive Order 14307
• Sec.202.Disaster Warning:Directs FEMA to provide technical assistance to State and local governments to
ensure that timely and effectively disaster warning is provided
• Executive Order 13407 of June 26,2006,Public Alert and Warning System:Established as policy the
requirement for the United State to have an effective,reliable,integrated,flexible,and comprehensive
system to alert and warn the American people
• 47 CFR Part 10,Wireless Emergency Alert(WEA):Provide for alert and warning to devices on wireless E
carrier networks
• 47 CFR Part 11,Emergency Alert System(EAS):Provide for alert and warning over TV and radio
broadcast 0
c
CJ
4.0 BACKGROUND
C
It is the intent of both parties to this agreement to establish and utilize a standardized web based application interface c
(as defined by the IPAWS-OPEN Web Service Interface Design Guidance)between the information technology(IT) -j
systems shown below to facilitate the exchange of emergency messages within the production environment. The et
testing of the interoperability of these systems has been performed through the use of FEMA's Test and Development
environment to ensure the transference and receipt of emergency messages using approved messaging standards. The
interoperability between these systems is supported by the use of SOAP over HTTPS via the public internet.
5.0 COMMUNICATIONS
Frequent formal communications are essential to ensure the successful management and operation of system
interoperability.Both parties agree to maintain open lines of communication between designated staff(as indicated in E
Appendix B)at both the managerial and technical levels.All communications described herein must be conducted in
writing and may be disseminated by electronic means unless otherwise noted.
3
V4.5,October 15,2020
Packet Pg. 522
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
The owners of the respective systems agree to designate and provide contact information for technical leads for their
respective systems,and to facilitate direct contacts between technical leads to support the management and operation m
of system interoperability.To safeguard the confidentiality,integrity,and availability of the systems and the data they
store,process,and transmit,both parties agree to provide notice of specific events within the timeframes indicated
below: 0)
• Security Incidents:Technical,administrative and/or help desk staff will immediately notify their designated
counterparts by telephone or e-mail when a security incident(s)is detected and/or a violation of the Rules of
Behavior(see Appendix C)has been identified.Both parties agree to make the appropriate technical and
administrative individuals available for all necessary inquiries and/or investigations. Containment and/or
resolution procedures will be documented by the identifying party and after action reports generated and
submitted to the system owner and/or designated security officials within five(5)business days after detection of
the incident(s).
• Disasters and Other Contingencies: The FEMA IPAWS Program Office will notify the COG by telephone,e-
mail or other acceptable means in the event of a disaster or other contingency that disrupts the normal operation
of IPAWS-OPEN.
• System Interconnections: This MOA is intended for systems interoperating with IPAWS-OPEN using SOAP
over HTTPS via the public Internet. If in the future,an interconnection(i.e.dedicated system-to-system
connection)is required to IPAWS-OPEN,this MOA must be updated and an Interconnection Security
Agreement(ISA)must be executed.If a change in status from interoperating to interconnected system is
required,the initiating party will notify the other party at least 3 months before the planned interconnection is to
be in place.
N
• Discontinuation of Use:In the event the use of IPAWS-OPEN is no longer required,the COG agrees to Us
immediately notify,in writing,the FEMA IPAWS Program Office at which time the COGID and associated >
access credentials will be deactivated. et
• Personnel Changes:Both parties agree to provide notification of changes to their respective system owner or 1
technical lead.In addition,both parties will provide notification of any changes in the point of contact
information provided in Appendix B. All relevant personnel changes and changes to contact information must E
be provided within 5 business days of the change.
6.0 TYPE OF INTERCONNECTIVITY
Both parties agree that the COG will utilize only the assigned COGID,associated credentials and digital certificates
provided by the FEMA IPAWS Program Office to support interoperability between the system(s)listed in Appendix
A and IPAWS-OPEN.In addition,all interoperable systems must be configured to interface with IPAWS-OPEN over
the public Internet using only approved web service standards and associated requirements. A listing of approved
web service standards and supporting requirements can be obtained from the IPAWS-OPEN Web Service Interface
Design Guidance document.
In the event,a dedicated connection is required,both parties will agree to negotiate and execute an Interconnection
Security Agreement(ISA)as required per Department of Homeland Security (DHS)policy which must be signed by
all required parties before the interconnection is activated.Proposed changes to either system that affect system
interoperability will be reviewed and evaluated to determine the potential impact.If the proposed changes impact the c
agreed upon terms,the MOA will be renegotiated and executed before changes are implemented.
7.0 SECURITY
To ensure the joint security of the systems and the message data they store,process,and transmit,both parties agree
to adhere to and enforce the Rules of Behavior(as specified in Appendix Q. In addition,both parties agree to the
following:
• Ensure authorized users accessing the interoperable system(s)receive,agree to abide by and sign(electronically
m
or in paper form)the IPAWS-OPEN Rules of Behavior as specified in Appendix C.Each jurisdiction is
responsible for keeping the signed Rules of Behavior on file or stored electronically for each system user.
4
V4.5,October 15,2020
Packet Pg. 523
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
• Utilize FEMA approved PKI certificates to digitally sign messages as they are transported over the public
m
Internet. —
• Certify that its respective system is designed,managed and operated in compliance with all relevant federal laws,
regulations,and policies.
• Document and maintain jurisdictional and/or system specific security policies and procedures and produce such
documentation in response to official inquiries and/or requests.
• Provide physical security and system environmental safeguards for devices supporting system interoperability
with IPAWS-OPEN.
• Ensure physical and logical access to the respective systems as well as knowledge of the COGID and associated
access criteria are only granted to properly vetted and approved entities or individuals.
U_
• Where applicable,ensure that only individuals who have successfully completed FEMA-required training can
utilize the interoperable systems to issue alerts and warnings intended for distribution to the public.
• Where applicable,document and maintain records of successful completion of FEMA-required training and
produce such documentation in response to official inquiries and/or requests. 0
8.0 PROFICIENCY DEMONSTRATION
Once enabled,each COG operating under this agreement must demonstrate their ability to compose and send a
message through the IPAWS-OPEN system at regular intervals. Such demonstration must be performed on a monthly
basis through generation of a message successfully sent through the IPAWS-OPEN Training and Demonstration
environment.
9.0 ASSOCIATED SOFTWARE REQUIREMENTS
The COG will need to select a software package which will allow the COG to properly populate a Common Alerting �.
Protocol(CAP)message which complies with both the OASIS Common Alerting Protocol Version 1.2 and the OASIS
Common Alerting Protocol, v. 1.2 USA Integrated Public Alert and Warning Svstem Profile Version 1.0.With respect E
m
to the software and the software vendor selected FEMA expects the selected software to provide the following
minimum critical capabilities and services:
• Permissions:
o The ability to assign and manage user permissions;and
o The ability to retrieve and view IPAWS Alerting Permissions
• Proficiency: LU
o The provision of vendor support,to include user training,and around the clock technical support;
and c
U
o The ability to submit both live and test digital certificates,with clear,easily identifiable information m
2
that indicates the environment to which the software is pointed(Live or Test) r_
0
• User Interface:
o The provision of an intuitive user interface,to include help menus; and
o The ability to notify the user of digital certificate expiration; and
o The ability to constrain event types and geocodes to user permissions; and U)
o The ability to send one alert to multiple channels; and
ei.
o The provision of displays that show required fields based on selected channel; and
o The ability to pre-populate fields to the greatest extent possible; and
o The ability to support templates; and
o The ability to create a polygon or circle,of less than 100 nodes; and
5
V4.5,October 15,2020
Packet Pg. 524
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
o The ability to update or cancel an alert,without having to reenter all of the data; and
m
o The ability to alert the end user if a software license has expired; and
o Clear explanations if alert information is case sensitive when entered U
• Confirmation and Error Checking: as
o The ability to pre-check an alert message for errors,prior to sending; and E
o The ability to create free-form 90-character WEA text,while preventing prohibited characters; and
o The provision to IPAWS of alert status codes for any sent alert,with a clear definition of whether
the codes are advice codes or error codes,along with the meaning of those codes; and
o The provision of user confirmation of connectivity to IPAWS; and
o The ability for users to see alert history and/or logs
10.0 COST CONSIDERATIONS
E
This agreement does not authorize financial expenditures by the COG on behalf of FEMA.The FEMA IPAWS
Program is responsible for the costs associated with developing,operating and maintaining the availability of the
IPAWS-OPEN system. The COG is responsible for all costs related to providing their users with access to IPAWS- 4-
OPEN via the public Internet. These costs may include hardware,software,monthly Internet charges,completion of c
security awareness training and other related jurisdictional costs.
11.0 PROPERTY OWNERSHIP
Each Party agrees and acknowledges that nothing in this Agreement shall be construed as giving a party any
proprietary rights in or to the intellectual property of the other party. Each Party further agrees that nothing in this
Agreement shall be construed as creating or granting to a party any implied or express license in or to the intellectual
property of the other party.
12.0 TIMELINE
This agreement will remain in effect based on the life of the Authority to Operate(ATO)for IPAWS-OPEN or a m
maximum of three(3)years after the last date on either signature in the signature block below.Upon expiration of the
IPAWS-OPEN ATO or after three(3)years(whichever comes first),this agreement will expire without further action
and system access privileges will be revoked.If the parties wish to extend this agreement,they may do so by
reviewing,updating,and reauthorizing this agreement.This agreement supersedes all earlier agreements,which
should be referenced above by title and date.If one or both of the parties wish to terminate this agreement
prematurely,they may do so upon 30 days'advanced notice or in the event of a security incident that necessitates an
immediate response.This agreement may be suspended by FEMA for failure to perform the Proficiency m
Demonstration for two consecutive months.A suspended COG may be reinstated upon a completion of a successful W
Proficiency Demonstration.
0
CJ
2
r_
0
6
V4.5,October 15,2020
Packet Pg. 525
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
SIGNATORY AUTHORITY
I agree to the terms of this Memorandum of Agreement.Noncompliance on the part of either organization or its users ,-
or contractors concerning the policies,standards,and procedures explained herein may result in the immediate c
termination of this agreement.
FL Monroe County Emergency Management Official Federal Emergency Management Agency cv
Name: Shannon Weiner IPAWS-OPEN System Owner
Title: Emergency Management Director Name:Mark A.Lucero
Title: Chief,IPAWS Engineering
(Signature Date) (Signature Date)
FL Monroe County Emergency Management Attn:IPAWS-OPEN System Owner,Suite 5NW-0309 0)
490 63rd St Suite 150 Federal Emergency Management Agency uo
Marathon, FL, 33050 500 C Street SW
Washington,D.C.20472-3153 0
U
2
C
0
7
V4.5,October 15,2020
Packet Pg. 526
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
Appendix A -
Listing of Interoperable Systems
The FEMA IPAWS Program recognizes that Emergency Management organizations may utilize multiple tools to
facilitate the emergency management process.As a result,jurisdictions may need to interoperate with IPAWS-OPEN °'
using more than one system. In order to comply with DHS policy,all systems interoperating with IPAWS-OPEN Lu
must be documented and supported by a Memorandum of Agreement.As a result this appendix must be completed to
identify all systems associated with the COG and used for interoperating with IPAWS-OPEN. This Appendix must =�
be amended as applicable systems are added or removed from operations.
• IPAWS-OPEN
LU
IPAWS-OPEN is the backbone system that structures the alert and distributes the
Function: message from one interoperating and/or interconnected system(message sender)to
another interoperating and/or interconnected system(message recipient).
e(
Location: Bluemont,VA; Clarksville,VA
4-
0
Description of data, Messaging data is considered Sensitive But Unclassified(SBU)information and does
including sensitivity or not contain Personally Identifiable Information(PII),Financial data,Law
classification level: Enforcement Sensitive Information or classified information.Each message that
flows through the IPAWS-OPEN system will be associated to a specifically assigned
system User ID and COGID as captured within the message elements.This N
information will be retained in system logs. to
The systems listed below are managed and operated by the COG and are subject to the terms defined within the i
Memorandum of Agreement including the Rules of Behavior in Appendix C. Each interoperable system will be
assigned unique authentication credentials,which must be protected by the COG. In the event these credentials are 03
compromised,the COG is expected to immediately contact the FEMA IPAWS Program Management Office. The m
systems listed below are only allowed to interoperate with IPAWS-OPEN based on the criteria set forth within the
IPAWS-OPEN Web Service Interface Design Guidance.
• Everbridge
Everbridge MN provides critical information to residents during emergencies by
Function: sending public alerts for major events for disseminations to E
WEA/CMAS,EAS,NWEM and Public Feed.
Location: Burbank,CA;Denver,CO;Amazon Web Services,US;
Description of data, Data is comprised of emergency public alert messages.
including sensitivity or UNCLASSIFIED
classification level: c
8
V4.5,October 15,2020
Packet Pg. 527
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
Appendix B -
COG Point of Contact Information
Designated COG Primary Point of Contact:
Name: Mary Napoli
Title: Senior Planner
Business Email Address: napoli-mary@monroecounty-fl.gov
Primary Phone Number: 305-289-6019
Alternate Phone Number:
Organization: Monroe County Emergency Management
Mailing Address: 490 63rd Street Ocean, Suite 150, Marathon, FL, 33050
Designated Alternate Point of Contact: �--
cv
Name: Matt Massoud
Title: Senior Planner
Business Email Address: massoud-matt@monroecounty-fl.gov
Primary Phone Number: 305-289-6018
Alternate Phone Number:
Organization: Monroe County Emergency Management
Mailing Address: 490 63rd St. Ocean, Suite 150, Marathon, FL, 33050
Designated Technical Point of Contact:
Name: Mary Napoli
0
Title: Senior Planner
0
Business Email Address: napoli-mary@monroecounty-fl.gov
Primary Phone Number: 305-289-6019
Alternate Phone Number:
Organization: Monroe County Emergency Management
Mailing Address:490 63rd Street Ocean, Suite 150, Marathon, FL, 33050
9
V4.5,October 15,2020
Packet Pg. 528
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
FEMA: Integrated Public Alert and Warning System
Open Platform for Emergency Networks (IPAWS-OPEN)
Contact Summary of System
Contact Name Number Email Address Responsibilities
Chief Information Officer
Lytwaive Hutchinson 202-212-2480 lytwaive.hutchinson@fema.dhs.gov FEMA
nthia Sutherland 202-710-5329 c nthia.sutherland@fema.dhs. ov Chief Information Security
C
Y Y g Officer
Mark Lucero 202-646-1386 mark.lucero@fcma.dhs.gov System Owner
Gary Ham 703-899-6241 gary.ham@associates.fema.dhs.gov FEMA PMO - IPAWS-
OPEN
0
FEMA ISSO - IPAWS- r
Gustavo Barbet 202-212-3586 gustavo.barbet@associates.fema.dhs.gov OPEN
Neil Bourgeois 703-732-6331 neil.bourgeois@ FEMA-EADIS IPAWS-
associates.fema.dhs.gov OPEN Tech Lead NA
>
LU
0
2
C
0
10
V4.5,October 15,2020
Packet Pg. 529
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
Appendix C _
IPAWS-OPEN Rules of Behavior
1.0 INTRODUCTION
The following rules of behavior apply to all persons with application access to FL Monroe County Emergency
Management Interoperable System(s)and/or who have been issued a COGID with associated credentials for IPAWS-
OPEN. These individuals shall be held accountable for their actions related to the information resources entrusted to =�
them and must comply with the following rules or risk losing their access privileges.The Rules of Behavior apply to
users on official travel as well as at their primary workplace(e.g.,Emergency Operations Center—EOC)and at any
alternative workplace(e.g.,telecommuting from a remote or satellite site)using any electronic device including
laptop computers and portable electronic devices(PED's). PED's include personal digital assistants(PDA's)(e.g. w
Palm Pilots),cell phones,text messaging systems(e.g.,Blackberry),and plug-in and wireless peripherals that employ u_
removable media(e.g. CDs,DVDs,etc.).PEDs also encompass USB flash memory(thumb)drives,external drives,
and diskettes. These Rules of Behavior are consistent with existing DHS policies and DHS Information Technology
(IT) Security directives and are intended to enhance the awareness of each user's responsibilities regarding accessing,
storing,receiving and/or transmitting information using IPAWS-OPEN. 0
2.0 APPLICATION RULES c
2.1 Official Use
• IPAWS-OPEN is a Federal application to be used only in the performance of the user's official duties in �--
support of public safety as described in the National Incident Management System(NIMS). N
• The use of the IPAWS-OPEN for unauthorized activities is prohibited and could result in verbal or written >
warning,loss of access rights,and/or criminal or civil prosecution.
2
• By utilizing IPAWS-OPEN,the user of the interoperable system(s)consents to allow system monitoring to
ensure appropriate usage for public safety is being observed.
• FL Monroe County Emergency Management will be held accountable for safeguarding all configuration m
items and information entrusted to them by FEMA. FL Monroe County Emergency Management is
expected to manage the relationship with supporting vendors,consultants and any other entities providing
system support on their behalf. In addition,FL Monroe County Emergency Management will be held U
accountable in the event of a security breach or disclosure of sensitive configuration information such as
digital certificates. FL Monroe County Emergency Management understands that the use of digital
signatures,used on their behalf,is binding and FL Monroe County Emergency Management will be held E
accountable accordingly. In the event sensitive information is mishandled,utilization of IPAWS-OPEN
may be immediately revoked by FEMA.
0
• If software interoperating with IPAWS-OPEN enables users to geo-target public alert messages by means
of geospatial polygons or circles,then the user shall restrict any such geospatial boundaries so as to remain
within the geographical limits of their public warning authority(or as near as possible),as determined by c
applicable state and/or local laws and duly adopted operational plans.
�
2.2 Access Security
• All Email addresses provided in connection with interoperable system(s)user accounts must be associated
to an approved email account assigned by the user's emergency management organization.The use of
personal email accounts to support emergency messaging through IPAWS-OPEN is prohibited.
• Upon approval of the MOA by FEMA,a COG account with COGID and Digital Certificate will be created
and issued to the designated technical representative. All individuals with knowledge of these credentials E
must not share or alter these authentication mechanisms without explicit approval from the FEMA IPAWS
11
V4.5,October 15,2020
Packet Pg. 530
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
Program.
• Every interoperable system user is responsible for remote access security as it relates to their use of
IPAWS-OPEN and shall abide by these Rules of Behavior.
2.3 Interoperable System User Accounts and Passwords
E
• All users must have a discrete user account ID which cannot be the user's social security number.To
protect against unauthorized access,passwords linked to the user ID are used to identify and authenticate
authorized users.
• Accounts and passwords shall not be transferred or shared. The sharing of both a user ID and associated
password with anyone(including administrators)is prohibited.
• Accounts and passwords shall be protected from disclosure and writing passwords down or electronically
storing them on a medium that is accessible by others is prohibited.
• The selection of passwords must be complex and shall:
o Be at least eight characters in length
o Contain a combination of alphabetic,numeric and special characters
o Not the same as any of the user's previous 8 passwords.
• Passwords shall not contain any dictionary word. N
• Passwords shall not contain any proper noun or the name of any person,pet,child,or fictional character. >
Passwords shall not contain any employee serial number, Social Security number,birth date,phone
number,or any information that could be readily guessed about the creator of the password.
• Passwords shall not contain any simple pattern of letters or numbers,such as"qwerty"or"xyz123".
E
• Passwords shall not be any word,noun,or name spelled backwards or with a single digit appended,or with m
a two-digit"year"string,such as 98xyz l23.
• Pass phrases,if used in addition to or instead of passwords,should follow the same guidelines.
• Passwords shall not be the same as the User ID.
• Users shall either log off or lock their workstations when unattended.
• Workstations shall be configured to either log off,or activate a password-protected lock,or password-
protected screensaver within fifteen(15)minutes of user inactivity. 0
U
• Locked sessions shall remain locked until the user re-authenticates.
2
C
0
• Workstations shall be protected from theft.
• A user's account shall be automatically locked after three consecutive failed logon attempts.
• The automatic lockout period for accounts locked due to failed login attempts shall be set for a minimum of
twenty(20)minutes. U)
• A process shall exist for manually unlocking accounts prior to the expiration of the twenty (20)minute
period, after sufficient user identification is established.
• Sessions shall automatically be terminated after sixty (60)minutes of inactivity.
12
V4.5,October 15,2020
Packet Pg. 531
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
• Users are required to change their passwords at least once every 90 days.
• Passwords must be promptly changed whenever a compromise of a password is known or suspected.
2.4 Integrity Controls&Data Protection
• All computer workstations accessing IPAWS-OPEN must be protected by up-to-date anti-virus software.
Virus scans must be performed on a periodic basis and when notified by the anti-virus software.
• Users accessing interoperable system(s)to utilize IPAWS-OPEN must:
o Physically protect computing devices such as laptops,PEDs,blackberry devices,smartphones,etc;
o Protect sensitive data sent to or received from IPAWS-OPEN;
o Not use peer-to-peer(P2P)file sharing,which can provide a mechanism for the spreading of
viruses and put sensitive information at risk;
o Not program computing devices with automatic sign-on sequences,passwords or access
credentials when utilizing IPAWS-OPEN.
0
Users may not provide personal or official IPAWS-OPEN information solicited by e-mail. If e-mail messages are
received from any source requesting personal information or asking to verify accounts or other authentication
credentials,immediately report this and provide the questionable e-mail to the Local System Administrator and/or the
FL Monroe County Emergency Management Help Desk. �--
cv
• Only devices officially issued through or approved by DHS,FEMA and/or approved emergency 'n
management organizations are authorized for use to interoperate with IPAWS-OPEN and use of personal >
devices to access and/or store IPAWS-OPEN data and information is prohibited.
2
• If a Blackberry,smartphone or other PED is used to access the interoperable system(s)to utilize IPAWS-
OPEN,the device must be password protected and configured to timeout or lock after 10 minutes of
inactivity.
• If sensitive information is processed,stored,or transmitted on wireless devices,it must be encrypted using
approved encryption methods.
2.5 System Access Agreement
• I understand that I am given access to the interoperable system(s)and IPAWS-OPEN to perform my
official duties. E
• I will not attempt to access data,information or applications I am not authorized to access nor bypass
access control measures. 0
c
• I will not provide or knowingly allow other individuals to use my account credentials to access the W
interoperable system(s)and IPAWS-OPEN. C
2
• To prevent and deter others from gaining unauthorized access to sensitive resources,I will log off or lock
my computer workstation or will use a password-protected screensaver whenever I step away from my
work area,even for a short time and I will log off when I leave for the day.
2
• To prevent others from obtaining my password via"shoulder surfing",I will shield my keyboard from view
as I enter my password.
ei.
• I will not engage in,encourage,or conceal any hacking or cracking,denial of service,unauthorized
tampering,or unauthorized attempted use of(or deliberate disruption of)any data or component within the 0)
interoperable system(s)and IPAWS-OPEN.
13
V4.5,October 15,2020
Packet Pg. 532
C.16.a
FOR OFFICIAL USE ONLY//CONTROLLED UNCLASSIFIED INFORMATION
• I agree to inform my Local System Administrator when access to the interoperable system(s)and/or
IPAWS-OPEN is no longer required. m
• I agree that I have completed Computer Security Awareness training as may be required by my jurisdiction
prior to my initial access to the interoperable system(s)and IPAWS-OPEN and that as long as I have
continued access,I will complete Computer Security Awareness training on an annual basis.If my
jurisdiction does not provide Computer Security Awareness training,I will complete the FEMA self-study E
course IS-906: Workplace Security Awareness(https://training.fema.gov/is/courseoverview.aspx?code=IS-
906)on an annual basis.
2.6 Accountability
• I understand that I have no expectation of privacy while using any services or programs interoperating with
IPAWS-OPEN. LLJ
• I understand that I will be held accountable for my actions while accessing and using interoperable =
system(s)and IPAWS-OPEN,including any other connected systems and IT resources. ?:
• I understand it is my responsibility to protect sensitive information from disclosure to unauthorized persons
or groups.
• I understand that I must comply with all software copyrights and licenses pertaining to the use of IPAWS-
OPEN.
2.7 Incident Reporting
cv
• I will promptly report IT security incidents,or any incidents of suspected fraud,waste or misuse of systems
to the Local System Administrator and/or the FL Monroe County Emergency Management Help Desk.
3.0 IPAWS-OPEN Rules of Behavior Statement of Acknowledgement i
I have read and agree to comply with the requirements of these Rules of Behavior.I understand that the terms of this
agreement are a condition of my initial and continued access to FL Monroe County Emergency Management E
Interoperable System(s)and IPA WS-OPEN and related services and that if I fail to abide by the terms of these Rules
of Behavior, my access to any and all IPA WS-OPEN information systems may be terminated and I may be subject to
criminal or civil prosecution.I have read and presently understand the above conditions and restrictions concerning
my access.
Printed Name(as listed in Appendix B):
m
Signature: Date:
0
m
2
r-
0
14
V4.5,October 15,2020
Packet Pg. 533