Agency C&A Process Stakeholder Quarterly Training Presented by _______________ Date
Page 2 Logistics
Participants will receive three (3) hours of credit for this training. Please ____________ and indicate “C&A Stakeholder Training” in the subject line of the e-mail so you can receive credit.
Page 3 Agency C&A Process - Stakeholder Training: Table of Contents
- What is C&A and Why Bother with It?
- NIST-Compliant C&A Process & Risk Management Framework
- C&A Approach in Seven Phases
- Agency Environment
- Background
- Key Stakeholders
- C&A Team Roles and Responsibilities
- WinZip Procedures
- C&A Process Timeline & ELC Milestone Guidance
- Stakeholders C&A Working/Validation Agenda
- Boundary/Scope Meeting
- Working Sessions
- NIST SP Controls
- Validation Sessions
- Security Test & Evaluation (ST&E)
- Test Training & Exercise (TT&E)
- Security Assessment Report (SAR)
- Risk Overview and Stakeholder Outbrief Sessions
- Critical Success Factors
Page 4 Agency C&A Process - Stakeholder Training: Certification & Accreditation (C&A)
What is Certification and Accreditation?
- Certification is the “comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” (FIPS 200)
- Accreditation is “the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.” (FIPS 200)
Page 5 Agency C&A Process - Stakeholder Training: Certification & Accreditation (C&A) (continued)
Why bother with Certification and Accreditation?
- It’s the LAW: Title III of Public Law, commonly known as the Federal Information Security Management Act (FISMA) of 2002, mandates “assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information and information systems”
- Federal Information Processing Standards Publication (FIPS) 199 mandates Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200 mandates Minimum Security Requirements for Federal Information and Information Systems
- It is a systemic way to identify risks which should be mitigated or resolved
- To proactively protect the Agency from attacks and threats!!!
Page 6 Agency C&A Process - Stakeholder Training: The Agency NIST-Compliant C&A Process
- The Agency has established a standardized Certification & Accreditation Process
- The process is aligned with guidance provided by the National Institute of Standards and Technology (NIST) and OMB
- It has been fully vetted by the business units through the business unit security PMOs
- It is robust and comprehensive
- It is a risk-based approach
- The process is solid and defensible, produces documentation, and includes comprehensive testing and reporting
Page 7 Agency C&A Process - Stakeholder Training: The Agency C&A Process follows the NIST Risk Management Framework
- Security Categorization (FIPS 199 / SP): Defines the category of the information system according to the potential impact of loss
- Security Control Selection (SP / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
- Security Control Refinement (SP / FIPS 200 / SP): Uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements
- Security Control Documentation (SP): In the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
- Security Control Implementation (SP): Implements security controls in new or legacy information systems; implements security configuration checklists
- Security Control Assessment (SP A / SP): Determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements
- System Authorization (SP): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
- Security Control Monitoring (SP): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness
Page 8 Agency C&A Process - Stakeholder Training: The Agency C&A Approach Consists of 7 Phases
- Phase 1: Preparation
- Phase 2: Draft SSP, PIA, ITCP Documents
- Phase 3: Finalize SSP, PIA, ITCP Documents
- Phase 4: Develop ST&E Plan
- Phase 5: Execute ST&E Plan
- Phase 6: Assess Risk and Finalize C&A Package
- Phase 7: Maintenance and Monitoring
Page 9 Agency C&A Process - Stakeholder Training: Agency Environment
Definitions Associated with Agency Information Systems
General Support System (GSS) – the infrastructure the application resides on
- An interconnected set of information resources under the same direct management control that shares common functionality, which normally includes hardware, software, information, data, components, communications, and people
Application (General)
- “A self-contained program that performs a well-defined set of tasks under user control, as opposed to a system program”
- “An application program (sometimes shortened to application) is any program designed to perform a specific function directly for the user or, in some cases, for another application program”
- Applications process data
Application types
- Major Application: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection; certain applications, because of the information in them, however, require special management oversight and should be treated as major applications; adequate security for other applications should be provided by the security of the systems in which they operate
- Minor Application: An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application
Page 10 Agency C&A Process - Stakeholder Training: Agency Environment
Security Categorization Definitions (potential impact):
- Low – the loss of confidentiality, integrity, or availability could be expected to have a LIMITED adverse effect on organizational operations, organizational assets, or individuals
- Moderate – the loss of confidentiality, integrity, or availability could be expected to have a SERIOUS adverse effect on organizational operations, organizational assets, or individuals
- High – the loss of confidentiality, integrity, or availability could be expected to have a SEVERE or CATASTROPHIC adverse effect on organizational operations, organizational assets, or individuals
Page 11 Agency C&A Process - Stakeholder Training: Agency Environment
Security Controls provide:
- Protection of information systems that support the operations and assets of the organization, to ensure the organization can:
  – Accomplish its assigned mission
  – Protect its assets and PII data
  – Fulfill legal responsibilities
  – Maintain day-to-day operations
  – Protect individuals
- They provide safeguards for people, systems, and applications throughout the organization
- NIST SP and FIPS 199 mandate that agencies define the category of information systems according to the potential risk impact level
Page 12 Agency C&A Process - Stakeholder Training: Agency Environment
Security Framework for Agency Applications, Systems, & Organization (NIST SP Controls)
- Security controls are an integral part of Agency applications, components, systems, and environment
- Organizational and Physical/Environmental and Media Protection controls support the foundation provided by Agency policies and procedures
- GSS/BU controls apply to applications and systems
- Application controls are specific to each application
The three layers of controls:
- Application controls: System Integrity; Access Controls; Database Controls; Auditing of Application Users; Transactions
- GSS/BU controls: Access Controls to OS; Remote Access; Database Controls; Backup and Recovery; Auditing of GSS Users
- Organizational and PE/MP controls: Security Policies; Personnel Security; Physical and Environmental Security; Training and Awareness (portions); Incident Response (portions); Media Protection
Page 13 Agency C&A Process - Stakeholder Training: Background
The C&A Process is led by the C&A Team. The C&A Team is divided into two sub-teams: a documentation team and an ST&E team. The documentation team performs the following:
- Comprehensive analysis of existing and developmental security controls and application/system components
- Develop and conduct an exercise of the Information Technology Contingency Plan (ITCP) through team collaboration
- Facilitation of testing, training, and exercises of equipment, systems, and applications to ensure Agency personnel understand the IT regulations and procedures
Scheduling:
- MS Project is used to plan, monitor, and track the performance of the C&A process. A project plan is built based on the C&A timeline for each application and system.
- The schedule and timeline have recently been updated to reflect lessons learned from the C&A process conducted on prior applications and systems
- All applications/systems going through the C&A process will have their own MS Project schedule
- The standard process takes 126 business days for applications (Draft-Proposal)
- The process takes 140 business days for systems (Draft-Proposal)
- Schedules may vary slightly due to the following: categorization or complexity of the application/GSS; prior or partial C&As performed, including changes made to the application; specific requests made by the Business Owner
Page 14 Agency C&A Process - Stakeholder Training: Key Stakeholders
Key Application/System Stakeholders – Agency essential staff that represent applications/systems:
- Security Engineering POC – Responsible for application/system security; reports to the Business Unit (BU)
- Application/System POC – Represents the application/system as primary POC for the Designated Approving Authority (DAA)
- Security PMO – Oversees the application/system for the DAA
- Developer – Develops and provides ongoing support for the application/system
- Database Administrator (DBA) – Performs maintenance and administration of the database
- System Administrator (SA) – Administers and maintains the system on an ongoing basis
- Functional Tester/Non-Functional Tester – Manages the application/system test(s)
- Configuration Management POC – Possesses extensive knowledge of the application/system for configuration management
- Business Unit Security PMO – Guides and oversees application/system security for the DAA
Page 15 Agency C&A Process - Stakeholder Training: C&A Team Roles & Responsibilities
- C&A Documentation Program Manager: Manages the application throughout the entire process; provides guidance and authority on application/system decisions
- C&A Documentation Team Lead: Serves as primary liaison between the application/system team and internal C&A Documentation personnel and third-party support personnel (contractor); leads scoping sessions, working sessions, and security categorization; sends out meeting minutes (recaps); coordinates development and release of deliverables; provides updates to the master schedule; schedules ST&E Plan collaboration meetings
- SSP POC: Develops SSP, ST&E Plan, SAR, e-Authentication RA
- PIA POC: Conducts and develops PIA, Appendix of SSP
- E-authentication POC: Conducts and develops e-AUTH RA, Appendix of SSP
Page 16 Agency C&A Process - Stakeholder Training: C&A Team Roles & Responsibilities (continued)
- ITCP, BIA, and TT&E Lead: Develops and writes the ITCP and BIA; gathers data through application/system personnel interviews, demonstrations, and discussion, and acquisition of IT process/procedure information including all aspects of application/system failure, recovery, and reconstitution; facilitates ITCP training and tabletop exercise with Agency essential personnel; documents results in an after action report (AAR) and works with the team to ensure information gathered and lessons learned from the exercise are implemented
- Test team: Leads and supports the application/system ST&E; attends TT&E as an observer
- Certification Program Office (CPO): Provides program leadership; provides C&A process oversight; provides scheduling and logistics support; performs Stakeholder, Certifier and DAA outbriefs; primary lead for all C&A activities
Page 17 Agency C&A Process - Stakeholder Training: WinZip Procedures
Transmission of Data – WinZip 9.0
Issue: Due to the sensitivity of the data, information such as IP addresses, network diagrams, etc., should not be sent directly between the Agency network and the C&A Documentation team’s network.
Solution: WinZip 9.0 has been approved by the client as a secure way to encrypt attachments. Ensure that the BU POC has WinZip 9.0, since both the sending and receiving ends must use this version to encrypt and decrypt attachments.
Sending Information: All e-mailed information should go through the BU POC. The BU POC will ensure that all information is encrypted and sent securely to the client inside the Agency network. (See next slides for how-to instructions.)
Receiving Information: All e-mailed information should go through the BU POC. The BU POC will ensure that all information is encrypted and sent securely to the team outside of the Agency network. (See next slides for how-to instructions.)
Page 18 Agency C&A Process - Stakeholder Training: WinZip Procedures
Encrypting with WinZip 9.0:
1) Zip the file(s)
2) When the zip prompt appears, select “Encrypt added files”
3) Use the 256-bit AES Encryption option when encrypting
4) Input the password (note: use the standard team password)
5) Once the files are successfully zipped and encrypted, change the file extension from “.zip” to “.change”. If the .zip extension remains, the firewall will often strip the attachment for various reasons
6) When sending the e-mail, ensure that “recompress file” is unchecked; the option is located in the lower left corner when attaching files in Microsoft Outlook
Page 19 Agency C&A Process - Stakeholder Training: WinZip Procedures
Decrypting with WinZip 9.0 – instructions to open the attachment are as follows:
1) Ensure the WinZip version is 9.0
2) Save the file (e.g., to My Documents)
3) Change the extension to '.zip'
4) Open the zip file
5) Insert the password
6) Open the document contained in the zip file
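The two slides above rely on the recipient trusting that an attachment really was encrypted the way the procedure requires (256-bit AES, not WinZip's older password-only "ZipCrypto" scheme and not an unencrypted archive). The following Python script is an added example, not part of the deck or of WinZip: it restores the '.change' extension and then inspects only the zip central directory, before anything is decrypted, to report per entry whether it is plaintext, ZipCrypto, or AES and at what key size. The format details it relies on (compression method 99 and the 0x9901 "AE-x" extra field carrying a strength byte, 3 = AES-256) come from WinZip's published AES encryption specification, not from the slides. The three sample archives are constructed in the script with placeholder payload bytes so it runs offline; a real attachment would be read from disk with the same checker.

```python
import io
import struct
import zipfile
import zlib

WINZIP_AES_EXTRA_ID = 0x9901   # header id of the WinZip AES extra field
AES_METHOD = 99                # compression method WinZip uses to flag AES entries
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def build_test_zip(name, payload, method, flags, extra):
    """Assemble a minimal single-entry zip (local header, central directory, EOCD).
    Used only to construct sample attachments for the checker; payload bytes are
    placeholders, not real ciphertext."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name_b = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(payload), len(payload), len(name_b), len(extra))
    local += name_b + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, 0, crc, len(payload), len(payload), len(name_b),
                          len(extra), 0, 0, 0, 0, 0)
    central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def parse_aes_extra(extra):
    """Walk the extra-field list; return the AES strength if a 0x9901 record is present."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == WINZIP_AES_EXTRA_ID and size >= 7:
            _version, vendor, strength, _method = struct.unpack_from("<H2sBH", extra, pos + 4)
            if vendor == b"AE":
                return AES_STRENGTH.get(strength, "unknown")
        pos += 4 + size
    return None


def classify_attachment(zip_bytes):
    """Return one status per entry: 'plaintext', 'zipcrypto', or 'AES-128/192/256'.
    Only central-directory metadata is read; nothing is decrypted or extracted."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            aes = parse_aes_extra(info.extra)
            if not encrypted:
                result[info.filename] = "plaintext"
            elif info.compress_type == AES_METHOD and aes:
                result[info.filename] = aes
            else:
                result[info.filename] = "zipcrypto"
    return result


def meets_procedure(zip_bytes):
    """True only when every entry is AES-256, as the encryption slide requires."""
    return all(status == "AES-256" for status in classify_attachment(zip_bytes).values())


def restore_extension(filename):
    """Undo the '.zip' -> '.change' renaming (decrypt step 3)."""
    if filename.endswith(".change"):
        return filename[: -len(".change")] + ".zip"
    return filename


# Constructed samples. The AES extra field below says: vendor version 2, vendor "AE",
# strength 3 (256-bit), underlying method 8 (deflate).
AES_EXTRA_256 = struct.pack("<HHH2sBH", WINZIP_AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
AES_EXTRA_128 = struct.pack("<HHH2sBH", WINZIP_AES_EXTRA_ID, 7, 2, b"AE", 1, 8)
SAMPLE_AES256 = build_test_zip("diagram.vsd", b"\x00" * 32, AES_METHOD, 0x1, AES_EXTRA_256)
SAMPLE_AES128 = build_test_zip("diagram.vsd", b"\x00" * 32, AES_METHOD, 0x1, AES_EXTRA_128)
SAMPLE_ZIPCRYPTO = build_test_zip("diagram.vsd", b"\x00" * 32, 0, 0x1, b"")
SAMPLE_PLAINTEXT = build_test_zip("diagram.vsd", b"not encrypted", 0, 0x0, b"")

if __name__ == "__main__":
    for label, sample in [("aes256", SAMPLE_AES256), ("aes128", SAMPLE_AES128),
                          ("zipcrypto", SAMPLE_ZIPCRYPTO), ("plaintext", SAMPLE_PLAINTEXT)]:
        print(label, classify_attachment(sample), "ok" if meets_procedure(sample) else "REJECT")
    print(restore_extension("BU-AppName_SSP_v0.1.change"))
```

Because the checker never opens the entries, it can be run on a quarantined attachment before the password is entered; an archive that fails meets_procedure should go back to the sender rather than be opened.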
Page 20 Agency C&A Process - Stakeholder Training: Process Timeline
- The C&A Process performed on applications and systems is divided into phases and deliverables
- Application and system deliverables are broken down further into concrete activities and tasks in the Microsoft Project schedule
Page 21 Agency C&A Process - Stakeholder Training: C&A ELC Milestone Requirements
The C&A Customer Liaison Team (CLT) (within the Agency’s Security Organization) provides formal guidance and stakeholder education related to the Certification & Accreditation deliverables by Enterprise Lifecycle (ELC) Milestones (MS). Below is a list of Certification & Accreditation (C&A) deliverables as required by the Agency’s Security Organization. These deliverables build beginning in Milestone 1. A presentation describing deliverables by Milestone is available from the CLT.
– Boundary/Scope Memo (BSM)
– System Security Plan (SSP)
– Privacy Impact Assessment (PIA)
– Information Tech Contingency Plan (ITCP)
– Security Test & Evaluation Plan (ST&E)
– Security Risk Assessment (SRA) (IT Security Engineering will produce)
– Interconnection Security Agreement (ISA)
– Security Assessment Report (SAR) – produced after the completion of the ST&E
Page 22 Agency C&A Process - Stakeholder Training: Boundary/Scope Meeting
Boundary/Scope: Table of Contents
- Overview
- Conduct Boundary/Scope Meeting
Page 23 Agency C&A Process - Stakeholder Training: Boundary/Scope: Overview
Purpose: The purpose of the Boundary/Scope Meeting is to establish the scope of the application/system’s C&A review, confirm execution logistics, discuss the system’s functionality and purpose, and identify all Stakeholders and C&A Team members.
Participants:
- C&A Team: PM and/or Team Lead (Documentation, Tester, Privacy & Engineering); SSP/ITCP/PIA Points of Contact (POCs)
- Stakeholders: Business Unit Representatives; Application POC; Developers; System Administrators; DAA POC and/or BU POC
Scheduling: One hour is typically dedicated to the Boundary/Scope Meeting
Page 24 Agency C&A Process - Stakeholder Training: Boundary/Scope: Conduct Boundary/Scope Meeting
The following activities will occur at the Boundary/Scope Meeting:
- Identify participants
- Discuss the purpose of the meeting
- Walk through the BSM
- Validate the application name, Business Unit (BU), and BU and DAA POCs
- Determine production and development environments and the location of the system’s developers
- Discuss the appropriate location to conduct the working session
- Review proposed C&A milestones and deliverables, determine black out dates, and establish if there is a hard deadline for completing the C&A
- Verify and collect additional system information (i.e. system description, modules, and components)
- Identify or confirm changes to the system
- Identify all supporting General Support Systems (GSSs)
- Discuss the system’s scope and security categorization
- Review POCs to obtain additional information
- Identify any black out dates
- Identify the production deployment date & when the system will be available for testing
- Walk through the working/validation agenda to identify folks to attend
Page 25 Agency C&A Process - Stakeholder Training: Boundary/Scope: Conduct Boundary/Scope Meeting
The following activities will take place at the Boundary/Scope Meeting (continued):
- Walk through the Working/Validation Agenda and obtain updates to the POCs who should attend each of the sessions
- Discuss the Document Request List: ensure stakeholders send the C&A Team all existing system documentation to prepare for the working session. Examples of typical documents existing for the system/application: System Security Plan (SSP); Information Technology Contingency Plan (ITCP); Technical Contingency Planning Document (TCPD); Risk Assessment; Installation Guides; User Manuals; Design Documents; Approved Deviation Requests
- Discuss the Document Tracker: the document tracker will be used to record all documentation that has been received by the C&A Team
- Discuss the use of the naming convention and the use of WinZip for encrypting documents before sending via “C&A Initiative: Business Unit-Application Name”
Page 26 Agency C&A Process - Stakeholder Training: Working Sessions
Working Sessions: Table of Contents
- Overview
- Pre-Working Session Preparation
- Security Categorization
- Conduct SSP Working Sessions: Day 1, Kickoff Meeting, Demo; Remaining Days; After Each Day
- ITCP Working Sessions
- PIA Working Sessions
- Post-Working Sessions
Page 27 Agency C&A Process - Stakeholder Training: Working Session Overview
Purpose: Gather information to develop/update the System Security Plan (SSP), IT Contingency Plan (ITCP), and Privacy Impact Assessment (PIA). Additional attention is given to AC-17 and MA-4 to ensure that any access by vendors, contractors, etc. (such as call back, call home, etc.) is documented.
Key Participants:
- C&A Team: Documentation Team Lead (including leads for SSP, ITCP, PIA, Engineering); ST&E Team
- Stakeholders: System POC(s); Developers; System Administrators; Business Unit POC
Scheduling: Dates are determined by the Boundary/Scope Meeting. Typical duration of a Working Session is 3 to 5 days depending on complexity for applications; 10 days for a GSS.
Page 28 Agency C&A Process - Stakeholder Training: Pre-Working Session Preparations
The following activities need to take place before the Working Sessions:
- Work with System POC(s) to finalize the Working Session agenda, distribute it to the C&A Team and Stakeholders, and send calendar invitations for: Kickoff meeting; Demo; SSP data gathering; ITCP information gathering
- Coordinate with C&A Team members and system POCs
- If traveling to a site: coordinate visitor request, laptop information, clearances, etc.
- Work with System POC(s) to reserve a conference room
- Review existing documentation and pre-populate the document templates
- Distribute documents to the C&A Team and Stakeholders: pre-populated documents v0.1; PDF of C&A Schedule
Page 29 Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda
Agenda Day 1
8:00am – Documentation Team Arrives
9:00am – Meeting Kick Off: Introductions; GSS/APPs Boundary Scopes; Finalize agenda/schedules
Conduct C&A Process Sessions (Session Item – Attendees (role of folks to participate) – Comments):
- General Description/Purpose of Application; Application Points of Contact (owner, designated contacts, security personnel); Security Categorization – BU; SD/DBA/SA (limited role, intro)
- Application Demo/Walkthrough – BU, SD
- System Environment: Network Infrastructure; Network/System Diagrams; Input-Output Diagrams (Data Flow); Hardware/Software Inventory; System Interconnection (MOUs & ISAs); Information Sharing; Continuous Monitoring – BU, SD, SA, DBA
- Risk Assessment and Management; Rules of Behavior; Review of Security Controls – BU
- Privacy Considerations (Privacy Impact Assessment update and identification of system information type); Disclosure Considerations – BU
- Physical Security Controls (Monitoring physical access; Visitor controls); Environmental Security Controls – Comment: only appropriate if the GSS and/or application is located at a non-Agency site
Page 30 Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)
Agenda Day 2
Conduct the C&A process as scheduled below (Session Item – Attendees – Comments). Roles: Business Unit – BU; System Developer – SD; System Administrator – SA; Database Administrator – DBA
- Input Controls; Media Sanitization/Disposal; User Support; System Monitoring; Virus Detection; Incident Response Capability (Incident handling/monitoring/reporting; Incident Testing); Software Policy – BU, SD, SA
- Maintenance and Repair (Maintenance Procedures; Remote Maintenance; Maintenance Personnel); Configuration Management (Baseline Configuration; Configuration Change Control; Monitoring Configuration Changes); Security in the System Development Life Cycle – BU, SD, SA, DBA
- Security Awareness and Training (Security Training and Awareness Procedures; Security Training Records); Personnel Security (Position Categorization; Personnel Termination/Transfer; Access Agreements; Third-Party Personnel Security) – BU
Page 31 Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)
Agenda Day 2 (continued)
- Separation of Duties; Least Privilege; Documentation; Data Integrity/Validation; Flaw Remediation; Malicious Code Protection – BU, SD, SA, DBA (limited)
Page 32 Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)
Agenda Day 3
Conduct the C&A process as scheduled below (Session Item – Attendees – Comments). Roles: Business Unit – BU; System Developer – SD; System Administrator – SA; Database Administrator – DBA
- Technical Controls: Identification and Authentication (Access Controls); Encryption Methodology; Account Management; Unsuccessful Login Attempts; Session lock/termination; System use Notification; Supervision and review of access controls; Remote access; Wireless or mobile access controls; Audit Trails (Auditable events; Audit storage capacity; Audit processing; Audit monitoring, analysis and reporting; Audit retention/protection/timestamp) – BU, SD, SA, DBA
- IT Contingency Plan: Business Impact Analysis – BU (System Owner if possible), SD, SA, DBA
- IT Contingency Plan: Backups; Off Site Storage; Recovery Strategies; Alternative Storage sites; Alternative processing sites; Documentation Distribution – BU, SD, SA, DBA
Page 33 Agency C&A Process - Stakeholder Training: Stakeholders C&A Working/Validation Agenda (continued)
Agenda Day 3 (continued)
- IT Contingency Plan: Key Personnel Notification List; Vendor Information; Communication/Telecom Strategy; Telecommunication Procedures; Training; Contingency Plan Testing – BU, SD, SA, DBA
- Follow-up on outstanding items
Page 34 Agency C&A Process - Stakeholder Training: Working Session Security Categorization
- Security Categorization is the foundational step to determining the level of effort required for a C&A
- Security Categorization is performed early in the process (usually before the C&A kicks off)
- Security Categorization is based on the information types processed, stored or transmitted by the system/application according to FIPS 199 and NIST SP
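The potential impact definitions on Page 10 and the statement above that categorization is driven by the system's information types come together in the FIPS 199 aggregation rule: for each security objective (confidentiality, integrity, availability) the system takes the highest impact level found among its information types, and the overall categorization is the highest of the three objectives. The script below is an added worked example, not material from the deck; it implements that rule, including the FIPS 199 edge case that an information type may carry "N/A" for confidentiality (public information) while a system objective is never rated below LOW. The information types and their impact levels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# FIPS 199 potential impact levels, ranked so max() picks the higher impact.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
# FIPS 199 permits N/A only for the confidentiality objective of an information type.
NOT_APPLICABLE = "N/A"
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed, stored or transmitted by the system,
    with its provisional impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InfoType) -> None:
    """Reject levels that are not FIPS 199 values; N/A is legal only for confidentiality."""
    for objective in OBJECTIVES:
        level = info_type.level(objective)
        if level in IMPACT_RANK:
            continue
        if level == NOT_APPLICABLE and objective == "confidentiality":
            continue
        raise ValueError(f"{info_type.name}: invalid {objective} level {level!r}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level among the inputs. N/A entries do not raise the mark,
    and a system objective is never below LOW, so an all-N/A column yields LOW."""
    ranked = [lvl for lvl in levels if lvl in IMPACT_RANK]
    if not ranked:
        return "LOW"
    return max(ranked, key=IMPACT_RANK.__getitem__)


def categorize(info_types: list[InfoType]) -> tuple[dict[str, str], str]:
    """FIPS 199 security category of the system: per objective, the high water
    mark across all information types; the overall level is the highest objective."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for info_type in info_types:
        validate(info_type)
    category = {obj: high_water_mark(it.level(obj) for it in info_types)
                for obj in OBJECTIVES}
    overall = high_water_mark(category.values())
    return category, overall


def format_sc(category: dict[str, str], system_name: str) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), ...}."""
    inner = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample: names and impact levels are made up for this example.
SAMPLE_TYPES = [
    InfoType("Case records with PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("Published program guidance", NOT_APPLICABLE, "LOW", "LOW"),
    InfoType("Application audit logs", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    category, overall = categorize(SAMPLE_TYPES)
    print(format_sc(category, "example application"))
    print("Overall security categorization:", overall)
```

For the sample the result is confidentiality MODERATE, integrity MODERATE, availability LOW, so the system is categorized MODERATE overall and is assessed against the MODERATE control baseline; a single HIGH information type anywhere in the list would move the whole system to HIGH, which is why the categorization step is where the C&A level of effort is decided.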
Page 35 Agency C&A Process - Stakeholder Training: NIST SP Controls
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST (baseline entries are listed as they appear on the slide; a single entry spans all three baselines):
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
ACCESS CONTROL
AC-1 | Access Control Policy and Procedures | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1)(2)(3)(4)
AC-3 | Access Enforcement | AC-3 | AC-3 (1)
AC-4 | Information Flow Enforcement | Not Selected | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5
AC-6 | Least Privilege | Not Selected | AC-6
AC-7 | Unsuccessful Login Attempts | AC-7
AC-8 | System Use Notification | AC-8
AC-9 | Previous Logon Notification | Not Selected
AC-10 | Concurrent Session Control | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11
AC-12 | Session Termination | Not Selected | AC-12 | AC-12(1)
AC-13 | Supervision and Review-Access Control | AC-13 | AC-13(1)
AC-14 | Permitted Actions without ID or Authentication | AC-14 | AC-14(1)
AC-15 | Automated Marking | Not Selected | AC-15
AC-16 | Automated Labeling | Not Selected
AC-17 | Remote Access | AC-17 | AC-17(1)(2)(3)(4)
AC-18 | Wireless Access Restrictions | AC-18 | AC-18(1) | AC-18(1)(2)
AC-19 | Access Control for Portable and Mobile Systems | Not Selected | AC-19(1)
AC-20 | Use of External Information Systems | AC-20 | AC-20(1) | AC-20(1)(2)
Page 36 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
AWARENESS AND TRAINING
AT-1 | Security Awareness and Training Policy & Procedures | AT-1
AT-2 | Security Awareness | AT-2
AT-3 | Security Training | AT-3
AT-4 | Security Training Records | AT-4
AT-5 | Contracts with Security Groups and Associations | Not Selected
AUDIT AND ACCOUNTABILITY
AU-1 | Audit and Accountability Policy & Procedures | AU-1
AU-2 | Auditable Events | AU-2 | AU-2(3) | AU-2(1)(2)(3)
AU-3 | Content of Audit Records | AU-3 | AU-3(1) | AU-3(1)(2)
AU-4 | Audit Storage Capacity | AU-4
AU-5 | Response to Audit Processing Failures | AU-5 | AU-5(1)(2)
AU-6 | Audit Monitoring, Analysis, and Reporting | Not Selected | AU-6(2) | AU-6(1)(2)
AU-7 | Audit Reduction and Report Generation | Not Selected | AU-7(1)
AU-8 | Time Stamps | AU-8 | AU-8(1)
AU-9 | Protection of Audit Information | AU-9
AU-10 | Non-repudiation | Not Selected
AU-11 | Audit Record Retention | AU-11
Page 37 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
CERTIFICATION, ACCREDITATION, & SECURITY ASSESSMENTS
CA-1 | Certification, Accreditation, & Security Assessment Policies and Procedures | CA-1
CA-2 | Security Assessments | Not Selected | CA-2
CA-3 | Information System Connections | CA-3
CA-4 | Security Certification | CA-4 | CA-4(1)
CA-5 | Plan of Action and Milestones | CA-5
CA-6 | Security Accreditation | CA-6
CA-7 | Continuous Monitoring | CA-7
CONFIGURATION MANAGEMENT
CM-1 | Configuration Management Policy and Procedures | CM-1
CM-2 | Baseline Configuration and System Component Inventory | CM-2 | CM-2(1) | CM-2(1)(2)
CM-3 | Configuration Change Control | Not Selected | CM-3 | CM-3(1)
CM-4 | Monitoring Configuration Changes | Not Selected
CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5(1)
CM-6 | Configuration Settings | CM-6 | CM-6(1)
CM-7 | Least Functionality | Not Selected | CM-7 | CM-7(1)
CM-8 | Information System Component Inventory | CM-8 | CM-8(1) | CM-8(1)(2)
Page 38 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
CONTINGENCY PLANNING
CP-1 | Contingency Planning Policy and Procedures | CP-1
CP-2 | Contingency Plan | CP-2 | CP-2(1) | CP-2(1)(2)(3)
CP-3 | Contingency Training | Not Selected | CP-3 | CP-3(1)
CP-4 | Contingency Plan Testing | Not Selected | CP-4(1) | CP-4(1)(2)
CP-5 | Contingency Plan Update | CP-5
CP-6 | Alternate Storage Sites | Not Selected | CP-6(1)(3) | CP-6(1)(2)(3)
CP-7 | Alternate Processing Sites | Not Selected | CP-7(1)(2)(3) | CP-7(1)(2)(3)(4)
CP-8 | Telecommunications Services | Not Selected | CP-8(1)(2) | CP-8(1)(2)(3)(4)
CP-9 | Information System Backup | CP-9 | CP-9(1)(4) | CP-9(1)(2)(3)(4)
CP-10 | Information System Recovery & Reconstitution | CP-10 | CP-10(1)
IDENTIFICATION AND AUTHENTICATION
IA-1 | Identification and Authentication Policy and Procedures | IA-1
IA-2 | User Identification and Authentication | IA-2 | IA-2(1)
IA-3 | Device Identification and Authentication | Not Selected | IA-3
IA-4 | Identifier Management | IA-4
IA-5 | Authenticator Management | IA-5
IA-6 | Authenticator Feedback | IA-6
IA-7 | Cryptographic Module Authentication | IA-7
Page 39 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
INCIDENT RESPONSE
IR-1 | Incident Response Policy and Procedures | IR-1
IR-2 | Incident Response Training | Not Selected | IR-2 | IR-2(1)
IR-3 | Incident Response Testing | Not Selected | IR-3
IR-4 | Incident Handling | IR-4 | IR-4(1)
IR-5 | Incident Monitoring | Not Selected | IR-5
IR-6 | Incident Reporting | IR-6 | IR-6(1)
IR-7 | Incident Response Assistance | IR-7 | IR-7(1)
MAINTENANCE
MA-1 | System Maintenance | MA-1
MA-2 | Periodic Maintenance | MA-2 | MA-2(1) | MA-2(1)(2)
MA-3 | Maintenance Tools | Not Selected | MA-3 | MA-3(1)(2)(3)
MA-4 | Remote Maintenance | MA-4 | MA-4(1)(2)(3)(4)
MA-5 | Maintenance Personnel | MA-5 | MA-5(1)
MA-6 | Timely Maintenance | Not Selected | MA-6
Page 40 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
MEDIA PROTECTION
MP-1 | Media Protection Policy and Procedures | MP-1
MP-2 | Media Access | MP-2 | MP-2(1)
MP-3 | Media Labeling | Not Selected | MP-3
MP-4 | Media Storage | Not Selected | MP-4(1)
MP-5 | Media Transport | Not Selected | MP-5(1) | MP-5(1)(2)
MP-6 | Media Sanitization and Disposal | MP-6 | MP-6(1)(2)
PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1
PE-2 | Physical Access Authorizations | PE-2
PE-3 | Physical Access Control | PE-3 | PE-3(1)
PE-4 | Access Control for Transmission Medium | Not Selected | PE-4
PE-5 | Access Control for Display Medium | Not Selected | PE-5
PE-6 | Monitoring Physical Access | PE-6 | PE-6(1) | PE-6(1)(2)
PE-7 | Visitor Control | PE-7 | PE-7(1)
PE-8 | Access Records | PE-8 | PE-8(1)(2)
PE-9 | Power Equipment and Power Cabling | Not Selected | PE-9
PE-10 | Emergency Shutoff | Not Selected | PE-10
PE-11 | Emergency Power | Not Selected | PE-11 | PE-11(1)
PE-12 | Emergency Lighting | PE-12
Note: P&E security controls are assessed annually and considered inherited unless the system is located at a contractor site.
Page 41 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. | CONTROL NAME | Control Baselines: LOW / MODERATE / HIGH
PHYSICAL AND ENVIRONMENTAL PROTECTION (continued)
PE-13 | Fire Protection | PE-13
PE-14 | Temperature and Humidity | PE-14
PE-15 | Water Damage Protection | PE-15
PE-16 | Delivery and Removal | PE-16
PE-17 | Alternate Work Site | Not Selected | PE-17
PE-18 | Location of Information System Components | PE-18
PE-19 | Information Leakage | Not Selected
PLANNING
PL-1 | Security Planning and Policy and Procedures | PL-1
PL-2 | System Security Plan | PL-2
PL-3 | System Security Plan Update | PL-3
PL-4 | Rules of Behavior | PL-4
PL-5 | Privacy Impact Assessment | PL-5
PL-6 | Security-Related Activity Planning | PL-6
Page 42 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. / CONTROL NAME / Control Baselines (LOW / MODERATE / HIGH)
PERSONNEL SECURITY
PS-1 Personnel Security Policy and Procedures: PS-1
PS-2 Position Categorization: PS-2
PS-3 Personnel Screening: PS-3
PS-4 Personnel Termination: PS-4
PS-5 Personnel Transfer: PS-5
PS-6 Access Agreements: PS-6
PS-7 Third-Party Personnel Security: PS-7
PS-8 Personnel Sanctions: PS-8
Page 43 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. / CONTROL NAME / Control Baselines (LOW / MODERATE / HIGH)
RISK ASSESSMENT
RA-1 Risk Assessment Policy and Procedures: RA-1
RA-2 Security Categorization: RA-2
RA-3 Risk Assessment: RA-3
RA-4 Risk Assessment: RA-4
RA-5 Vulnerability Scanning: Not Selected / RA-5 / RA-5(1)(2)
SYSTEM AND SERVICES ACQUISITION
SA-1 System and Services Acquisition Policy and Procedures: SA-1
SA-2 Allocation of Resources: SA-2
SA-3 Life Cycle Support: SA-3
SA-4 Acquisitions: SA-4
SA-5 Information System Documentation: SA-5 / SA-5(1) / SA-5(1)(2)
SA-6 Software Usage Restrictions: SA-6
SA-7 User Installed Software: SA-7
SA-8 Security Engineering Principles: Not Selected / SA-8
SA-9 Outsourced Information System Services: SA-9
SA-10 Developer Configuration Management: Not Selected / SA-10
SA-11 Developer Security Testing: Not Selected / SA-11
Page 44 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. / CONTROL NAME / Control Baselines (LOW / MODERATE / HIGH)
SYSTEM AND COMMUNICATION PROTECTION
SC-1 System and Communications Protection Policy: SC-1
SC-2 Application Partitioning: Not Selected / SC-2
SC-3 Security Function Isolation: Not Selected / SC-3
SC-4 Information Remnants: Not Selected / SC-4
SC-5 Denial of Service Protection: SC-5
SC-6 Resource Priority: Not Selected
SC-7 Boundary Protection: SC-7 / SC-7(1)(2)(3) / SC-7(1)(2)(3)(4)
SC-8 Transmission Integrity: Not Selected / SC-8
SC-9 Transmission Confidentiality: Not Selected / SC-9
SC-10 Network Disconnect: Not Selected / SC-10
SC-11 Trusted Path: Not Selected
SC-12 Cryptographic Key Establishment and Mgmt.: Not Selected / SC-12
SC-13 Use of Validated Cryptography: SC-13
SC-14 Public Access Protections: SC-14
SC-15 Collaborative Computing: Not Selected / SC-15
SC-16 Transmission of Security Parameters: Not Selected
SC-17 Public Key Infrastructure Certificates: Not Selected / SC-17
SC-18 Mobile Code: Not Selected / SC-18
SC-19 Voice Over Internet Protocol: Not Selected / SC-19
SC-20 Secure Name/Address Resolution Service (Authoritative Source): Not Selected / SC-20
Page 45 Agency C&A Process - Stakeholder Training: NIST Controls (continued)
The following tables address the specific minimum Security Controls and Control Baselines as defined by NIST:
CNTL NO. / CONTROL NAME / Control Baselines (LOW / MODERATE / HIGH)
SYSTEM AND COMMUNICATION PROTECTION (continued)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver): Not Selected / SC-21
SC-22 Architecture and Provisioning for Name/Address Resolution Service: Not Selected / SC-22
SC-23 Session Authenticity: Not Selected / SC-23 / SC-23(1)
SYSTEM AND INFORMATION INTEGRITY
SI-1 System and Information Integrity Policy and Procedures: SI-1
SI-2 Flaw Remediation: SI-2 / SI-2(2) / SI-2(1)(2)
SI-3 Malicious Code Protection: SI-3 / SI-3(1) / SI-3(1)(2)
SI-4 Information System Monitoring Tools and Techniques: Not Selected / SI-4(4) / SI-4(2)(4)(5)
SI-5 Security Alerts and Advisories: SI-5 / SI-5(1)
SI-6 Security Functionality Verification: Not Selected / SI-6
SI-7 Software and Information Integrity: Not Selected / SI-7
SI-8 Spam Protection: Not Selected / SI-8 / SI-8(1)
SI-9 Information Input Restrictions: Not Selected / SI-9
SI-10 Information Accuracy, Completeness, Validity, and Authenticity: Not Selected / SI-10
SI-11 Error Handling: Not Selected / SI-11
SI-12 Information Output Handling and Retention: Not Selected / SI-12
Page 46 Working Session: Conduct SSP Working Sessions – First Day (Kickoff Meeting, Demo)
The following activities will take place during the Working Sessions:
- Introductions
- Explain the C&A Process from start to finish, walk through the agenda, and identify the stakeholder roles that will need to participate
- Discuss NIST guidance, controls, etc.
- Explain common controls (GSS, Organizational, and PE Controls)
- Explain GSS-level controls
- Explain the layout of the SSP:
  Section 2, System Identification
  Section 3, Management Controls
  Section 4, Operational Controls
  Section 5, Technical Controls
  System/Network Diagram
  Input/Output Diagram
  MOUs/ISAs (inquiry regarding connectivity to the Agency system from outside of the Agency environment, such as call back for maintenance or remote management)
  e-Authentication Questionnaire
Page 47 Working Session: Conduct SSP Working Sessions – First Day (Kickoff Meeting, Demo)
The following activities will take place during the Working Sessions:
- Gather information for Section 2 of the SSP:
  System Name, Unique Identifier
  System POCs
  Operational Status
  General Description/Purpose
  System Environment
  System Interconnections
- Demo/walk-through of the System (schedule during the Boundary Scoping Session)
Page 48 Agency C&A Process - Stakeholder Training: Working Session: Conduct SSP Working Sessions
The following activities will take place during the Working Sessions (continued):
- Discuss the remainder of the SSP controls: Management, Operational, Technical
- Discuss the impact of the following controls on the enterprise infrastructure/applications:
  AC-17 (Remote Access): The organization authorizes, monitors, and controls all methods of remote access to the information system.
  MA-4 (Remote Maintenance): The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.
Page 49 Agency C&A Process - Stakeholder Training: Working Session: ITCP
ITCP Working Sessions:
- Introductions
- Explain the different documentation (BIA, ITCP, TT&E)
- Explain the process for developing the ITCP:
  BIA, including Recovery Time Objectives (RTO)
  ITCP
  TT&E
- Begin data gathering for the BIA (use the ITCP/BIA Interview Guide)
- Begin data gathering for the ITCP (continue with the ITCP/BIA Interview Guide)
Post-ITCP Working Session:
- Let the System POCs know that you will follow up with an e-mail listing any action items and requesting any information that has not yet been provided.
Page 50 Agency C&A Process - Stakeholder Training: Working Session: ITCP
The BIA is a fact-finding process that provides the foundation for the ITCP:
- A BIA is used to identify and prioritize the components of an application by linking them to the Agency business processes that they support
- A BIA is conducted during the initial phase of building an ITCP, and it is included as an appendix to the ITCP
- Interviews are conducted with key stakeholders to gather information about the application, including:
  Determine what Agency-wide critical business processes (CBP) and administrative/infrastructure (A/I) processes the application supports
  Determine the Recovery Time Objective (RTO), the maximum amount of time that may elapse before unavailability of the application causes an unacceptable impact on the Business Unit sub-processes, and the Recovery Point Objective (RPO), the point in time to which sub-process data must be recovered
  Recovery priority and timeframe of recovery for application components (i.e., servers, files, etc.)
- This information is used to develop procedures and strategies for recovering the application, if disrupted
Page 51 Agency C&A Process - Stakeholder Training: Working Session: ITCP
An ITCP establishes procedures to recover and resume normal operations of an application following a disruption. A full activation of the ITCP includes three phases:
- Notification/Activation
  Notify proper personnel
  Detect and assess damage
  Activate the plan
- Recovery
  Identify and prioritize recovery activities
  Restore temporary IT operations
  Recover damage done to the original application
- Reconstitution
  Resume application processing capabilities to normal operations
  Deactivate the plan
Page 52 Agency C&A Process - Stakeholder Training: Working Session: ITCP
The ITCP data gathering process:
- Interviews are conducted with key stakeholders to gather information about the application, including:
  Key personnel and their roles/responsibilities
  Threats to the application
  Damage assessment procedures
  Recovery procedures
  Concurrent processing procedures
  Off-site data storage details
  Backup procedures
- This information is used to develop procedures and strategies for recovering and resuming normal operations of the application, if disrupted
- Data gathering for General Support Systems (GSS) may require separate sections for components and major systems
Page 53 Agency C&A Process - Stakeholder Training: Working Session: PIA
Privacy Impact Assessment (PIA) Purpose:
- PIAs are completed on information systems collecting personally identifiable information. Examples: name, SSN, address, phone number, e-mail address, financial data and account numbers, biometric identifier, etc.
- PIAs ensure that:
  The public is made aware of the information federal agencies collect about them
  Any impact these systems have on personal privacy is adequately addressed
  Only the necessary personal information is collected, nothing else
- Conducting PIAs will allow the Agency to identify which of its systems contain Information in Identifiable Form (IIF). For those systems containing IIF, the PIA will serve as a platform to:
  Ensure that information handling conforms to applicable legal, regulatory, and policy requirements regarding privacy
  Determine the risks and effects of collecting, maintaining, and disseminating IIF in an electronic information system
  Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks
Taken from the definition of “PIA” in OMB Memorandum M-03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” September 26, 2003.
Page 54 Agency C&A Process - Stakeholder Training: Working Session: PIA
Privacy Impact Assessment (PIA) Purpose (continued):
Additionally, conducting a PIA provides an opportunity to identify privacy risks associated with information systems. Formal PIAs provide a number of advantages over ad hoc evaluations. These advantages include:
- Providing inputs (e.g., privacy risks) for required C&A reporting documents, to include: POA&M, SAR, SSP (Appendix)
- Improving the understanding of a system’s overall potential privacy risks, exposures, and liabilities
- Providing a reliable basis for decision making on policy and system design
- Generating and improving public confidence, at the organizational level, by anticipating and addressing privacy concerns
Privacy Deliverables include:
- Final Privacy Impact Assessment Questionnaire
- Privacy Memo (officially signed by the Director of the Agency Office of Privacy): states all privacy risks and where they are acceptable
Page 55 Agency C&A Process - Stakeholder Training: Working Session: Conduct Working Sessions – After Each Day
The following activities will take place after each day of the Working Sessions:
- Prepare and distribute a recap:
  Attendees
  Action Items
  Information gathered by section and/or control
  Documents received
  For follow-up at the next working sessions
- Distribute soft copies of documents to the entire team
- Update the document tracker (include CDs, hard copies, soft copies, screen captures, etc.)
Page 56 Agency C&A Process - Stakeholder Training: Working Session: Post-Working Sessions
The following activities will take place after each day of the Working Sessions (continued):
- Inform the team of next steps:
  One week for drafting the SSP and ITCP
  Validation Session following drafting of documents (including the PIA Working Session)
- Confirm or change the Validation Session and PIA Working Session
- Send calendar invitation
Page 58 Agency C&A Process - Stakeholder Training: Validation Session Overview
Purpose: To validate the information documented in the System Security Plan (SSP), IT Contingency Plan (ITCP), and Privacy Impact Assessment (PIA) for accuracy, completeness, and validity
Participants: Stakeholders who were involved during the Working Sessions; C&A Team
Duration:
- Typically 2 to 4 hours to validate the SSP
- Typically 2 hours to validate the ITCP
- Typically 1 hour for the PIA Working Session
*Note: Refer to the GSS schedule template for Validation Session duration specifics.
Page 59 Agency C&A Process - Stakeholder Training: Conduct Validation Session(s)
The following activities will take place during the Validation Session(s):
- Review outstanding action items to ensure all issues have been addressed
- Walk through the SSP to verify the information is correct
Page 60 Agency C&A Process - Stakeholder Training: ITCP Validation Session(s)
ITCP Validation Session(s):
- Address any questions, comments, and input the attendees have regarding the draft ITCP
- Discuss any of your previous questions that followed the ITCP working session and are still outstanding
- Walk through the BIA and ITCP to validate the existing information within the plan
- Recap any information that is still needed; follow up with an e-mail covering the same information
Page 61 Agency C&A Process - Stakeholder Training: ITCP Validation Session(s)
The following activities will take place after the Validation Session(s):
- Prepare and distribute a recap:
  Attendees
  Action Items
  Information gathered by section and/or control
  Documents received
  For follow-up at the next validation sessions
- Make updates as identified
- Obtain an e-mail from the DAA POC confirming that all information is complete and accurate before finalizing the documents and sending them to the C&A Team and Stakeholders
- Distribute updated documents to the C&A Team and Stakeholders
Page 62 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
Purpose of conducting an ST&E: The purpose of performing a Security Test and Evaluation (ST&E) is to evaluate the management, operational, and technical controls of the application/system, determine the effectiveness of these controls in operation, and identify the vulnerabilities. An ST&E will provide important insight into the effectiveness of the security controls that are a part of each Agency application, system, or GSS.
Page 63 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
Security Categorization Impacts the Type of ST&E Conducted: The Application/System business owner identifies the information types processed, stored, or transmitted by the application/GSS to determine the impact levels for confidentiality, integrity, and availability of the application/GSS and then categorizes the application as Low, Moderate, or High. The type of ST&E that is conducted varies depending on the application or GSS’s security categorization.
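The categorization step described above, carried into code as an added example (not material from the training deck): each information type gets a confidentiality/integrity/availability impact level, the system's level for each objective is the highest level any of its information types carries (the FIPS 199 high-water mark), and the overall category is the highest of the three. The sample information types and their levels are constructed for the example, not an Agency categorization of any real system; the baseline rows are copied from the control tables earlier in this deck for controls whose LOW, MODERATE and HIGH cells are all given explicitly, and the resulting category selects the column.

```python
"""FIPS 199 high-water-mark categorization and baseline column selection (added example)."""
from typing import Dict, Mapping, Tuple

LEVELS = ("Low", "Moderate", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample input: provisional (C, I, A) impact levels for each
# information type the system handles. Assumed values for illustration only.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Customer account records": ("Moderate", "Moderate", "Low"),
    "Public web content": ("Low", "Moderate", "Low"),
    "System audit logs": ("Low", "High", "Low"),
}

# Baseline rows (LOW, MODERATE, HIGH) copied from this deck's control tables.
BASELINES: Dict[str, Tuple[str, str, str]] = {
    "MA-3": ("Not Selected", "MA-3", "MA-3(1)(2)(3)"),
    "RA-5": ("Not Selected", "RA-5", "RA-5(1)(2)"),
    "SC-7": ("SC-7", "SC-7(1)(2)(3)", "SC-7(1)(2)(3)(4)"),
    "SI-4": ("Not Selected", "SI-4(4)", "SI-4(2)(4)(5)"),
}


def _check_level(level: str) -> str:
    """Reject anything that is not one of the three FIPS 199 impact levels."""
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(
    info_types: Mapping[str, Tuple[str, str, str]],
) -> Tuple[str, Dict[str, str]]:
    """Return (overall category, per-objective levels) for the system.

    Per objective, the system level is the maximum over all information
    types; the overall category is the maximum over the three objectives.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    per_objective = {obj: "Low" for obj in OBJECTIVES}
    for name, levels in info_types.items():
        if len(levels) != 3:
            raise ValueError(f"{name}: expected a (C, I, A) triple, got {levels!r}")
        for obj, level in zip(OBJECTIVES, levels):
            level = _check_level(level)
            if RANK[level] > RANK[per_objective[obj]]:
                per_objective[obj] = level
    overall = max(per_objective.values(), key=RANK.__getitem__)
    return overall, per_objective


def selected_controls(
    category: str,
    baselines: Mapping[str, Tuple[str, str, str]] = BASELINES,
) -> Dict[str, str]:
    """Pick the baseline column for the category; 'Not Selected' rows are dropped."""
    column = RANK[_check_level(category)]
    return {
        ctrl: row[column]
        for ctrl, row in baselines.items()
        if row[column] != "Not Selected"
    }


if __name__ == "__main__":
    overall, per_obj = high_water_mark(SAMPLE_INFO_TYPES)
    print(f"Per-objective levels: {per_obj}; overall category: {overall}")
    for ctrl, entry in selected_controls(overall).items():
        print(f"  {ctrl}: {entry}")
```

With the constructed sample the integrity level of the audit-log information type drives the whole system to High, which is the point of the high-water mark: one High objective on one information type is enough to pull in the HIGH column of every control, so the information-type inventory the business owner supplies has to be complete and accurate before the baseline, and therefore the scope of the ST&E, is fixed.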
Page 64 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
Developing an ST&E Test Plan: The ST&E Test Plan is based on the information collected from several key documents that are created as a part of the Certification and Accreditation (C&A) process, such as:
* System Security Plan (SSP) – An SSP is a document that provides an overview of the security requirements of the system and describes the current implementation status (in place, planned, etc.) of the minimum security controls and roles and responsibilities.
* Information Technology Contingency Plan (ITCP) – The ITCP is a document that contains a strategy, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption.
* Privacy Impact Assessment (PIA) – The PIA is a process used to evaluate the impact that information systems have on an individual. The PIA process is designed to guide agency system developers and operators in assessing privacy through the early stages of development.
Page 65 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
Types of personnel that need to be involved in developing an accurate SSP and ITCP and conducting a thorough and complete ST&E:
- Business primary Points of Contact (POC)
- Application developers
- Application administrators
- Operating system administrators
- Database administrators
- System operators
- Security administrators
- ST&E Team members
Page 66 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
ITCP: An ITCP test is conducted in conjunction with an ST&E; however, it is not part of the ST&E and is facilitated by the C&A Documentation Team.
* Testing, Training, and Exercise (TT&E), also known as a Table Top Exercise, usually includes the following testing areas:
  - Preparations
  - Notification/Activation
  - Recovery
  - Reconstitution
  - Plan Deactivation
Note: The ST&E should always be conducted in the production environment. When this is not possible, this has to be raised by the BU stakeholders and resolved during the initial C&A Working Sessions. When an ST&E is conducted in a development or test environment rather than the production environment, those environments must replicate the production environment, and all technical tests will need to be retested once the production environment is available. This scenario requires additional funding to support the additional ST&E activity and must be identified early in the process.
Page 67 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
General ST&E Process Comments:
- Throughout the ST&E process, BU personnel have numerous opportunities to review and provide input to the final SSP and ITCP that are used to develop the ST&E test plan for a particular application or GSS. BU personnel are given an opportunity to review and discuss the ST&E plan that is developed for a particular application or GSS.
- It is critical to the success of an ST&E that a stable and accurate SSP, ITCP, and Application or GSS Inventory are completed prior to beginning the ST&E testing of an application or GSS.
- The Agency conducts many ST&Es during each FISMA reporting cycle. This often means that several ST&Es will be occurring during the same time frame, which makes for a complex ST&E schedule. To minimize impact on the ST&E master testing schedule and on all the ST&E participants, it is important that all parties associated with each ST&E complete the work related to their ST&E in a manner that helps ensure the ST&E occurs within the projected master ST&E schedule timeframe.
Page 68 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
General ST&E Process Comments (continued):
- Stakeholders – Assigning the right people to participate in the ST&E is critical to the success of the ST&E and will minimize unnecessary findings. When the individual participating in an ST&E test does not know the answer to an ST&E question, or does not provide the correct information to answer the question, the result is an ST&E finding. Stakeholders can avoid these types of unnecessary findings by assigning the right resources to participate in the ST&E and ensuring those key resources are present during the ST&E testing.
- After an ST&E is completed for an application or GSS, the results are provided to the C&A Documentation Team for analysis and inclusion in the final C&A package. BU stakeholders will receive the results prior to the Stakeholder Outbrief meeting, which is conducted after that analysis and before the C&A package is submitted to the Certification Agent and the Designated Approving Authority for review and signature.
- Issue Resolution – Stakeholders will be given the opportunity to correct findings and provide additional evidence in a very short turnaround, prior to the stakeholder outbrief. Instructions will be provided when the results are distributed.
- The ST&E Test Team members are not the personnel who make the determination as to whether an application or GSS is to receive an Authority to Operate (ATO) or an Interim Authority to Operate (IATO).
Page 69 Agency C&A Process - Stakeholder Training: Security Test & Evaluation (ST&E) Process
Types of Security Control Tests that are performed during an ST&E of an application or GSS:
* Management
* Operational
* Technical
* These three types of controls are defined in NIST SP and determined during the SSP development
* Some test cases will be Organizational or GSS Common Controls
* Technical and Operational Controls can include test cases related to many application/system areas, such as:
  - Auditing
  - Databases
  - COTS Products
  - Media Protection
  - Operating System
  - Telecommunications
  - Contingency Planning
  - Configuration Management
Page 70 Test, Training & Exercise (TT&E) Training: Pre-TT&E
Invite TT&E Attendees: The following activities will take place before the TT&E:
Application:
- ITCP Director
- ITCP Coordinator
- Recovery Personnel, including Database Administrators, System Administrators, Developers, and Production Support Staff
- Business Unit Personnel
- Test Team and Agency’s Security Organization will be Observers
GSS:
- ITCP Plan Director
- ITCP Incident Commander
- ITCP Recovery Coordinator
- ITCP Component Coordinator
- ITCP BU Coordinator
- ITCP Application Recovery Teams
- ITCP Component Recovery Teams
- Business Unit Personnel
- Test Team and Agency’s Security Organization will be Observers
Page 71 Agency C&A Process - Stakeholder Training: Test, Training & Exercise (TT&E) Training TT&E: Table of Contents Overview
Page 72 Agency C&A Process - Stakeholder Training: TT&E Training Overview
TT&E Overview:
- Designed to train essential personnel on the Information Technology Contingency Plan (ITCP) and to provide a forum to talk through a realistic emergency scenario whereby the ITCP needs to be activated and exercised
- Developed to prepare personnel for an emergency situation and to ensure key personnel have a forum to talk through their roles and responsibilities, discuss what they would do during the emergency situation, and communicate how they would respond to the events
- Created so lessons can be drawn and recorded from the exercise, changes can be made to the plan to represent the flow of information and communication among essential personnel, and staff will be prepared in the event of an actual emergency situation
- Implemented to enhance understanding of the key communication, coordination, and information necessary during the three key ITCP phases: Notification/Activation, Recovery, and Reconstitution
- Upholds the following:
  Public Law , E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA 2002), which requires security awareness training, review of responsibilities regarding policies and procedures, periodic testing and training associated with upholding information security policies and principles, and a process for addressing policy and procedure deficiencies
  Federal Preparedness Circular FPC 65, Federal Executive Branch Continuity of Operations, June 15, 2004, which requires regular testing, training, and exercises of the agency’s equipment, personnel, systems, processes, and procedures during a COOP event
  National Institute of Standards and Technology Special Publication , Contingency Planning Guide for Information Technology Systems, June 2002
Page 73 Agency C&A Process - Stakeholder Training: Security Assessment Report (SAR) SAR: Table of Contents Overview
Page 74 Agency C&A Process - Stakeholder Training: SAR Overview
Definition: As defined within NIST SP , the SAR provides the results of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. In addition, the SAR can also contain a list of recommended corrective actions.
Purpose: The purpose of the Security Assessment Report (SAR) is to provide the Certifier and the Designated Approving Authority with a more holistic view of risk regarding the GSS/application. It documents the security assessment activities that were performed on the application and the results of those activities, including ST&E, PIA, e-Authentication Assessment, audits, and any other risk assessment activities (e.g., Risk Based Review).
Duration: Typically 5 days
Page 75 Agency C&A Process - Stakeholder Training: Risk Overview Activities
Risk Overview: Table of Contents
- Risk Overview C&A Package Preparation
- Risk Overview/Stakeholder Outbrief Activities
- Preparation of Final C&A Package
- Stakeholder Outbrief Meeting
Page 76 Agency C&A Process - Stakeholder Training: Risk Overview: C&A Package Preparation
C&A Package Preparation:
- Update all C&A documentation to reflect the current information
- Put all files in the correct naming convention
- Ensure draft watermarks are removed
- Quality assurance
- Send documents to the Agency’s Security Organization and the C&A mailbox
Page 77 Agency C&A Process - Stakeholder Training: Stakeholder Outbrief Meeting
The following activities will take place prior to the Stakeholder Outbrief Meeting:
- C&A Documentation Team will update the documents based on the Risk Overview session
- C&A Documentation Team will send the finalized C&A package to the participants of the scheduled Stakeholder meeting:
  For Applications – send documents out 3 days prior to the stakeholders meeting
  For GSSs – send documents out 5 days prior to the stakeholders meeting
Page 78 Agency C&A Process - Stakeholder Training: Stakeholder Conclusion
The C&A Process comes to its conclusion:
- After the Stakeholder Outbrief Meeting, the entire C&A package goes to the Certifier for review, signature, and approval
- After the Certifier signs the Certification Memo, CPO will then send the signed Certification memo and C&A package to the business unit security PMO with a request to schedule the DAA Outbrief
- A DAA outbrief will be held to walk the DAA through the C&A package, and by the end of the session the DAA’s approval and signature on the Accreditation memo will be requested
- By signing, the DAA agrees to all risks of the application or GSS identified during the C&A process, and will work to develop strategies for addressing issues. A POA&M will be created and updated, monitored, and progress reported quarterly by the business unit.
Page 79 Agency C&A Process - Stakeholder Training: A Successful C&A Process Depends on You
Critical Success Factors:
- Partnership between all stakeholders (Business Units) is crucial in successfully completing Certification and Accreditation activities
- Engagement by business units to efficiently and effectively complete tasks
- Security documentation is only as good as the information provided
- Ultimately, the contents of the security documents are the responsibility of the business owner, who will be responsible for maintaining the documents
- Establishing a baseline of NIST-compliant C&A documents will have a positive impact on future costs
- Staying on schedule [1/3 of applications/GSSs must be certified each FISMA cycle (annually)]
Page 80 Agency C&A Process - Stakeholder Training: Your role as a Key Stakeholder in C&A…
- Actively engage in the Boundary/Scope, Working, and Validation sessions
  Ensure you understand the questions and the evidence required
- Actively engage in the Security Test & Evaluation (ST&E)
  Ensure you understand the test case questions
  Work closely with the ST&E Team to ensure your responses completely answer the test case question
- Elevate concerns early through the C&A Team Lead or your business unit security PMO
- Help CPO ensure all of the right stakeholders are engaged throughout the process
  If you cannot answer the test case question, help the C&A Test Team identify the right person to respond to that question
  The goal is to document the current implementation status of the security controls and then validate the current implementation status of the required security controls through independent testing
  It is not CPO’s intent to trick people into providing the wrong response; it is to ensure the correct people are asked the right questions
- Understand the expectation for engagement and the time commitment at the kickoff of the C&A
Page 81 Agency C&A Process - Stakeholder Training: Who are the right people and what will they do?
The “right people” to participate in C&A activities:
- Someone with a working knowledge of how the controls have been implemented for the application being assessed
- Someone with knowledge of how the application is managed and operated
What will they do?
- Participants will need to attend conference calls/meetings as scheduled
- Participants will need to engage and provide input throughout the process
- Participants will need to provide evidence and documentation in a timely manner
- Participants will need to carefully review and provide feedback on the C&A documentation as scheduled for the Stakeholder Outbrief
Page 82 Agency C&A Process - Stakeholder Training: Success Indicators and Expected Outcomes
- An added layer in the Agency defense-in-depth approach to security
- Consistent identification of risks, presenting an opportunity to proactively resolve or mitigate weaknesses before they are exploited, resulting in better security for the application and across the enterprise
- Reusable NIST-compliant test cases for:
  Verification of resolution
  Continuous monitoring
- Informed stakeholders and DAA
- Solid, defensible NIST-compliant C&A package
- Improved FISMA reporting, improved audit reviews, improved GAO reviews
- Demonstrates security commitment and accountability
- Facilitates E300 Funding
Page 83 Questions? Agency C&A Process - Stakeholder Training