Presentation is loading. Please wait.

Presentation is loading. Please wait.

What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,

Published byDeclan Stobbs Modified over 9 years ago

Similar presentations

Presentation on theme: "What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,"— Presentation transcript:

1 What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie, Texas Cage Code: IS Number: 240 This IS Profile is associated with ODAA Unique Identifier:

2 Preparing System Security Plans
JSAC April 2011

3 What are the Requirements needed to start a new Classified Program?

4 Contract Instrument DD254
The Federal Acquisition Regulation (FAR) requires that a DD Form 254 be incorporated in each classified contract. The DD Form 254 provides to the contractor (or a subcontractor) the security requirements and the classification guidance that would be necessary to perform on a classified contract. Invitation for Bid (IBF), Independent Research and Development (IRAD), Request for Proposal (RFP), Request for Quotation.

5 DD 254…

6 Certification and Accrediation
Security classification guide or other relevant security docs (Required prior to beginning a IS profile) Identify classification and handling caveats Identify IS USER required training based on classification and handling caveats COMSEC: information includes accountable or non-accountable COMSEC information and controlled cryptographic items (CCI). Closed area/ Safe training required

7 IT/Tech Apps “White board” meeting to discuss computing system requirements Engineering and program requirements Unclassified and Classified systems Allocate, Build and pre-Certify systems based upon ODAA technical baseline settings.

8 Why the Defense Security Service denies (DSS) an Interim Approval to Operate (IATO)
Missing or incomplete Unique Identifier (UID) ISSM did not sign the IS Security Package Submission and Certification Statement Missing Hardware List / Software List / Configuration Diagram Physical Security not adequately explained No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area No Certification Test Guide or NISP Tool Results were provided Missing letter from Government Contracting Activity (GCA) if any variances are needed Missing MOA when required Identification and Authentication not adequately addressed Any unique issues that would require denial of the IATO

9 Missing or incomplete UID

10 Physical Security not adequately explained

11 Any unique issues that would require denial of the IATO
Special Procedures Other Special procedures: N/A Yes If yes, describe:       Other Comments or Additional Information: Classified media may be utilized at the same or higher classification and or handling caveat, contact the ISSM for specific details. Hard drives and other media will be destroyed by sending it to the NSA or by returning it as classified back to the data owner. Overwriting of hard drives is NOT an approved method of Sanitization. Temporarily inactive drives or infrequent use of the hard drives is not uncommon.  These procedures pertain to drives not used for a Week or longer.  In lieu of conducting Weekly online audits of the hard drive, the drives will be placed in Bag and the opening sealed with Tamper Proof Seals.  Each week, the Bags will be inspected to ensure usage has not taken place.  If or when a Seal is broken, an entry will be made in the Seal Log identifying the reason.  When the drives are used, the anti-virus definitions will be updated, work conducted, then an on-line audit of the drive completed and then the drive will be bagged and seal placed over the opening.  The action will be recorded in the Maintenance and or Seal Logs as appropriate and in the weekly record audit. The ASTi / Telestra 4 hardware has a BIOS password length limitation of 7 characters. It will accept upper/lower case and special characters, but does not enforce any complexity requirements.

12 Missing Hardware List / Software List / Configuration Diagram

13 No signed DSS Form 147 (Record of Controlled Area) if the system is in a Closed Area

14 No Certification Test Guide or NISP Tool Results were provided

15 No Certification Test Guide or NISP Tool Results were provided

16 No Certification Test Guide or NISP Tool Results were provided

17 Missing MOA when required
MOU Requirements When information systems accredited by different DAAs are to be interconnected, an MOU is required to be completed and signed by the DAAs for the systems involved. MOUs are created to describe the security responsibilities and other information as agreed upon by two or more designated approving authorities or DAAs. Contractor-to-Contractor system interconnections do not require an MOU when DSS is the DAA for all systems involved.

18 Missing letter from GCA if any variances are needed
A signed copy of the customers Risk Acceptance Letter on Government letterhead. stating they are willing to assume the residual risk for the alternate trusted download procedures. Note that Risk Acceptance Letter's must be updated when the plan is reaccredited every three years. For special purpose systems not part of a larger system the facility needs to explain the need to the GCA and get risk acceptance letter to include GCA security guidance since the system won't meet NISPOM requirements. Operating system must be NISPOM compliant, or have a Risk Acceptance Letter from the GCA.

19 Identification and Authentication not adequately addressed

20 Any unique issues that would require denial of the IATO

21 Restricted Areas…

22 Tracking Activity…

23 Missing or incomplete UID
ISSM did not sign the IS Security Package Submission and Certification Statement

24 Missing or incomplete UID

25 Question Time?

Download ppt "What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,"

Similar presentations

Configuration Management

Configuration Management
Classified Contract Close-out By Jane Dinkel Security Manager LMMFC.

Classified Contract Close-out By Jane Dinkel Security Manager LMMFC.
For Security Professionals

For Security Professionals
Annual Security Refresher Briefing Note: All classified markings contained within this presentation are for training purposes.

Annual Security Refresher Briefing Note: All classified markings contained within this presentation are for training purposes.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
1 Beyond Standards. Standards ISFO Manual Threats Case Study Future 2 Beyond Standards.

1 Beyond Standards. Standards ISFO Manual Threats Case Study Future 2 Beyond Standards.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Industrial Security 2010 Worldwide Security Conference.

Industrial Security 2010 Worldwide Security Conference.
ISP Preparation Series 1 – Chapter 7. NISPOM Chapter 7 – Subcontracting Acronyms CSCS:Contract Security Classification Specification (DD Form 254) CSA:Cognizant.

ISP Preparation Series 1 – Chapter 7. NISPOM Chapter 7 – Subcontracting Acronyms CSCS:Contract Security Classification Specification (DD Form 254) CSA:Cognizant.
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS

ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS
1 Office of the Designated Approving Authority (ODAA) April 2008.

1 Office of the Designated Approving Authority (ODAA) April 2008.
ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013 1 Nov 2013.

ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov Nov 2013.
First Article Inspection Report

First Article Inspection Report
PROCUREMENT PROCESS FOR CONTRACTS Recognition of Need.

PROCUREMENT PROCESS FOR CONTRACTS Recognition of Need.
Marcy Mealy Procurement Specialist CDBG Program

Marcy Mealy Procurement Specialist CDBG Program
Section Four: Employee and Visitor Access Controls Note: All classified markings contained within this presentation are for training purposes only.

Section Four: Employee and Visitor Access Controls Note: All classified markings contained within this presentation are for training purposes only.
Disk Clearing and Disk Sanitization

Disk Clearing and Disk Sanitization
SRC Application Process Fall 2014 Version: November 12, 2014.

SRC Application Process Fall 2014 Version: November 12, 2014.
Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.

Similar presentations

Ads by Google