Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Published byBritney Bates Modified over 8 years ago

Similar presentations

Presentation on theme: "Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat."— Presentation transcript:

1 Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat

2 2 Phase-1 Overview n n Phase 1 initiates the DITSCAP process by acquiring or developing the information necessary to understand the Information System under evaluation and then using that information to plan the C&A tasks.

3 3 Phase-1 Definition n n The objectives of the Phase 1 activities are to agree on - The intended system mission - security requirements - C&A boundary - level of effort and - resources required.

4 4 Phase-1 Definition Business case Mission Need Threat, Requirement,..etc PreparationRegistrationNegotiation Agreement SSAA Phase 2 Yes No Review Documentation Prepare Mission Description and System Identification Register System Describe Environment & Threat Identify Organization and resources Draft SSAA Certification Requirements review Approve Phase1 SSAA

5 5 Phase-1 Activities n n Phase 1 activities: - Preparation - Registration - Negotiation

6 6 Phase-1 Preparation n n The DITSCAP process starts when an Information System is developed or modified in response to a business case, operational requirements, mission needs, or significant change in threats to be countered. n n During the preparation activity, information and documentation is collected about the system.

7 7 Phase-1 Preparation n n Materials Reviewed During Preparation 1. Business Case 2. Mission Needs Statement 3. System Specifications 4. Architecture and Design Documents 5. User Manuals 6. Operating Procedures 7. Network Diagrams 8. Configuration Management Documents 9. Threat Analysis 10. Federal and Organizational IA and Security Instructions and Policies

8 8 Phase-1 Registration n n Registration initiates the risk management agreement process among the program manager, DAA, Certifier, and user representative. n n Registration begins with preparing the system description and system identification and concludes with preparing an initial draft of the SSAA.

9 9 Phase-1 Registration n n Registration Tasks 1. Prepare business or operational functional description and system identification. 2. Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system). 3. Prepare the environment and threat description. 4. Prepare system architecture description and describe the C&A boundary. 5. Determine the system security requirements. 6. Tailor the DITSCAP tasks, determine the C&A level of effort, and prepare a DITSCAP plan. 7. Identify organizations that will be involved in the C&A 8. Develop the draft SSAA.

10 10 Phase-1 Negotiation  During negotiation all the participants involved in the Information System's development, acquisition, operation, security certification, and accreditation reach agreement on the implementation strategy to be used to satisfy the security requirements identified during system registration.

11 11 Phase-1 Negotiation n n Negotiation Tasks 1. Conduct the Certification Requirements Review (CRR). 2. Agree on the security requirements, level of effort, and schedule. 3. Approve final Phase 1 SSAA.

12 12Negotiation n n Negotiation starts with a review of draft SSAA n n All participants review the proposed certification level and resource requirements to determine that the appropriate assurance is being applied.

13 13Negotiation n n The purpose of negotiation is to ensure that the SSAA properly and clearly defines the approach and level of effort. n n During negotiation all participants must develop an understanding of their roles and responsibilities. n n Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached.

14 14 Phase-1 Tasks  Task 1-1 Review Documentation - Task Objective: The objective of this task is to obtain and review documentation relevant to the system. - Task Description: In the review documentation task, information and documentation is collected about the system. This Information includes - capabilities and functions the system will perform - operational organizations supported - intended operational environment, and operational threat. - T his information is contained in the business case or mission needs statement, system specifications, architecture and design documentation, user manuals, operating procedures, network diagrams, and configuration management documentation.

15 15 Phase-1 Tasks n Task 1-2 n Task 1-2 Prepare the System and Functional Description and system Identification. n n Task Objective: The objective of this task is to prepare an accurate description of the system. n n Task Description. The system and functional description and system identification task describes the system mission and functions, system capabilities and Concept of Operations (CONOPS). - 1.2.1 System Identification: Identify the system being developed or entering the C&A process. Provide the name, organization, and location of the organization developing the mission needs and the organizations containing the ultimate user. - 1.2.2 System Description. Describe the system focusing on the information security relevant features of the system. Describe all the components of the system.

16 16 Phase-1 Tasks - - 1.2.3 Functional Description and Capabilities: Describe the system clearly delineating what functions or capabilities are expected in the fully accredited system. - System Capabilities: The functions or capabilities expected in the fully accredited system and the mission for which it will be used are clearly defined. - System Criticality: system criticality and the acceptable risk for the system in meeting the mission responsibilities are defined. - Classification and Sensitivity of Data: The type and sensitivity of the data processed by the system are defined. - System Users: User's security clearances, their access rights to specific categories of information processed, and the actual information that the system is required to process are defined. - System Life Cycle:. The system life cycle and where the system is in relationship to its life cycle is defined.

17 17 Phase-1 Tasks - 1.2.4 System CONOPS : The system CONOPS, including functions performed jointly with other systems are defined. n Task 1-3 n Task 1-3 Register the System. - - Task Objective: The objective of this task is to identify the Agencies and individuals involved in the C&A process and determine the current status of the system. - Task Description. This task identifies the applicable security and user authorities and informs them of the system status. 1.3.1 Identify Authorities: - The Agency or organization that will serve as the DAA, Certifier, and user representative is identified. - Individuals and their responsibilities in the C&A process are identified.

18 18 Phase-1 Tasks n n Task 1-4: Prepare the Environment and Threat Description. - Task Objective. The objective of this task is to define the system environment and potential threats to the system. - Task Description. The environment and threat description task describes the operating environment, system development environment, and potential system threats. 1.4.1 Operating Environment: - The physical, personnel, communications, emanations, hardware, software, and procedural security features that will be necessary to support site operations are described. - Operating environment security involves the measures designed to prevent unauthorized personnel from gaining physical access to equipment, facilities, material and documents and to safeguard the assets against espionage, sabotage, damage, and theft.

19 19 Phase-1 Tasks n Operating Environment task describes: - - Facility - Physical security - Administrative security - Personnel - COMSEC - TEMPEST - Maintenance - Training

20 20 Phase-1 tasks n 1.4.2 n 1.4.2 System Development, Integration, and Maintenance Environment: - The system development approach and the environment within which the system will be developed are described. The system development approach is an information security strategy that incorporates security into each phase of a system's life cycle. n n 1.4.3 Threat Description and Risk Assessment: potential threats and single points of failure that can affect - confidentiality - availability - Integrity of the system are defined.

21 21 Phase-1 Tasks n n Task 1-5: Determine the System Security Requirements - Task Objective: The objective of this task is to identify the system security requirements. - Task Description. The system security requirements task defines the National, DoD and data security requirements, governing security requisites, network connection rules, and configuration management requirements.

22 22 Phase-1 Tasks - 1.5.1 Applicable Instructions or Directives: Determine the security instructions or directives applicable to the system. - 1.5.2 Governing Security Requisite: Determine requirements stipulated by local agencies and the DAA. Contact the DAA and user representative to determine if they have any additional security requirements. - 1.5.3 Data Security Requirements: Determine the type of data processed by the system. - 1.5.4 Security Concept of Operations: Security CONOPS including system input, system processing, final outputs, security controls and interactions and connections with external systems are described.

23 23 Phase-1 Tasks - 1.5.5 Network Connection Rules: Identify any additional requirements incurred if the system is to be connected to any other network or system. - 1.5.6 Configuration Management: Additional requirements based on the Configuration Management Plan are determined. - 1.5.7 Reaccreditation Requirements: Unique organizational requirements related to the reaccredidation or reaffirmation of the approval to operate the system are determined. - 1.5.8 Requirements Traceability Matrix (RTM) : The directives and security requisites used to determine the system security requirements are analyzed.

24 24 Task 6: Prepare the System Architecture Description n Objective: To prepare a high level overview of the types of hardware, software, and firmware and associated interfaces n Description: The system architecture task defines the system hardware, software, firmware, and interfaces

25 25 Task 6 Description n System Hardware: Target hardware and its function n System Software: OS, DBMS, and software applications n System Firmware: Firmware stored permanently in a hardware device n System Interfaces: The system's external interfaces, purpose and the relationship between the interface and the system n Data Flows: The system's internal interfaces and data flows including the types of data and the general methods for data transmission

26 26 Task 7: Identify the C&A Organizations and the Resources Required n Objective: To identify the organizations and individuals involved in the C&A process. n Description: Identify the appropriate authorities, resource, and training requirements and determines the certification team's roles and responsibilities

27 27 Task 7 Description n Organizations: Identify the organizations, individuals, and titles of the key authorities in the C&A process. n Resources: Identify the resources required to conduct the C&A. Identify the roles of the certification team and their responsibilities n Resources and Training Requirements: –Describe the training requirements, –types of training, –who is responsible for preparing and conducting the training n Other Supporting Organizations: Identify supporting groups to the C&A process.

28 28 Task 8: Tailor the DITSCAP and Prepare the DITSCAP Plan n Objective: To tailor the DITSCAP to the system and prepare the DITSCAP plan. n Determines the appropriate certification level n Adjusts the DITSCAP activities to the program strategy and system life cycle. n Tailors the security activities to system development activities, ensures that the security activities are relevant to the process and provide the required degree of analysis.

29 29 Task 9: Draft the SSAA n Objective: Complete and assemble the SSAA document. n Description: –Completes the SSAA document. –Assemble into the formal SSAA document. –Submit the draft SSAA to the DAA, Certifier. –The draft SSAA establishes a reference for discussions during negotiation

30 30 Task 10: Conduct Certification Requirements Review n Objective: To conduct a CRR. n Description: –Provides an opportunity for the DAA, Certifier, to discuss the system functionality, security requirements, and planned C&A scheduled. –The CRR results in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements

31 31 Task 11: Establish Agreement on Level of Effort and Schedule n Objective: To agree on the C&A level of effort and schedule. n Description: This task ensures that the DAA, Certifier, program manager, and user representative agree to the level of effort and schedule for the C&A activities

32 32 Task 12: Approve Phase 1 SSAA n Objective: To obtain the DAA's approval on the Phase 1 SSAA. n Description: DAA makes a decision on approving the system functionality, operating environment, development environment, potential threats, security requirements, system architecture, organization and resource requirements, tailoring factors, certification level, and DITSCAP plan

33 33 PHASE 1 ROLES AND RESPONSIBILITIES

34 34 DAA Responsibilities n DAA Responsibilities n Define accreditation requirements. n Obtain a threat assessment for the system. n Assign a Certifier to conduct vulnerability and risk assessments. n Support the DITSCAP tailoring and level of effort determination. n Approve the SSAA

35 35 Certifier and Certification Team Responsibilities n Support the DAA as the technical expert in the certification process. n Begin vulnerability and risk assessments. n Review threat definition. n Identify the security requirements. n Tailor the DITSCAP, determine the appropriate certification level, and prepare the DITSCAP Plan. n Provide level of effort and resource requirements. n Develop the SSAA. n Provide oversight for the CRR.

36 36 ISSO Responsibilities n Assist the DAA, Certifier, and certification team in the certification effort n Review the business case or mission statement to determine that it accurately describes the system n Review the environment description to verify that it accurately describes the system

37 37 User Representative Responsibilities n Support the DITSCAP tailoring and level of effort determination n Provide a business case or mission statement n Validate or define system performance, availability, and functionality requirements n Provide data sensitivity, end user functionality, and user organization information n Verify the ability to comply with the SSAA during operations

38 38 Acquisition or Maintenance Organization Responsibilities n Program Manager Responsibilities – –Initiate the dialogue with the DAA, Certifier, and user representative. – –Define the system schedule and budget. – –Support the DITSCAP tailoring and determine the certification level. – –Define the system architecture. – –Integrate system security requirements into the system. – –Prepare Life-Cycle Management Plans. – –Define the security architecture.

39 39 Developer, Integrator or Maintainer Responsibilities n n Provide technical equipment environment requirements. n n Provide target hardware and software architecture. n n Provide information regarding the system development organization. n n Determine the feasibility of technical solutions and security requirements.

40 40 Configuration Management Responsibilities n The configuration management staff support the program manager in the development and maintenance of system and system documentation

41 41 System Administration Responsibilities n There are no system administration responsibilities in Phase 1.

42 42Questions

Download ppt "Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.

METRICS AND CONTROLS FOR DEFENSE IN DEPTH AN INFORMATION TECHNOLOGY SECURITY ASSESSMENT INITIATIVE.
Software Quality Assurance Plan

Software Quality Assurance Plan
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
1 Samples The following slides are provided as samples and references for the Quarterly Reviews Additional slides will be added.

1 Samples The following slides are provided as samples and references for the Quarterly Reviews Additional slides will be added.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.

Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
7.2 System Development Life Cycle (SDLC)

7.2 System Development Life Cycle (SDLC)
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Similar presentations

Ads by Google