C&A CS-7493-01 Unit 2: C&A Process Overview using DITSCAP. Jocelyne Farah, Clinton Campbell.


2 C&A Process Overview
- DII
- C&A Principal Purpose
- Definitions and Scope
- C&A Prerequisites
- C&A Process Tailoring
- Certification Levels
- C&A Overall Process
- SSAA
- C&A Phases Overview

3 Defense Information Infrastructure (DII)
"The DII encompasses information transfer and processing resources, including information and data storage, manipulation, retrieval, and display. More specifically, the DII is the shared or interconnected system of computers, communications, data, applications, security, people, training, and other support structure, serving the Department of Defense's local and worldwide information needs."

4 C&A Principal Purpose
- Protect and secure the entities comprising the DII with a proper balance between
  - the benefits to the operational missions
  - the risks to those same missions
  - the life-cycle costs

5 Certification Definition
Certification: "Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements."

6 Certification Scope
Certification is a security analysis in the following areas (DII components):
- Physical
- Personnel
- Administrative
- Information
- Information Systems
- Communications

7 Accreditation Definition
Accreditation: "Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk*."
*Acceptable risk must consider the balance between
- the benefits derived from the use of the system
- the risks posed to both the system and community users
- the costs required to alleviate the risks

8 C&A Prerequisites
- System Description
- ITSEC Classification
- Reuse

9 System Description (Slide from Previous Lesson)
System Description Outline
1. Mission of the system.
2. Functions this system will perform.
3. Interfaces with other systems.
4. Interactions across system interfaces.
5. Expected users of this system.
6. Information categories to be processed.
7. Time frame for developing and implementing the system.
8. Components of the system that will be automated versus manual.
9. Budget limitations that may affect the system.
10. Other system constraints or assumptions that will impact the system.
Notes:
1. The System Description defines the boundaries of the system relative to the systems it may interact with.
2. It shall be sufficiently clear and comprehensive to provide an unambiguous definition of when the system may be certified and accredited.
3. If information or understanding about the system is insufficient for that system description to be written, the DITSCAP is not ready to begin.

10 ITSEC Classification (Slide from Previous Lesson)
Characteristic: Alternatives
- Interfacing Mode: Benign, Passive, or Active
- Processing Mode: Dedicated Level, Compartmented Level, System High, or Multi-level
- Attribution Mode: None, Rudimentary, Basic, or Comprehensive
- Mission-Reliance Factor: None, Cursory, Partial, or Total
- Accessibility Factor: Reasonable, Soon, ASAP, or Immediate
- Accuracy Factor: Not-applicable, Approximate, or Exact
- Information Categories: Unclassified, Sensitive (Privacy Act, Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented/Special Access Classified
(The original slide table also had Operation, Data, Infrastructure and System columns whose cell values are not present in the transcript.)

11 Initial Step (Slide from Previous Lesson)
- Analyze existing systems to determine classes
  - Accredited systems become "models"
  - Applicable ITSEC requirements, high-level architectures and approved solutions are stored in a common repository
- Requirements definition process collects ITSEC requirements into a common database
=> Reuse

12 C&A Process Life-Cycle/Tailoring
- Applies to all systems requiring C&A throughout their life cycle
- Is designed to be adaptable to any type of IS and any computing environment and mission
- May be adapted to include existing system certifications, evaluated products, new security technology or programs, and adjusted to the applicable standards
- May be mapped to any system life-cycle process
- Is designed to adjust to the development, modification, and operational life-cycle phases
=> General & Flexible

13 Certification Levels 1/2
- Analyze system with respect to:
  - Business functions
  - Security Requirements
  - Criticality
  - Infrastructure
  - Users
- Consider appropriate level of CIA & Accountability
- Certifier recommends one of four levels
  - Level 1 – Basic Security Review
  - Level 2 – Minimum Analysis
  - Level 3 – Detailed Analysis
  - Level 4 – Comprehensive Analysis

14 Certification Levels 2/2
- Level 1 – Basic Security Review
  - Completion of the minimum security checklist
  - System user or an independent Certifier may complete the checklist
- Level 2 – Minimum Analysis
  - Completion of the minimum security checklist
  - Independent certification analysis
- Level 3 – Detailed Analysis
  - Completion of the minimum security checklist
  - A more in-depth, independent analysis
- Level 4 – Comprehensive (Extensive) Analysis
  - Completion of the minimum security checklist
  - The most extensive independent analysis

15 C&A Overall Process
- Phase 1: Definition
- Phase 2: Verification
- Phase 3: Validation
- Phase 4: Post Accreditation**
Notes:
- The activities defined in these four phases are mandatory
- Implementation details of these activities may be tailored
** Follow-up actions to ensure that the approved IS or system component continues to operate in its computing environment according to its accreditation

16 C&A Process Key: An Agreement
- Players
  - DAA
  - Certifier
  - Program Manager
  - User Representative
- Areas / Issues
  - Critical schedule
  - Budget
  - Security
  - Functionality
  - Performance issues

17 C&A Process Documentation
- DITSCAP uses a single document approach
- All the information relevant to the C&A is collected into one document, the Systems Security Authorization Agreement (SSAA)
- The SSAA is designed to fulfill the requirements for a security plan and to meet all the needs for C&A support documentation
- The SSAA is an evolving, yet binding, agreement on the level of security required before the system development begins or changes to a system are made
- After accreditation, the SSAA becomes the baseline security configuration document

18 SSAA Definition
Systems Security Authorization Agreement (SSAA): "The SSAA is a formal agreement among the DAA(s), Certifier, user representative, and program manager. The SSAA is used throughout the entire DITSCAP process to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security."

19 SSAA Characteristics 1/2
1. Describes the operating environment and threat
2. Describes the system security architecture
3. Establishes the C&A boundary of the system to be accredited
4. Documents the formal agreement among the DAA(s), Certifier, user representative, and program manager
5. Documents all requirements necessary for accreditation

20 SSAA Characteristics 2/2
6. Documents all security criteria for use throughout the IS life cycle.
7. Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, etc.).
8. Documents the DITSCAP plan.
9. Documents test plans and procedures, certification results, and residual risk.
10. Forms the baseline security configuration document.

21 SSAA Outline 1/8
1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
2.0. ENVIRONMENT DESCRIPTION
3.0. SYSTEM ARCHITECTURAL DESCRIPTION
4.0. SYSTEM SECURITY REQUIREMENTS
5.0. ORGANIZATIONS AND RESOURCES
6.0. DITSCAP PLAN
Appendices: System C&A artifacts. Optional appendices may be added to meet specific needs.

22 SSAA Outline 2/8
1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
1.1. System Name and Identification
1.2. System Description
1.3. Functional Description
  - System Capabilities
  - System Criticality
  - Classification and Sensitivity of Data Processed
  - System User Description and Clearance Levels
  - Life Cycle of the System
1.4. System CONOPS Summary

23 SSAA Outline 3/8
2.0. ENVIRONMENT DESCRIPTION
2.1. Operating Environment
  - Facility Description
  - Physical Security
  - Administrative Issues
  - Personnel
  - COMSEC
  - TEMPEST
  - Maintenance Procedures
  - Training Plans
2.2. Software Development and Maintenance Environment
2.3. Threat Description

24 SSAA Outline 4/8
3.0. SYSTEM ARCHITECTURAL DESCRIPTION
3.1. System Architecture Description
3.2. System Interfaces and External Connections
3.3. Data Flow
3.4. Accreditation Boundary

25 SSAA Outline 5/8
4.0. SYSTEM SECURITY REQUIREMENTS
4.1. National and DoD Security Requirements
4.2. Governing Security Requisites
4.3. Data Security Requirements
4.4. Security CONOPS
4.5. Network Connection Rules
4.6. Configuration Management Requirements
4.7. Reaccreditation Requirements

26 SSAA Outline 6/8
5.0. ORGANIZATIONS AND RESOURCES
5.1. Organizations
5.2. Resources
5.3. Training
5.4. Other Supporting Organizations

27 SSAA Outline 7/8
6.0. DITSCAP PLAN
6.1. Tailoring Factors
  - Programmatic Considerations
  - Security Environment
  - IS Characteristics
  - Reuse of Previously Approved Solutions
6.2. Tasks and Milestones
6.3. Schedule Summary
6.4. Level of Effort
6.5. Roles and Responsibilities

28 SSAA Outline 8/8
Appendix A: Acronyms
Appendix B: Definitions
Appendix C: References
Appendix D: System Concept of Operations
Appendix E: Information System Security Policy
Appendix F: Security Requirements and/or Requirements Traceability Matrix
Appendix G: Certification Test and Evaluation Plan and Procedures (Type only)
Appendix H: Security Test and Evaluation Plan and Procedures
Appendix I: Applicable System Development Artifacts or System Documentation
Appendix J: System Rules of Behavior
Appendix K: Incident Response Plan
Appendix L: Contingency Plans
Appendix M: Personnel Controls and Technical Security Controls
Appendix N: Memorandums of Agreement – System Interconnect Agreements
Appendix O: Security Education, Training, and Awareness Plan
Appendix P: Test and Evaluation Report(s)
Appendix Q: Residual Risk Assessment Results
Appendix R: Certification and Accreditation Statement

29 SSAA Tailoring
- Authority
  - DAA
  - Certifier
  - User representative
  - Program manager
- Reason: to meet the characteristics of the
  - IS
  - Operational requirements
  - Security policy
  - Prudent risk management

30 SSAA Flexibility
- The SSAA format is flexible enough to permit adjustment throughout the system's life cycle as conditions warrant
- The SSAA is updated to accommodate new components
  - New requirements may emerge from design necessities
  - Existing requirements may need to be modified
  - The DAA's overall view of acceptable risk may change

31 SSAA Generation Tool
- Assists the user with the task of preparing a System Security Authorization Agreement (SSAA) document.
- Permits the user to develop an SSAA over time by saving changes and working on the document one section at a time.
- For Windows 95/98/NT/2000
  - "JAVA-based word processing" tool creates a basic SSAA, excluding the appendices.
  - It includes some examples/sample statements and clarifications to help generate a meaningful SSAA.
  - The output document is created in Rich Text Format (RTF).
  - This format is read by word processing applications such as MS Word, WordPerfect, etc.
  - Zipped file size: 8,956 KB

32 Phase 1: Definition Overview
- Key players agree on the intended system mission, security requirements, C&A boundary, schedule, level of effort, and required resources
- Agreement is documented in the SSAA
(Flowchart: Document Mission Need → Preparation → Registration → Negotiation → Agreement? (No/Yes) → SSAA)

33 Phase 2: Verification Overview
- Verify the system's compliance with SSAA requirements
- Goal is to obtain an integrated system for certification testing and accreditation
(Flowchart: System Development → Certification Analysis → Pass? (No/Yes) → SSAA → Ready for Certification? (No/Yes); links back to Phase 1 Definition and forward to Phase 3 Validation)

34 Phase 3: Validation Overview
- System on hand (fully integrated system in its specific operating environment and configuration)
- Validates system compliance with SSAA requirements
- Goal is to obtain full approval to operate the system (accreditation)
(Flowchart: Certification Evaluation of Integrated System → Certify System? (No/Yes) → Develop Recommendation → Accreditation Granted? (No/Yes) → SSAA; links forward to Phase 4 Post Accreditation and back to Phase 1 Definition)

35 Phase 4: Post Accreditation Overview
- Starts after site accreditation
- Objective is to maintain an acceptable level of residual risk
- DITSCAP responsibilities shift to site/O&M organizations
- Ends with system termination
(Flowchart: System Operation → Compliance Validation → Validation Req'd? (No/Yes) → Change Required? (No/Yes) → SSAA; link back to Phase 1 Definition)

36 Questions