Certification and Accreditation CS-7493-01 Unit 1: Background LTC Tim O’Hara Ms Jocelyne Farah Mr Clinton Campbell.
Presentation transcript:

Certification and Accreditation CS Unit 1: Background LTC Tim O’Hara Ms Jocelyne Farah Mr Clinton Campbell

2 DoD
- Strategic: Resource the Fight (Policies / Plans / $; NCA)
- Operational: Plan the Fight (Central Command)
- Tactical: Fight the Fight (3rd Infantry Division)

3 DoD
F(Pr) = (Mi + Mo + Pe)
(Levels shown on the slide: Tactical, Strategic, Operational)

4 DoD IT Certification
Previous:
- Not a big issue
- Tactical vs. non-tactical
- IT systems proprietary
Current:
- In everything...
- $$$$$$$
(Levels shown on the slide: Tactical, Strategic, Operational)

5 Background
Why do we have a DITSCAP and who cares?
- Protect against IT threats
- Ensure management is aware of vulnerabilities and weaknesses
- Ensure implementation of sound risk management principles
- Manage IT TCO
- Good business practices
Commanders have a legal and ethical responsibility to ensure IT resources are protected.
Mandated requirements come from Public Law, National Policies and DOD Regulations.

6 Threats & Vulnerabilities
- Natural/environmental threats
  - Controlled
  - Uncontrolled
- Human threats
  - Unintentional
  - Malicious
- Direction of threat
  - Internal
  - External
- Vulnerabilities and weaknesses
  - Not the same; they call for different responses
- Vulnerability points
  - Data or information, software
  - Hardware, people
- Determine
  - Ease of exploitation, potential rewards
  - Probability of occurrence
  - Related threat
  - Residual risk

7 Computer Security Act of 1987
- Public Law , Title 101, Statute 1724
  - Improve security/privacy of sensitive information in federal systems
  - Federal agencies to establish standards & guidelines
  - Requires that any federal computer system that processes sensitive information have a customized security plan (SSAA)
  - Requires that users of those systems undergo security training
- NIST responsible, NSA to advise:
  - assessing the vulnerability of federal computer systems,
  - developing standards,
  - providing technical assistance with NSA support, and
  - developing training guidelines for federal personnel

8 Computer Fraud & Abuse Act
- Public Law : prohibits unauthorized or fraudulent access to government computer systems.
  - Maximum fine of up to $5,000 or double the value of anything obtained via the unauthorized access, plus up to 5 years imprisonment.
- Included in Title 18, U.S. Code.
  - Unauthorized Access to Govt. System (1030); Possession of Illegal Access Devices (1029)
- A crime is committed when the system is entered:
  - Accessing a Federal Interest Computer (FIC) to acquire national defense information, to obtain financial information, to deny the use of the computer, or to effect a fraud
  - Damaging or denying use of an FIC through transmission of code, program, information or command
  - Furthering a fraud by trafficking in passwords

9 Copyright Act
- Software Copyright Protection Bill, Title 18 US Code, 2319
  - Amended in Title 17 US Code, 504C & 506A (Copyright Act)
  - 10 or more illegal copies or more than $2,500: felony!
  - Criminal penalty of five years or $250,000
  - Civil penalty of $100,000 per infringed work
- Software Publishers Association (SPA)
  - Supported by the US Marshals Service
  - Responds to any report of illegal software

10 National Security Policy & Directives
- NSDD 145: Must protect classified information, but also sensitive unclassified information.
- NTISSP 6: Federal agencies must have a C&A program for national security systems.
- NTISSP 20: Federal systems must meet C2 level standards of trust.
- NSTISSP 11: IA must be considered on national security information systems; must use evaluated products.
- NSTISSP 600: Must have invitation and consent for penetration testing, involving the "owner of system" and legal counsel.
- NSTISSI 4012: National training standards for DAAs.
- NSTISSI 1000: Federal C&A process.

11 DoD Policy, Directives & Instructions
- DoD Directive , Security Requirements for Automated Information Systems, March 21, 1989 (to be updated under the DoD 8500 series)
- DoD CIO Policy , Global Information Grid – Network Operations, Aug 24, 2000
- DoD CIO Policy , DoD Global Information Grid Networks, Aug 24, 2000
- DoD R, Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) & Major Automated Information System (MAIS) Acquisition Programs, Jan
- DoD Instruction , DoD Information Technology Security C&A Process (DITSCAP), Dec 30, 1997 (supplemented by DoD M, Applications Manual, Jul 2000)

12 What is a "system"?
- Information System (a.k.a. Automated Information System, Information Technology System)
  - "Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware."

13 Designated Approving Authority
- An executive with the authority and ability to evaluate the mission, business case, and budgetary needs for the system in view of the security risks.
- Must have the authority to oversee the budget and business operations of systems under his/her purview.
- The official with the authority to determine and formally assume responsibility for operating a system or network at an acceptable level of risk.
- Has the authority to permit or deny operation or use based on unacceptable security risk. Accountable to senior leadership and the public through federal law and regulation.

14 Program Manager & Certification Authority
- Program Manager
  - Represents the interests of the system throughout its life cycle management (acquisition or maintenance, life cycle schedules, funding responsibility, system operation, system performance, and maintenance). The organization that the program manager represents is determined by the phase in the life cycle of the system.
- Certification Authority (Certifier) and certification team
  - Provides the technical expertise to conduct the certification throughout the system's life cycle based on the security requirements documented in the SSAA. The certifier determines the level of residual risk and makes an accreditation recommendation to the DAA.

15 User Representative
- The operational interests of system users are vested in the User Representative.
  - Concerned with system availability, access, integrity, functionality, and performance, in addition to confidentiality, as they relate to the mission environment.

16 Certification & Accreditation
- Certification
  - The comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.
- Accreditation
  - A formal declaration by the DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards to an acceptable level of risk.

17 DITSCAP Benefits
- Establishes a standard C&A process and documentation
- Process is applicable regardless of life cycle phase
- Process applies to any type of acquisition strategy or development
- Describes generic process activities and tasks for the DAA, PM, CA and User

Questions