Presentation on theme: "Information Assurance (IA) What Every Manager Should Know"— Presentation transcript:
1 Information Assurance (IA) What Every Manager Should Know
SecureIT conference
Lesson primarily focuses on the DITSCAP process (Defense Information Technology Certification & Accreditation Process)
5 March 2008
Presented by the IA Technical Authority, Mike Davis
“EASY” button
Statement A: Approved for public release; distribution is unlimited (10 JANUARY 2008)
2 What’s Wrong With This Picture?
What level of security is provided here?
I couldn’t get through the gate because it was completely locked. It was properly installed and configured. I could not get through it. But....
3 Summary (Preview)
“Gotchas”
  “Assuming” you don’t need IA (standalone, have a firewall, etc.)
  Not adding in IA cost, schedule and performance
Major resources
KEY Success elements
  Build IA in up front (requirements, ISSE, SEP, ISP, IAS, TEMP, etc.)
  Start C&A early (C&A plan, CRR)
  Risk Management, Risk Management, Risk Management
  CAC cards needed
  You will be, or already are, penetrated – are you prepared?
4 What is Information Assurance (IA)?
“Measures that Protect and Defend Information and Information Systems by Ensuring Their Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. This Includes Providing for Restoration of Information Systems by Incorporating Protection, Detection, and Reaction Capabilities.”
Confidentiality: Assurance that Information is Not Disclosed to Unauthorized Entities or Processes
Integrity: Quality of Information System Reflecting Logical Correctness and Reliability of Operating System
Availability: Timely, Reliable Access to Data and Information Services for Authorized Users
Authentication: Security Measure Designed to Establish Validity of Transmission, Message, or Originator
Non-Repudiation: Assurance Sender of Data is Provided with Proof of Delivery and Recipient with Proof of Sender’s Identity
(Diagram labels: INFOSEC; Information Assurance)
Definition / Exploit / Vulnerability / Counter (Example):
Confidentiality: Keep information secret / Compromise of classified information / Transmission of classified information in the clear / Encryption (Ex: Physical Encryption, Code, Cipher, Steganography)
Integrity: No unauthorized modification to information / Undetected modification of information / Insertion of malicious code that modifies track information (Ex: Watermark, Wax Seal, Hashing/Digital Signature, Physical)
Availability: Information and systems are up when needed / Cannot access information when needed / DOS network attacks / Network defense capabilities (IDS/FWs) (Ex: Covert Channel, TRANSEC LPI/LPD, CND)
Authentication: 3 factors identify people / processes / systems / Unauthorized access to system (Ex: Something you know / have / are)
Identification: Access control / Weak passwords / Enabling biometric log on / Strong password
Non-Repudiation: Guarantee sender / receiver
DATA is your most critical asset – is it adequately protected?
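The integrity and non-repudiation counters the notes list (hashing, digital signature) prove different things, and the following Go program is an added illustration, not part of the presentation: a plain hash detects modification, an HMAC under a shared key also authenticates the message to the key holders but lets either holder re-tag an altered copy, and an Ed25519 signature can only be produced by the private-key holder, which is what gives non-repudiation. The track report, the shared key and the key pairs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HashOf returns the SHA-256 digest that travels with the message. Integrity
// only: whoever alters the message can recompute the digest as well, unless the
// digest is delivered over a separate, protected path.
func HashOf(msg []byte) [32]byte { return sha256.Sum256(msg) }

// VerifyHash reports whether msg still matches the digest it was sent with.
func VerifyHash(msg []byte, digest [32]byte) bool {
	got := sha256.Sum256(msg)
	return hmac.Equal(got[:], digest[:])
}

// Tag computes an HMAC-SHA256 over msg with a key shared by sender and receiver:
// integrity plus authentication, but only to the parties holding the key.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag checks an HMAC in constant time. Because the receiver holds the
// same key, a third party cannot tell which key holder produced a valid tag.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Sign produces a detached Ed25519 signature; only the private-key holder can.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifySignature checks sig over msg under the sender's public key, which can
// be handed to anyone, so a valid signature is attributable to the key holder.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Result records what each mechanism can and cannot establish in the scenario.
type Result struct {
	HashDetectsTamper         bool // altered message fails the hash check
	TagDetectsTamper          bool // altered message fails the HMAC check
	ReceiverCanRetagAltered   bool // receiver mints a valid tag for the altered copy
	SignatureVerifies         bool // genuine message verifies under sender's key
	ReceiverCanForgeSignature bool // receiver's own key pair signs for the sender
}

// Demo runs the integrity/non-repudiation scenario over a constructed track
// report that is altered in transit (bearing 270 changed to 090).
func Demo() (Result, error) {
	original := []byte("TRACK 0042 BRG 270 RNG 12NM") // constructed sample message
	altered := []byte("TRACK 0042 BRG 090 RNG 12NM")  // the in-transit modification
	sharedKey := []byte("constructed-shared-key-for-demo")

	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// The receiver has its own key pair but not the sender's private key.
	_, receiverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	digest := HashOf(original)
	tag := Tag(sharedKey, original)
	sig := Sign(senderPriv, original)

	return Result{
		HashDetectsTamper:         !VerifyHash(altered, digest),
		TagDetectsTamper:          !VerifyTag(sharedKey, altered, tag),
		ReceiverCanRetagAltered:   VerifyTag(sharedKey, altered, Tag(sharedKey, altered)),
		SignatureVerifies:         VerifySignature(senderPub, original, sig),
		ReceiverCanForgeSignature: VerifySignature(senderPub, altered, Sign(receiverPriv, altered)),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // every field true except ReceiverCanForgeSignature
}
```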
5 IA is a Critical National Issue
Presidential Decision Directive 63 (May 1998)
“… a national effort to ensure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure.”
Many companies are part of CIP in some manner – are you ready?
6 The Threat is Real, Pervasive, and Increasing
Why is IA so Important?
WE all operate in a highly interactive environment: Global Networks; Interconnected Applications and Services; Powerful Computing Devices
Components routinely interact with Other Services, Governments, Allied/Coalition Partners, Agencies, Commercial Partners
Incident trend increasing - NCDOC reported 1,540 confirmed incidents between Jun06 - Jun07
CND activities: Cyber Asset Reduction and Security (CARS) – response to recent DoD-wide incidents; Effective training (8570.1M)
SECRET section to cover the data from Dan and Dave: NMCI, NCDOC
Just as we rely on information to provide quality of life for everyday activities, such as paying bills over the phone and internet, using electronic devices to open and secure your car, and accessing databases for banking account information, the Navy operates in a highly interactive environment regarding global networks, interconnected applications and services. The Navy also routinely interacts with the other services, government agencies, ally/coalition partners, commercial partners and universities.
The threats are real, with a wide range of capabilities, from non-professionals to state-sponsored hackers, whether unintentional or malicious, and the threat is never static, based upon rapidly changing technology.
“COMPLEXITY OF TODAY’S SYSTEMS AND NETWORKS PRESENTS SIGNIFICANT SECURITY CHALLENGES FOR BOTH PRODUCERS AND CONSUMERS OF INFORMATION TECHNOLOGY.”
“THE WARFIGHTER MUST BE ABLE TO TRUST THE NETWORKS AND DATA.”
In the next few slides I will be providing examples of headline news regarding Information Assurance/Information System threats.
7 UNCLASSIFIED
Secure Enough?
As previously presented concerning an adversary’s innovation, let’s revisit our scenario regarding providing access control to the Executive Parking Lot….
When an organization does not put much thought into its security system, adversaries can easily get around what was thought to be a foolproof system. Not only should we provide a security gate, but we should have some means of checking/ensuring access control via a security guard. Provide/establish a security perimeter. Provide defense in depth just in case the perimeter is breached. And lastly, obtain situational awareness of your surroundings to enhance the possibility of being proactive versus reactive.
There is NO single IA “Silver Bullet”
Appearances of security can be deceiving, have hidden effects
8 UNCLASSIFIED
Defense-in-Depth
There is NO single IA “Silver Bullet”
But at what level - which methods, capabilities MUST we have?
9 IA is an Enabler for all IT/IS
We Count on Information Superiority to Improve Combat Effectiveness
Full Spectrum Dominance; Network Centric Warfare
IA Enables Information Superiority in a Network-Centric Paradigm
Global Secure, Interoperable Network; State-of-the-Art Protection for Information Infrastructure
Information Assurance: Trusted Applications, Secure Networks, Dynamic Operations, Trained Workforce
Naval Transformation: Power Projection, Precision Engagement, Focused Logistics, Assured Access
Network Centric Warfare: Info Sharing, Virtual Collaboration, Streamlined Planning, Better Awareness
Information Superiority: Decision Superiority, Knowledge Management, Uninterrupted Info Flow, Integrated C4ISR
Warfighters must trust the network and the information provided if they are to use it. If the network is not trusted we will not achieve information dominance. Designing and integrating IA capabilities into our applications and network infrastructure will result in a secure NETCENTRIC environment.
Lack of IA can:
  Destroy confidence in the information provided to decision makers
  Cast doubt on the integrity of core systems
  Foster doubt and confusion leading to non-net centric methods
  Increase time needed for decision cycles and kill chain cycles
IA must protect, but not encumber the user
10 Who’s Against Us ?
Malicious Outsider Attacks
Espionage & Sabotage
Insider Attacks
Hardware/Software Distribution Attacks
Disasters & Accidents
Passive Intercept Attacks
EVERYONE – Especially criminals “for their profit / your loss”
11 Threat Vectors (review – note MOST are operational, not technical *)
Source
  Intentional: Insider, Outsider
  Unintentional: Poorly trained administrator, Accidents, Lazy or untrained employee
  Natural: Fires, Floods, Power failures
Where do the threat agents come from?
  Natural – Forces of nature, e.g. Hurricanes in – CH, Wildfire in – SD
  Unintentional
  Intentional
    Outsider: DOS attacks, Become insiders, Foreign intelligence agents, Terrorists, Criminals, Corporate raiders, Crackers
    Insider: Fired employee, Disgruntled employee, Subverted employee, Service providers, Contractors
* Lack of adequate “CM” (including useable, reportable audits) is “THE” main IA control most often not met
12 Some Sources of Threat (we have met the enemy, and they are us…;-((
Threats Resulting from Crime or Loss: Unintentional 55%, Intentional 25%, Natural and Physical 20%
Source: Computer Security Institute
Example: IAVA 2006-A-0012 – MS Office vulnerability. Impact: Someone can use it to create new accounts with the rights of the logged-in user
Your Risk Management Plan should address ALL this
13 Attack Sophistication is on the Rise
Increased speed and automation
Increased sophistication
Attacks are increasingly asymmetric
Increased threats from Infrastructure attacks
Automation; speed of attack tools
The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing.
A. Scanning for potential victims. Widespread scanning has been common since [year]. Today, scanning tools are using more advanced scanning patterns to maximize impact and speed.
B. Compromising vulnerable systems. Previously, vulnerabilities were exploited after a widespread scan was complete. Now, attack tools exploit vulnerabilities as a part of the scanning activity, which increases the speed of propagation.
C. Propagate the attack. Before 2000, attack tools required a person to initiate additional attack cycles. Today, attack tools can self-initiate new attack cycles. We have seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours.
D. Coordinated management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools distributed across many Internet systems. Today, distributed attack tools are capable of launching denial of service attacks more efficiently, scanning for potential victims and compromising vulnerable systems. Coordination functions now take advantage of readily available, public communications protocols such as Internet Relay Chat (IRC) and instant messaging (IM).
Increasing sophistication of attack tools
Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behavior, and modularity of the tools.
A. Anti-forensics. Attackers use techniques that obfuscate the nature of attack tools. This makes it more difficult and time consuming for security experts to analyze new attack tools and to understand new and rapidly developing threats. Analysis often includes laboratory testing and reverse engineering.
B. Dynamic behavior. Early attack tools performed attack steps in single defined sequences. Today’s automated attack tools can vary their patterns and behaviors based on random selection, predefined decision paths, or through direct intruder management.
C. Modularity of attack tools. Unlike early attack tools that implemented one type of attack, tools now can be changed quickly by upgrading or replacing portions of the tool. This causes rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance. In addition, attack tools are more commonly being developed to execute on multiple operating system platforms.
As an example of the difficulties posed by sophisticated attack tools, many common tools use protocols like IRC or HTTP (HyperText Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic.
Increasingly asymmetric threat
Security on the Internet is, by its very nature, highly interdependent. Each Internet system’s exposure to attack depends on the state of security of the rest of the systems attached to the global Internet. Because of the advances in attack technology, a single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow.
Increasing threat from infrastructure attacks
Infrastructure attacks are attacks that broadly affect key components of the Internet. They are of increasing concern because of the number of organizations and users on the Internet and their increasing dependency on the Internet to carry out day-to-day business. Four types of infrastructure attacks are briefly described below.
Attack 1 – Distributed denial of service
Attack 2 – Worms
Attack 3 – Attacks on the Internet Domain Name System (DNS)
Attack 4 – Attacks against or using routers
Asymmetrical cyber warfare – we fix many holes, they find one
14 Statutes
Clinger-Cohen Act (CCA), 1996 – Requires an Information Assurance strategy consistent with the Department’s Global Information Grid
Government Information Security Reform Act (GISRA), 2000 – Requires federal agencies to assess the security of their non-classified information systems and to provide risk assessment and report the security needs of all systems
Federal Information Security Management Act (FISMA), 2002 – Requires each agency to develop, document, and implement an agency-wide information security program; IT Security policy recently incorporated into FAR
OMB Circular A-130, 2000 – Establishes a minimum set of controls to be included in Federal automated information security programs
FISMA: The Federal Acquisition Regulations (FAR) recently (Sept ) incorporated the IT security provisions of the Federal Information Security Management Act (FISMA) in order to focus "much-needed attention on the importance of system and data security by contracting officials and other members of the acquisition team.” There is an increased need to focus on the role of contractors in security as more and more federal agencies outsource various information technology functions. The rule requires contracting officers to seek advice from information security specialists when buying IT goods and services. It also mandates that buyers adhere to Federal Information Processing Standards and agency-specific security requirements when making technology purchases. In addition, the rule establishes a formal definition of the term information security.
There are mandates, laws, acts, regulations we MUST follow
15 Directives and Instructions
DoDD Information Assurance (IA), Oct 02 – Overarching DoD IA requirement; 24 Oct 02 establishes IA policy and defines responsibilities.
DoDI IA Implementation, Feb 03 – Implementation procedures. Provides a set of baseline IA controls that must be applied.
DoDI IA in the Defense Acquisition System, July 04 – Integration of IA into Defense Acquisition Systems.
DoDD The Defense Acquisition System, May 03
DoDI Operation of the Defense Acquisition System, May 03
DoDI DoD Information Assurance Certification and Accreditation Process (DIACAP) – Certification and Accreditation Policy document.
DoDI DITSCAP, Dec 97
Applicable to systems processing TS GENSER and below information; not applicable to systems processing SCI, to which a separate set of directives (e.g. DCID 6/3) applies; POC at ONI.
Note: SCI has additional directives that take precedence.
Other references in backup – DIACAP is now the one!
16 Serious Recognition of CyberCrime
Federal Criminal Code Related to Computer Crime
  18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
  18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
  18 U.S.C. § 362. Communication Lines, Stations, or Systems
  18 U.S.C. § 2511. Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
  18 U.S.C. § 2701. Unlawful Access to Stored Communications
  18 U.S.C. § 2702. Disclosure of Contents
  18 U.S.C. § 2703. Requirements for Governmental Access
Other related crimes
  Copyright Offenses: 17 U.S.C. 506, 18 U.S.C. 2319, 18 U.S.C. 2318
  Copyright Management Offenses: 17 U.S.C. 1201, 17 U.S.C. 1202, 17 U.S.C. 1203, 17 U.S.C. 1204, 17 U.S.C. 1205
  Bootlegging Offenses: 18 U.S.C. 2319A
  Trademark Offenses: 18 U.S.C. 2320
  Trade Secret Offenses: 18 U.S.C. 1831, 18 U.S.C. 1832, 18 U.S.C. 1833, 18 U.S.C. 1834, 18 U.S.C. 1835, 18 U.S.C. 1836, 18 U.S.C. 1837, 18 U.S.C. 1838, 18 U.S.C. 1839
  Offenses Relating to the Integrity of IP Systems: 17 U.S.C. 506(c-d), 17 U.S.C. 506(e), 18 U.S.C. 497, 35 U.S.C. 292
  Offenses Relating to the Misuse of Dissemination Systems: 18 U.S.C. 1341, 18 U.S.C. 1343, 18 U.S.C. 2512, 47 U.S.C. 553, 47 U.S.C. 605
LOTS of laws, many more crimes!
17 IA covers more than Networks
Land-mobile radio cryptographic and key management systems (high and medium assurance)
SONAR buoy and other disposable sensor clandestine communications
Aircraft wireless intercom systems
Software cryptography (medium & basic) assurance
Software anti-tamper systems
RF identification devices (RFID) security
OPSEC/COMSEC monitoring systems (i.e., monitoring software)
Spectrum management inclusion of TRANSEC
Emanations security (TEMPEST and other vulnerability assessments)
VoIP integration with E-911 services
Security markings standards & software
Open Source software security (freeware and shareware)
Secure CHAT (XMPP) systems
Complex needs, complex systems, complex security
WE need an enterprise “protections” risk management approach
18 GIG IA Protection Strategy Evolution
Today – Static “Perimeter” Protection Model:
  1. Common level of Information Protection provided by System High Environment
  2. Common User Trust Level (Clearances) across sys-high environment
  3. Privilege gained by access to environment and rudimentary roles
  4. Information “authority” determines required level of protection (QoP) for the most sensitive information in the sys-high environment – high water mark determines IT/IA/“Comms” Standards for all information
  5. Manual Review to Release Information Classified at Less than Sys-high; Manual Analysis and Procedures determine allowed interconnects
Future – Transactional “Enterprise IA” Protection Model:
  1. Required level of Information Protection “Specified” for each Transaction
  2. User Trust Level sufficient across Transaction/COI – varies for enterprise
  3. Privilege assigned to user/device based on operational role and can be changed
  4. Information “authority” determines required level of end-to-end protection (QoP) required to access information – translates to a set of IT/IA/“Comms” Standards that must be met for the Transaction to occur
  5. Automated mechanisms allow information to be Shared (“Released”) when users/devices have proper privilege and Transaction can meet QoP requirements
We will be loosely connected, sharing information – and protected?
19 Local US Navy IA/Security entity
PEO C4I provides most IA/Security for the fleet
Program Management Warfare (PMW) 160 is the Navy IA Acquisition agent
PMW 160
  160.1: Afloat Networks – ISNS/PCSCN Implementation, SCI Networks, SubLAN, CENTRIXS, PPL / SSILCMPO
  160.2: CRYPTO & Key Management – Crypto Products, EKMS and KMI, KG-3X APM, KG-40AR & MLCSPKI, Secure Voice
  160.3: Messaging – DMS, DEBS / NREMS, Legacy Systems, Tactical Messaging / NAVMACS***
  160.4: Network Security – CND, CDS JCDX, Radiant Mercury, CDS Boundary
  160.5: Future Enterprise Networking – CANES, ADNS and VIXS, CANES Core Services, COMPOSE, Network Management: PLM Tool / EMIO, Interior Communications
Buying IA/Security products is “easy” – “CM” is really, really hard
20 Information Communities
While the Federal government has many levels of data classification needs and access control, so do you (public, admin, proprietary, business confidential, B2B, etc)
Special Capabilities Network (SpecCap Net): Weapons Picture/control (SAP)
  Reliable & Assured Info Exchange
Intelligence Oriented Network (JWICS-like): INTEL Picture/TACTICAL INTEL Awareness, Order of Battle/Warfare Profile, Collaboration tools, Coalition Nets
TOP SECRET Exchange Area: All GENSER TS collaboration/messaging
  Careful Info Exchange
Tactical Classified Network (SIPRNET-like): Common Sensor Picture, Tactical Awareness/Exchange, Warfare Profile/Collaboration tools, Coalition Nets
Classified Network (SIPRNET-like): voice (PSTN - STE/STU gateway), audio/video/data streaming, data (as available), Collaboration tools, Coalition Nets
Unclassified Network (NIPRNET-like): voice (PSTN connection), audio/video/data streaming, data (as available), Collaboration tools, Coalition Nets
  Careful Info Exchange
SBU – community of interest isolation
What types and levels of data, hence security, do you NEED?
21 Systems Security Engineering Implementations
Computer Security (COMPUSEC) - Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated.
Communications Security (COMSEC) – Measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes:
  cryptosecurity,
  transmission security (TRANSEC),
  emission security (EMSEC or TEMPEST), and
  physical security of COMSEC material.
Electronic Security (ELSEC) - Protection resulting from measures designed to deny unauthorized individuals information derived from the interception and analysis of non-communications electromagnetic radiations.
22 IA Across the Stack
Layer* – IA discipline, as laid out on the slide:
  Application – COMPUSEC
  Presentation / Session – Computer Network Defense
  Transport – COMSEC
  Network – Operations Security
  Data Link – Electronic Warfare
  Physical – ELSEC & EMSEC
Also shown: Information Operations; Information Assurance
Sensors: SIGSEC/COMSEC Monitoring, Event Detect/Correlation; Event Response
* ISO/IEC Open Systems Interconnection Reference Model
23 IA 10 Distinct Activities
IA1 - Defend the Network & Infrastructure
IA2 - Defend the Enclave Boundary
IA3 - Defend the Computing Environment
IA4 - Supporting Infrastructures
IA5 - System Security Methodology
IA6 - Security Management
IA7 - Defensive Information Operations
IA8 - Training and Awareness
IA9 - Management and Operations
IA10 - Tactical Environment
25 Network Defense Products/Services
Crypto: High Assurance Type-1, Modular Crypto System, Embedded Crypto, Unclassified Crypto (FIPS 140-2), Virtual Private Network
High Assurance Guards: Cross Domain Systems, Radiant Mercury
Secure Voice: Telephone and Tactical, STU, STE, Secure Voice Gateways, Voice Over IP (VoIP)
Wireless LAN
Networks
26 Defend the Enclave Boundary
Diagram: DOD Global Information Grid; Navy Marine Corps Intranet; USN User Enclaves; Ship/Shore Enclave
Intrusion detection at each tier: DISA Intrusion Detection; N/MCI Intrusion Detection; Fleet Enclave Intrusion Detection
External connections: Group 1 DoD Defense Info Network; Group 2 Internet / NIPRNET; Group 3 Router Block Filter; Group N..
Firewalls at each tier: DISA Firewall; N/MCI Firewall; Ship/Shore Gateway Firewall; LAN Local Firewalls
Information Assurance Boundaries Extend Throughout the Enterprise – “Defense In Depth”
27 Computer Network Defense (CND) Shore and Afloat Infrastructure
Diagram: DISN; Trusted Navy Networks; Computer Network Defense in Depth; External Attacks; Malevolent Insider
Fleet NOC: Premise Router; Outer Security Screening Router; Network Intrusion Detection Sensor (Force Level Only); Host-Based Intrusion Protection Sensors; DNS; Load Leveler; VPN; Information Assurance Security Tools (SCCVI/SCRI); FW; NIDS/IPS; NIFVSCAN; Load Leveler; HIPS (HBSS); Inner Security Screening Router; Host; Packet Shaper; NIDS; IASM; Fleet Router
Ship Router
Extending the Security Boundaries Beyond the NOC
Comprehensive IA Suite at all Fleet NOCs
Defense in depth strategy at the afloat unit level
Protection, detection, reaction capabilities end-to-end
28 Electronic Key Management System (EKMS): Architecture Overview
EKMS provides: Automated ordering, generation, distribution, and destruction of electronic KEY MATerial (KEYMAT); accounting for cryptographic items; and reduced risk of mishandling or compromising KEYMAT
FY04
  Completed 99% of Tier 2 Account Transition to Phase 4 EKMS
  Designated by CNO As the POC for All Tier 2 User Application Software to Assure Compatibility With CUAS and LCMS
  Completed Evaluation of SDS and SKL First EDMs and Software and Provided Test Reports
  Developed EKMS Manager’s Guide
  Developed COI for Phase 4 EKMS Manager Course
  Completed CT3 Operator Manual and DMD Manual
  Completed Draft COI for the CT3 and DMD Course for FY05 Training Start
  Completed the CT3 Version 3.2 Development for the DTD That Is Required to Interface With SDS and SKL Software
  Completed a Pilot of KEYMAN! With Five Accounts
  Completed Demonstration of NKM at IASWS and PACOM Conferences
  NSA Became a Partner on NKM Including Providing Development Funds
  Reviewed the KMI ORD and KMI CI-2 Tech Package
FY05
  Start Implementation of EKMS Phase 5, New Fill Devices, CUAS and DMD, New LMDs, New Version of SCO (5.07), LCMS Version 5.X, New Architecture, Net Key Management, IP Based Tier 0-2
29 HIDS: Host Based Intrusion Detection
Operational Strategy
  Provide the ISSM IDS Afloat
  RealSecure Host Based Intrusion Detection System (HIDS) on All ISNS Servers
  Address the Insider Threat
Implementation Strategy
  COTS With Central Management Hierarchical and Auditing
  Installed on All ISNS Servers and High Value Workstations
  Detects Attempted Attacks on the Targeted Platform
Accomplishments and Efforts
  IT-21 Interoperability Test and Evaluation Completed
  Request for Addition to the Preferred Products List Underway
31 Common Intrusion Detection Framework – Common Operating Picture
Defensive Information Operations (IO): IO = CNE + CNA + EW + OPSEC
Diagram elements: GCCS, IA COP, Intell, Components, CINCS, CYBERWATCH, ARFOR, NAVFOR, AFFOR, MARFOR, DISA-GOSC, EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM, INTELLINK, WATCHCON, NMCC, NSIRC, MIDDII, INFOCON, Red Team
Common Intrusion Detection Framework – Info Assurance Common Operating Picture
32 Certification and Accreditation (C&A) Terminology
Certification: “Comprehensive evaluation of the technical and non-technical security features of an Automated Information System (AIS) and other safeguards, made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.” ** DoDI , DoD Information Technology Security Certification and Accreditation Process (DITSCAP) 12/30/97
Accreditation: “Formal declaration by a Designated Approving Authority (DAA) that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.” ** CNSS No. 4009, National Information Systems Security (INFOSEC) Glossary
These terms often get interchanged and are not well understood.
Certification: How well does a system meet its security requirements? Lab testing/operational testing/risk assessment
Accreditation: Formal acceptance of the risk of operating the system. Balances operational need with risk assessment.
33 USN Compliance Roadmap
Security of Federal Automated Information Resources – Appendix III, OMB Circular A-130, Management of Federal Information Resources
Information Assurance – DODD Oct 24, 2002
Protecting Sensitive Compartmented Information Within Information Systems – DCID 6/3 June 5, 1999
Information Assurance Implementation – DODI Feb 6, 2003
Department of the Navy Information Systems Security (INFOSEC) – SECNAVINST A Dec 20, 2004
Navy Information Assurance (IA) Program – OPNAVINST B Nov 9, 1999
Path is well established, yet programs have a hard time following, complying
34 DITSCAP / DIACAP Roles and Responsibilities
Designated Approving Authority (DAA) – Formally assumes responsibility for operating a system at an acceptable level of risk (often said they have 51% of the vote)
Program Manager (PM) (or System Manager – SM) – Responsible for the overall procurement, development, integration, modification, or operation and maintenance of the IT system
Senior IA Official (SIAO) – Establish and enforce C&A process, act as or delegate CA oversight
Certification Authority (CA) – Responsible for making a technical judgment of the system’s compliance with stated requirements, assessing the system’s security risk, and coordinating certification activities
DoD IS User Representative (UR) – Represents the user community in defining operational requirements
IA Managers (IAMs) – Support PM/SM, provide C&A status, direction to IAOs
DoDD , para. E.3.3.1
The key to the DITSCAP is the agreement between the IT system program manager(4), the DAA, the CA, and the user representative.
35 DIACAP Process
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a dynamic, information assurance (IA) certification and accreditation (C&A) process that supports and complements the net-centric, Global Information Grid (GIG)-based environment.
The DIACAP establishes a standard process for:
  Identifying, implementing, and validating standardized IA Controls
  Authorizing the operation of DoD information systems
  Managing an IA posture across the DoD information system life cycle
The core activities of the DIACAP are consistent with DoDD , DoDI , DoDI , the acquisition life cycle requirements of DoDD and DoDI , FISMA security requirements, Appendix III of OMB A-130, industry best practices, and lessons learned.
(DoDI supersedes the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) (defined in DoDI and DoD M).)
36 DIACAP Process
“C&A” - Now more automated, IA controls based, but still a pain…
37 DoDD
IA requirements shall be included in all information system acquisitions or upgrades
IA shall be “a visible element of all investment portfolios” including competitively-sourced IS
All DoD IS shall be assigned an appropriate Mission Assurance Category
Community risk shall be assessed and measures taken to mitigate that risk prior to interconnecting systems
All DoD IS shall be certified and accredited IAW
All IA or IA-enabled IT must be validated in compliance with NSTISSP 11
Systems enabling coalition operations shall be approved by the responsible Combatant Commander and DAAs
DoD /2 vs Orange Book (mid 80’s):
  Network Centric Systems focused vs Trusted computing base
  Operation in open environment vs Focus on technical controls in system design
  Defense in depth and breadth focus (layering of solutions and understanding interdependencies)
  COTS vs GOTS
One of the government's major IA / C&A directives
38 NSTISSP 11 – IA Products / IA Enabled Products
Mandates the use of Common Criteria evaluated products in national security systems for IA or IA-Enabled products/systems
IA Products: Firewall, Virtual Private Network (VPN), Intrusion Detection Systems (IDS), Anti-Virus
IA Enabled Products: Operating Systems (e.g., NT, XP, Linux), Database Management systems, Network Management systems, Web Browsers (e.g., Netscape or IE)
National Security Telecommunications Information Systems Security Policy
Common Criteria represent an international agreement. Basically, if a product is there, use it.
FIPS: Crypto modules for COI separation
Common Criteria: COTS software/appliance solutions
NSA: IA Encryption devices
Another major technical reference to understand
39 QDR Identified IA Gaps
Trusting the Edge: Distributed Trust Model – nodes and users; High assurance platforms
Security Management Infrastructure: Automated and adaptable dynamic policy applications; Risk adaptive access control
Secure mobility for future GIG warfighter networks: Wireless security architectures; Authenticated User/Devices
Assured Information Sharing: Cross Domain Solutions
Situational Awareness and Response/Enterprise Health: Node-based situational assessment; Automated network reconfiguration, recovery, and reconstitution
What our senior leadership thinks is lacking (circa 2006)
40 Acquisition perspective on IA issues
Lack of overall IA Compliance
Minimal C&A effectiveness (can’t inspect in security)
IA / CND Products need modernization / evolution
IA designed in better – SETR process
Need an Enterprise Risk Management approach
Lack of an IA Master Plan / Strategy
Poor IA/Security Configuration Management
Need more enterprise IA/Security Solutions
IA training at all levels… lacking PEO / PMW IAM guidance
Install process cumbersome, non-user-friendly
Sound familiar? You have them; are resolutions in work?
41 IA/Security Axioms to consider / accommodate / educate
Security and complexity are often inversely proportional.
Security and usability are often inversely proportional.
Good security now is better than perfect security never.
A false sense of security is worse than a true sense of insecurity.
Your security is only as strong as your weakest link.
It is best to concentrate on known, probable threats.
Security is an investment, not an expense.
42 IA / Security “Best Practices”
Best practices are not a panacea, complete, or what YOU need to do
Do you even know your business protection needs? Do you have a current asset inventory?
Determine what is “good enough” or “minimally acceptable”
Quantify your environment’s threats and vulnerabilities
  your list should have 10 – 50 or so threats assessed
Have a security policy that’s useful, complete, VIP endorsed
  yes, that’s HAVE A POLICY, choose a model, then enforce it too!
Run self-assessment on security measures (use accepted tests, STIGs, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
Training and awareness programs – needed, but not a black hole
TEST your continuity, recovery plans, backup – can you restore?
Encrypt where you can (do you need it for: IM, Chat, , file transfer, online meetings, storage, backup, etc)
Be familiar with the “NIST” IA/Security series – they are great!
Always use capabilities off the preferred products lists (PPLs)
A risk management plan should roll all these into one effort
You can somewhat control what you plan, but get what you enforce…
43 Overall IA/Security Approach
ALL IA/security environments should include the below top-ten elements to ensure a well-integrated, effective, and “best value” data protection approach.
1 - Comprehensive security policy - must have, and strictly enforce, a rule set and execution process that accommodates dynamic priorities, compliance, auditing, leadership changes and enforcement methods, while detailing policy at the required levels with specific ownership.
2 - Distribute clear governance - technical, administrative and operational “chains of command” must be delineated, including rules of engagement and communication paths between them and all stakeholders.
3 - Build in defense-in-depth - maintain multiple protection fronts - operations center, gateway, network access control (NAC), desktop, storage centers, remote access, etc.
4 - Develop, maintain and follow a strategy and master plan - use an enterprise architecture to capture and track all requirements and capabilities.
5 - Strict configuration management - automated tracking and reporting to enable enforcement. You must have inventory management knowledge that covers all elements: hardware, software and “settings” - a mis-configured system causes a false sense of security.
6 - Develop an effective tool suite - stress automation where possible, and KISS, for SLAs, testing, metrics, etc.
IA/Security is more leadership and strategic direction than technical!
44 Overall IA/Security Approach
7 - Guard against major hacker entry points - stealing passwords, trojan horses, software defaults, man-in-the-middle attacks, numerous wireless vulnerabilities, social engineering (general awareness and PII info), using vulnerability research against you (zero day, etc), phased attacks (slow, multi-level, methodical, engineered), lack of user education/awareness and apathy, un-enforced time-outs and failed access tries, and multiple insider threats (gain access as an employee), etc…
8 - Actively guard malware entry points / methods:
a - Monitor all web traffic - assess trends - on forums, file-sharing, blogs, corporate drives, portals, etc
b - Use content filters - assess / scan ALL file types - zip, word, etc - including uploaded files and instant messenger (and don’t trust file extensions, as “txt” can be renamed to “exe”) - prevent downloading executables, shareware, etc…
c - Block rogue URLs/inappropriate web sites dynamically and use URL filtering on both inbound and outbound traffic
9 - Test critical elements - continuity and recovery plans, training programs, compliance levels, key vulnerabilities, etc…
10 - Develop and periodically update an enterprise “protections” risk assessment. Always understand your current threats, vulnerabilities and impacts to business and warfighter effectiveness… Establish what is “good enough” or minimally acceptable… minimize what you don’t know you don’t know…
IA/Security is more leadership and strategic direction than technical!
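Item 8b above says a content filter must not trust the file extension. The following is an added example (not from the briefing, and not any vendor's filter) of how such a check is built: the file type is decided from the leading bytes of the content, anything that is executable is blocked whatever its name, and a declared extension that disagrees with the detected content is also blocked. The signature table, the extension allow-list and the sample uploads are all constructed for the demonstration and are not exhaustive.

```python
"""Content-filter check for uploaded files that does not trust the extension.

Added example (not from the briefing): file type is decided from the leading
bytes (magic numbers), and executables are blocked regardless of name. The
signature table and allow-list below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Leading-byte signatures -> detected content type (constructed, not exhaustive).
MAGIC = [
    (b"MZ", "exe"),                                  # Windows PE (DOS stub)
    (b"\x7fELF", "elf"),                             # Linux/Unix ELF binary
    (b"PK\x03\x04", "zip"),                          # zip, also docx/xlsx/jar
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls containers
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXECUTABLE_TYPES = {"exe", "elf"}

# Which detected types an extension on the allow-list may legitimately carry.
ALLOWED_FOR_EXT = {
    "txt": {"text"}, "pdf": {"pdf"}, "png": {"png"}, "zip": {"zip"},
    "docx": {"zip"}, "doc": {"ole"},
}


def sniff(data):
    """Return the content type implied by the leading bytes, not by the name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    # Plain-text heuristic: no NUL bytes and valid UTF-8.
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


@dataclass
class Verdict:
    filename: str
    declared: str   # extension taken from the name
    detected: str   # type taken from the bytes
    action: str     # "allow" or "block"
    reason: str


def evaluate(filename, data):
    """Decide whether one file may pass the filter; the bytes are checked first."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff(data)
    if detected in EXECUTABLE_TYPES:
        # An executable renamed to "txt" ends here: the MZ/ELF header gives it away.
        return Verdict(filename, declared, detected, "block", "executable content")
    allowed = ALLOWED_FOR_EXT.get(declared)
    if allowed is None:
        return Verdict(filename, declared, detected, "block", "extension not on allow-list")
    if detected not in allowed:
        return Verdict(filename, declared, detected, "block",
                       f"content type {detected} does not match .{declared}")
    return Verdict(filename, declared, detected, "allow", "content matches extension")


def scan(files):
    """Evaluate a mapping of filename -> bytes and return the names that were blocked."""
    return [v.filename for v in (evaluate(n, d) for n, d in files.items()) if v.action == "block"]


# Constructed sample uploads: headers only, nothing here is a real program.
SAMPLE_FILES = {
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,   # renamed executable
    "readme.txt": b"Quarterly status: all green.\n",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 8,
    "photo.png": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,      # ELF wearing .png
    "memo.pdf": b"PK\x03\x04" + b"\x00" * 8,                     # zip wearing .pdf
    "update.scr": b"%PDF-1.4\n",                                 # extension not allowed
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(evaluate(name, data))
```

The order of the checks is the point: content is classified before the name is consulted, so a renamed binary is caught even when its extension is on the allow-list, and an allow-listed extension still has to agree with what the bytes say. A production filter would carry a far longer signature table and would also open container formats (zip, OLE) to inspect what is inside.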
45 Online Services - INFOSEC Web Site
Anti-Virus
IA Publications and Policies
NCDOC
“Ask The Expert” IA Bulletin Board
Advisories
Customer Service
INFOSEC Chat
IAVM
Training
Help with INFOSEC Products & Services (i.e., VPN, FORTEZZA, Firewalls, Intrusion Detection, Secure Voice, EKMS, TEMPEST)
Fleet Internet Security Handbook
47 IA/security resources
This site has almost everything you need
Main sites
other IA/Security sites
other IA/Security sites (cont)
Great ISSE / SSE Site
Great Sites too
PPL sites in backup
48 Summary (Review)
“Gotchas”
“Assuming” you don’t need IA (Standalone, have a firewall, etc…)
Not adding in IA cost, schedule and performance
Major resources
KEY Success elements
Build IA in up front (Requirements, ISSE, TEMP, etc)
Start C&A early (C&A plan, CRR)
Risk Management, Risk Management, Risk Management
CAC cards needed, BUT much is on the CD ROM provided
“EASY” button
50 Why Should You Care About IA?
In a net-centric world, a risk taken by one is a risk shared by all
Migration from stove-piped systems has enhanced the concept of the “weakest link” in security.
Physical controls and link encryption are no longer sufficient.
Without adequate IA/Security, our organizations will fail
51 Program Protection Overview (one perspective (Anti-Tamper))
PPP, CPI, Threat, Vuln., Risk
OPSEC, SCG, INFOSEC, PERSEC, PHYSEC, COMSEC, INFO ASSURANCE, SECED, SSE/AT, FOREIGN DISCLOSURE, PUBLIC AFFAIRS, TA/CP
Building Blocks
Program Protection Planning: The overarching security process for an acquisition program
Critical Program Information: What to protect, “program unique”
Threat, Vulnerability & Risk Analysis
Countermeasures
Documents: SCG; OPSEC Plans (as needed); Policy (DoD, AF, NISPOM); Local Operating Instructions, Security Manuals, etc.
However you parse it, “IA” threads/interfaces are pervasive
52 Preferred Product Lists (PPL)
Generally programs should strive to use PPL devices / processes in building their systems. Other than the type-1 COMSEC devices, which require individual certification letters held by the companies, the list below is probably the 90% solution without getting industry groups such as ICSA labs.
NIST FIPS 140 certifications:
NIST algorithm certifications:
NIAP/Common Criteria:
DISA IASE:
NSA IAD:
NOTE - A PPL list can range from algorithms to specific equipment configurations. For example, one radio might have FIPS approval when ordered using model number 123 and an NSA type-1 certification when ordered using model number Same is true for a router, IPS, Yet even if a device has a CC EAL-4 certification, you still need to ensure that the protection profile used and the security target meet your specific application.
53 Information “Protections” Overview (or why “IA” is so complex / hard…)
CNO: Defend, Attack, Exploit
CIO, FISMA, Operations, IAMs, CND, CMI/KMI, PKI/CAC, ID Mgmt, CA Support, C&A, Policy, Training, IA Services
P = Hard IA Product; p = Soft IA Product
Multiple players; Multiple PEs/Lines; Multiple threats; Multiple PMW/S/As
Typical Acquisition part; Enterprise Risk Mgmt.; Requirements
IA includes much more than the ISSP.
Hard IA Products are the high-grade IA products that are expensive and require a long time to develop.
Hard IA products are the “must-have” products of the ISSP and should have priority.
Soft IA products are the commercial-grade IA products that are often COTS.
Soft IA products can be (and often are) bought with non-ISSP funds.
Without enough ISSP funding, Navy should fund the “must-have” Hard IA Products at the expense of Soft IA products and CA Support that can be funded by other Program Elements.
IA/Security Strategy AND Governance critical to success
54 USN IA Issues/Challenges
Rapidly evolving Navy threats/vulnerabilities to critical assets
Crypto Modernization
Data exfiltration
Web based threats
Technology evolution challenges fielding efforts
Provide IA engineering to translate ForceNet capabilities into Computer Network Defense solutions
Installation processes - SHIPMAIN/FRCB
Integration and coordination between Programs
Remediation of system assets to meet standard baseline builds
Integration of IAVA/BSSAA / C&A coordination
Verification of site security compliance
Certification & Accreditation (CA) of systems
Training (at all levels, especially maintenance)
You too will have these challenges at some level
55 Navy Specific IA Policy Guidance
SECNAVINST , DON Info. Sys. Security Program and SECNAV Manual M-5239
Basic Policy/Guidelines for Security of National Security Systems
OPNAVINST B, Navy IA Program
Establish Policies and Procedures for Proper Management and Protection of Information and Information Systems
Navy IA Publications Series 5239
Introduction to Information Systems Security
Terms, Abbreviations, and Acronyms
Information Systems Security Manager
Information Systems Security Officers
Network Security Officers
Assessed Products List
Introduction to C&A
56 DITSCAP to DIACAP
The recent release of DOD interim guidance for the Defense Information Assurance Certification and Accreditation Program (DIACAP - DoDI ) supersedes:
DoDI : DITSCAP Instruction
DoDI M: DOD DITSCAP Application Manual
However, Service specific guidance has not been released.
Currently signed DITSCAP Phase I, II, or III > remains in DITSCAP
Navy programs remain in DITSCAP until DON CIO submits their guidance
Joint Programs are transitioning based on guidance from the lead Service
Navy specific guidance/transition point not finalized; yet everyone in DOD must develop DIACAP transition plans
More can be found on the IDSA Web Site at
Navy specific guidance and updates at under the documentation tab
57 DoD IA Controls Subject Areas
Technical and Non-Technical
Security Design & Configuration
Identification & Authentication
Enclave & Computing Environment
Enclave Boundary Defense
Physical & Environmental
Personnel
Continuity
Vulnerability & Incident Management
Mobile Code/CCB/Testing/Ports & Protocols/Documentation
The DoD IA controls are organized into eight subject areas. The subject areas reflect a defense-in-depth approach, and are drawn from the Information Assurance Technical Framework and supporting IA infrastructures, system life cycle concepts, OMB A-130, and the DoD definition for information assurance.
- Security Design and Configuration (31) - Controls directed towards ensuring security during the system’s development cycle: Documentation/Policy Compliance/Configuration Management/Mobile Code Use/CCB/Testing/Design/Ports and Protocols.
- Identification and Authentication (9) – Password implementation/Key management.
- Enclave and Computing Environment (48) – Audit trails/Host based IDS/Access controls/Data integrity controls/Encryption/Virus protection.
- Enclave Boundary Defenses (8) – Firewalls/Network IDS/Remote access/VPNs.
- Physical and Environmental (27) – Emergency lighting/Fire protection/Physical access *screen locks.
- Personnel (7) – Rules of behavior/Training/Clearances *Need to know restrictions.
- Continuity (24) – Disaster recovery procedures/Alternate sites/Spares.
- Vulnerability and Incident Management (3) – Reporting incidents and conducting vulnerability assessments.
58 Mission Assurance Categories / Confidentiality Levels
Mission Assurance Categories
MAC I – vital to operational readiness or mission effectiveness of deployed or contingency forces. Loss of integrity or availability unacceptable. Requires most stringent protective measures.
MAC II – important to the support of deployed or contingency forces. Loss of integrity unacceptable, unavailability tolerable only for short time. Requires additional safeguards beyond best practices.
MAC III – necessary to conduct of day-to-day business. Protection commensurate with commercial best practices.
Confidentiality Levels
LEVEL | DEFINITION
High | Classified Information
Medium | Sensitive Information, Not Cleared for Public Release
Basic | Information Cleared for Public Release
Information assurance requirements have traditionally been identified through a process of answering four questions: (1) What is the operational value of the information? (2) What is the threat? (3) What statutory and policy requirements must the system satisfy? and (4) What operational, environmental, or technical factors may impact IA solutions?
DoD Directive , Information Assurance, establishes how DoD will describe the operational value of information in terms of confidentiality, availability and integrity. It establishes three mission assurance categories that set availability and integrity levels, and three confidentiality levels relative to information classification, sensitivity and need-to-know.
As early as possible in its life cycle, each DoD information system is assigned a MAC and confidentiality level.
MAC levels determine how robust your system needs to be (i.e., Availability & Integrity). For example, NMCI is MAC II.
This is a cost concern. MAC is most expensive.
MAC II and high level = 110 Controls
59 Statutory & Regulatory Compliance
Federal Information Security Management Act (FISMA)
Privacy Act
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Government Paperwork Elimination Act (GPEA)
Information Technology Management Reform Act (Clinger-Cohen)
Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
E-Government Act
Computer Security Act
National Information Infrastructure Protection Act
Electronic Signature in Global and National Commerce Act
Financial Modernization Act of 1999 (Gramm-Leach-Bliley)
National Institute of Standards and Technology Act (as applies to IA certifications and broad agency standards)
Presidential Directive 24, "Telecommunications Protection Policy"
National Security Directive 145, ...
Executive Orders 12958, 12333, ...
Federal Criminal Codes Related to Computer Crime
Federal information protection and ownership statutes
DOD 85xx series Information Assurance directives
DODD C , Communications Security (COMSEC)
CJCSI C - Information Assurance and Computer Network Defense
SECNAVINST A, Department of the Navy Information Assurance (IA) Policy
OPNAVINST B, Navy Information Assurance (IA) Program
SSEE
13,564 STE/FNBDT units fielded to date
STE, OMNI: Afloat 4,048; Shore: 240; Shore 5,884
SECTERA Wireless (GSM), SECTERA Wireline: Afloat: 59; Shore: 2,110; Shore: 1,233
Afloat completed to date: 136 Ships (63%), 23 Submarines (33%)
Fielded 13,564 STE/FNBDT Devices (to Date)
Provided Over 500 Technical Assists
Provided a FNBDT Capable Conference Bridge to Support Operation Iraqi Freedom, Conference Bridge Still in Operation
Managed STU-III Screening/Repair Facility to Maintain Fleet Readiness
Developed Naval Advanced Secure Voice Architecture
Developed Variable Data Rate (VDR) Algorithm With Range of 2.4kbps (MELP Compatible Base Rate) up to 32kbps
Successfully Completed JUICE 04 Exercise
Complete Replacement of Mission Critical Shore and Afloat STU-IIIs With STE/FNBDT Terminals, Perform Shipboard FNBDT IWF TEMPALT to Provide FNBDT Capability to Underway Platforms, Enhance Strategic/Tactical Interoperability
Install Tactical Shore Gateways (TSG) FY05-FY07
Initiate Next Generation Tactical Secure Voice/Data Device Requirements Study
60 PEO ACT Documents
Program Protection Plan (PPP)
PPP is only required for programs that have Critical Program Information (CPI).
Established to identify and protect classified and other sensitive information from foreign intelligence collection or unauthorized disclosure.
Clinger-Cohen Act (CCA)
CCA applies to programs containing Mission Critical (MC) or Mission Essential (ME) IT systems including NSS
For additional information go to
System Security Authorization Agreement (SSAA)
61 IA Roadmap Correlation to DoD 5000 Lifecycle
Establish an IA organization
Identify IA requirements
Develop an acquisition IA strategy
Secure resources for IA
Initiate DITSCAP
Incorporate IA solutions
Test and evaluate IA solutions (IATOs/ATO)
Accredit the system
Maintain the system’s security posture throughout its life-cycle
If you don’t start the IA Engineering and C&A process early in the development cycle, you are adding risk to schedule and cost for the program.
Note: An IATO may be required to support demonstrations, test events, and/or initial fielding
62 IA Roadmap Steps
Establish an IA organization
Identify IA requirements
Develop an acquisition IA strategy
Secure resources for IA
Initiate DITSCAP
Incorporate IA solutions
Test and evaluate IA solutions
Accredit the system
Maintain the system’s security posture throughout its life-cycle
63 Navy DITSCAP Relationships
DAA, NETWARCOM, CA, SPAWAR 05, Cert. Agents, PM, User Rep., Resource Sponsor (Default for PORs), Resourced by PM
Approval Flow: Request from the PM to the DAA via the CA; Certification Authority to the DAA; DAA to NETWARCOM
DoDD , para. E.3.3.1: The DAA, the CA, and the user representative resolve critical schedule, budget, security, functionality, and performance issues. This agreement is documented in the SSAA that is used to guide and document the results of the C&A. The objective is to use the SSAA to establish a binding agreement on the level of security required before the system development begins or changes to a system are made.
The System Security Authorization Agreement (SSAA) contains a formal and binding agreement between the IT system program managers, the DAA, the CA, and the user representative that establishes the level of security required before the system development begins or changes to a system are made. The SSAA is used to guide and document the results of the certification and accreditation (C&A) and the implementation of IT security requirements. The SSAA resolves several issues, including the:
critical schedule for the C&A - the schedule for the planning and certification actions.
budget - the SSAA identifies all costs relevant to the C&A process. The program manager adds a C&A funding line item to the program budget to ensure the funds are available. Funding covers any travel or program contractor costs associated with certification, test development, testing and accreditation.
security requirements - based on the group or class into which the system falls.
functionality of the system - this means the operational and security functionality of the system.
performance issues.
64 SSAA
System Security Authorization Agreement (SSAA) Documents:
All requirements for accreditation
All security criteria
DITSCAP plan
System architecture
C&A level of effort
Agreement among Government entities
Objectives of the SSAA
Document the formal agreement among the DAA(s), the CA, the user representative, and the program manager.
Document all requirements necessary for accreditation.
Document all security criteria for use throughout the IT system life-cycle.
Minimize documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations (CONOPS), plans, architecture description, etc.).
Document the DITSCAP plan.
The SSAA identifies:
the system mission - the requirements of the system and its intended capabilities.
the system architecture - the hardware and software design, security, and communications (the interfaces between this and other systems).
the security requirements of an AIS - it is used throughout the entire DITSCAP to guide actions, document decisions, specify Information Technology Security (ITSEC) requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security.
the level of effort - the level of effort necessary to achieve accreditation.
the principals of the agreement - the SSAA is an agreement among government entities. To be binding on the government's contractors, the provisions must be included in separate contractual documents between the government and any contractors.
See SSAA format in DoDD , encl. 6.
65 DoDIE
Information assurance shall be traced as a programmatic entity in the Planning, Programming, and Budgeting System (PPBS) and visibility extended into budget execution. Strategic IA goals and annual IA objectives shall be established according to the DoD Information Management Strategic Plan (reference (ai)), and funding and progress toward those objectives shall be tracked, reported, and validated.
IA must be an integral part of programmatic processes.
66 DoDI 8500.2 Enclosure 4 Attachments
DoD IA Controls
Combination No | MAC | Confidentiality | DoDI 8500.2 Enclosure 4 Attachments | IA Control Count
1 | MAC I | Classified | 1 and 4 | 110
2 | MAC I | Sensitive | 1 and 5 | 104
3 | MAC I | Public | 1 and 6 | 79
4 | MAC II | Classified | 2 and 4 |
5 | MAC II | Sensitive | 2 and 5 |
6 | MAC II | Public | 2 and 6 |
7 | MAC III | Classified | 3 and 4 | 107
8 | MAC III | Sensitive | 3 and 5 | 98
9 | MAC III | Public | 3 and 6 | 73
Together, the MAC and Confidentiality Level identify the baseline set of DoD IA Controls that apply to a DoD information system. The baseline set contains IA Controls from each of the eight subject areas.
Information found in
Control count – number of requirements the system must meet.
67 Common Criteria Version 2.1
International vs. U.S. standard
U.S., Canada, France, Germany, UK, Russia, et al
ISO Standard 15408, “Evaluation Criteria for Information Technology Security” (June 1999)
Benefits
Specification of security features and assurances based on an international standard
Provides common vocabulary for describing requirements and product features
Technical oversight provided by government experts
Reduced testing costs to sponsors of evaluations
15 Countries recognize: US, Canada, UK, Germany, France, Australia, NZ, Netherlands, Finland, Greece, Italy, Norway, Spain, Israel, Sweden, Austria. Being Considered by Japan, S. Korea, Russia
Common Criteria also replaces the National Computer Security Center’s Trusted Computer System Evaluation Criteria (TCSEC) or “Orange Book” as of December 31, (NSTISSAM COMPUSEC/1-99). This also affects one of the books in the National Computer Security Center’s “Purple Books” as well.
ISO: The source of ISO 9000 and more than International Standards for business, government and society. A network of national standards institutes from 140 countries working in partnership with international organizations, governments, industry, business and consumer representatives. A bridge between public and private sectors.
Validated products listed:
68 DoD IM/IT Policy Framework
Realigns all DoD IM/IT related issuances to the 8000 Series
8000 – Capstone IM/IT Policy & Procedures
8100 – Information Resources Management
8200 – Mission & Functional Processes
8300 – Information Infrastructure Design & Engineering
8400 – Information Technology
8500 – Information Assurance
69 IA Policy Framework
Realigns all IA related DoD issuances to the 8500 Series
General
Certification and Accreditation
Security Management (SMI, PKI, KMI, EKMS)
Computer Network Defense / Vulnerability Mgt
Interconnectivity / Multi-Level Security (SABI)
Network/Web (Access, Content, Privileges)
Assessments (Red Team, TEMPEST Testing & Monitoring)
Education, Training, Awareness
Other (Mobile Code, IA OT&E, IA in Acquisition)
70 Baseline IA Levels - The Process
Step 1: Determine the System Mission Assurance Category:
Category I:
Vital to Effectiveness/Readiness of Deployed Forces
Any Loss Unacceptable
Immediate/Sustained Loss of Mission Effectiveness
Most Stringent Protection Measures Required
Category II:
Important to Support Deployed Forces
Loss of Integrity Unacceptable; Loss of Availability Difficult to Manage
Loss/Degradation only tolerable for short term = May Seriously Impact Mission Effectiveness/Operational Readiness
Additional Safeguards Beyond Best Practices Required
Category III:
Needed for Day-to-Day business, Does Not Affect Support to Deployed or Contingency Forces in the short-term
Loss Tolerated or Overcome without Significant Impact on Mission Effectiveness or Operational Readiness
Protective Measures Commensurate with Commercial Best Practices
71 Baseline IA Levels - The Process
Step 2: Based on the Mission Category, Determine the Target Levels of Robustness for Integrity and Availability
Mission Category | Integrity Level | Availability Level
I | High | High
II | High | Medium
III | Basic | Basic
72 Baseline IA Levels - The Process
Step 3: Consult Enclosure 4 Appendix 1, 2 or 3 for Integrity and Availability Controls (Category I Examples Below)
IA Service: Integrity. Control Class: Security Architecture. Control Number: ARNR-1. Control Name: Non-repudiation.
Implementation of specific non-repudiation capabilities such as digital signatures exists if mission accomplishment requires non-repudiation. NIST FIPS validated cryptography (e.g. DoD PKI Class 3 or 4 token) is used for encryption, key exchange, digital signature, and hash (AES, 3DES, SKIPJACK, SHA 1, New standards as available, DSA, KEA).
IA Service: Availability. Control Class: Personnel Security. Control Number: PSRB-1. Control Name: Security Rules of Behavior or Acceptable Use Policy.
A set of rules that describe the IA operations of the enclave or DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. The rules include the consequences of inconsistent behavior or non-compliance. Signed acknowledgement of the rules is a condition of access.
73 Baseline IA Levels - The Process
Step 4: Determine the Target Level of Robustness for Confidentiality
Confidentiality Level | Classification, Sensitivity, and Need-to-Know
Basic | Public
Medium | Sensitive and Unclassified Not Cleared for Public Release
High | Classified
74 Baseline IA Levels - The Process
Step 5: Consult Enclosure 4, Appendix 4, 5, or 6 for Confidentiality Controls (Examples for Sensitive or Unclassified Information Not Cleared for Public Release Below)
IA Service: Confidentiality. Control Class: Audit. Control Number: AURR-2. Control Name: Audit Record Retention.
Audit records are retained for at least one (1) year.
IA Service: Confidentiality. Control Class: Enclave Boundary. Control Number: EBBD-2. Control Name: Boundary Defense.
Boundary defense mechanisms to include firewalls and network IDS are deployed at the enclave boundary to the WAN, and at layered or internal enclave boundaries as required. All Internet access is proxied through internet access points under the management and control of the enclave manager.
Control Number: EBPW-1. Control Name: Public WAN Connection.
Connections between DoD enclaves and public WANs require a DMZ.
75 IA Control Taxonomy
Each IA Control is Comprised of 4 Elements:
Control Class: Acquisition
Control Number: ACCS-2
Control Name: Configuration Specifications
Control Text: A Departmental reference document such as a Protection Profile or a Security Technical Implementation Guide (STIG) constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IT assets.
76 Control Classes
CLASS CODE | CLASS NAME
AC | ACQUISITION
AR | SECURITY ARCHITECTURE
AU | AUDIT
CC | CHANGE CONTROL
CE | COMPUTING ENVIRONMENT
CM | CONFIGURATION MANAGEMENT
CO | CONTINUITY OF OPERATIONS
CU | CRITICAL UTILITIES AND SUPPLIES
EB | ENCLAVE BOUNDARY
EF | ENVIRONMENTAL AND FACILITIES
LA | LOGICAL ACCESS
PA | PHYSICAL ACCESS
PB | PROGRAM & BUDGET
PS | PERSONNEL SECURITY
SC | SESSION CONTROLS
SD | SECURITY DOCUMENTATION
ST | SECURITY TESTING
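The five-step baseline process on slides 70 to 74, the attachment and control-count table on slide 66, and the control taxonomy and class codes on slides 75 and 76 together describe a small decision procedure. The following is an added example (not from the briefing and not a DoD tool) that carries that procedure through in code: it derives the MAC, the three robustness targets, the Enclosure 4 attachment pair and the control count for a system, and it parses control numbers of the form shown on the slides into class, identifier and level, rejecting unknown class codes. Two things are this example's own assumptions and are marked as such in the code: the two yes/no questions used to reduce Step 1 to a function, and the reading of the numeric suffix of a control number as a relative robustness ordering of that control. The MAC II control counts are left as None because the page does not give them.

```python
"""Baseline IA control selection and control-number parsing.

Added example (not from the briefing). Encodes the five-step process and the
class-code table as summarized on these slides; the MAC-assignment questions
and the meaning of the control-number suffix are this example's assumptions.
"""
import re

# Step 2 (slide 71): MAC -> (integrity robustness, availability robustness).
ROBUSTNESS_BY_MAC = {"I": ("High", "High"), "II": ("High", "Medium"), "III": ("Basic", "Basic")}
# Step 4 (slide 73): confidentiality level -> confidentiality robustness.
ROBUSTNESS_BY_CONF = {"Classified": "High", "Sensitive": "Medium", "Public": "Basic"}
# Steps 3 and 5 (slides 72/74) and the combination table (slide 66):
# Enclosure 4 attachment numbers keyed by MAC and by confidentiality level.
ATTACHMENT_BY_MAC = {"I": 1, "II": 2, "III": 3}
ATTACHMENT_BY_CONF = {"Classified": 4, "Sensitive": 5, "Public": 6}
# Control counts per attachment pair as given on slide 66; the MAC II counts
# are not on the page, so they are left as None rather than guessed.
CONTROL_COUNT = {
    (1, 4): 110, (1, 5): 104, (1, 6): 79,
    (2, 4): None, (2, 5): None, (2, 6): None,
    (3, 4): 107, (3, 5): 98, (3, 6): 73,
}
# Control classes from slide 76.
CLASS_CODES = {
    "AC": "ACQUISITION", "AR": "SECURITY ARCHITECTURE", "AU": "AUDIT",
    "CC": "CHANGE CONTROL", "CE": "COMPUTING ENVIRONMENT",
    "CM": "CONFIGURATION MANAGEMENT", "CO": "CONTINUITY OF OPERATIONS",
    "CU": "CRITICAL UTILITIES AND SUPPLIES", "EB": "ENCLAVE BOUNDARY",
    "EF": "ENVIRONMENTAL AND FACILITIES", "LA": "LOGICAL ACCESS",
    "PA": "PHYSICAL ACCESS", "PB": "PROGRAM & BUDGET", "PS": "PERSONNEL SECURITY",
    "SC": "SESSION CONTROLS", "SD": "SECURITY DOCUMENTATION", "ST": "SECURITY TESTING",
}


def assign_mac(supports_deployed_forces, short_outage_tolerable):
    """Step 1, reduced to two distinguishing questions from slide 70 (assumption).

    Systems that do not support deployed or contingency forces are MAC III; among
    those that do, a tolerable short-term outage means MAC II, otherwise MAC I.
    """
    if not supports_deployed_forces:
        return "III"
    return "II" if short_outage_tolerable else "I"


def baseline(mac, confidentiality):
    """Steps 2-5: robustness targets, attachment pair and control count for a system."""
    if mac not in ROBUSTNESS_BY_MAC or confidentiality not in ROBUSTNESS_BY_CONF:
        raise ValueError(f"unknown MAC {mac!r} or confidentiality level {confidentiality!r}")
    integrity, availability = ROBUSTNESS_BY_MAC[mac]
    attachments = (ATTACHMENT_BY_MAC[mac], ATTACHMENT_BY_CONF[confidentiality])
    return {
        "mac": mac, "confidentiality": confidentiality,
        "integrity": integrity, "availability": availability,
        "confidentiality_robustness": ROBUSTNESS_BY_CONF[confidentiality],
        "attachments": attachments,
        "control_count": CONTROL_COUNT[attachments],
    }


CONTROL_RE = re.compile(r"^([A-Z]{2})([A-Z]{2})-([1-9])$")


def parse_control(number):
    """Split a control number such as 'EBBD-2' into its parts (slide 75 taxonomy).

    Assumed layout: two-letter class code, two-letter identifier, and a numeric
    suffix that orders the variants of one control by robustness (the page does
    not define the suffix, so it is treated as relative, not as Basic/Medium/High).
    """
    m = CONTROL_RE.match(number)
    if not m:
        raise ValueError(f"malformed control number: {number!r}")
    class_code, ident, level = m.groups()
    if class_code not in CLASS_CODES:
        raise ValueError(f"unknown control class {class_code!r} in {number!r}")
    return {"number": number, "class_code": class_code,
            "class_name": CLASS_CODES[class_code], "identifier": ident,
            "level": int(level)}


def classes_touched(numbers):
    """Return the sorted set of control classes a list of control numbers spans."""
    return sorted({parse_control(n)["class_code"] for n in numbers})


# Controls quoted on slides 72, 74 and 75 (constructed sample input).
SAMPLE_CONTROLS = ["ARNR-1", "PSRB-1", "AURR-2", "EBBD-2", "EBPW-1", "ACCS-2"]

if __name__ == "__main__":
    mac = assign_mac(supports_deployed_forces=True, short_outage_tolerable=True)  # MAC II
    print(baseline(mac, "Sensitive"))
    for n in SAMPLE_CONTROLS:
        print(parse_control(n))
    print(classes_touched(SAMPLE_CONTROLS))
```

The tables are kept as plain dictionaries so that a different year's counts or an added attachment can be swapped in without touching the logic, and `baseline` refuses unknown inputs rather than silently defaulting to the lowest category, which is the failure mode a manager should worry about when a system is categorized by a form rather than by a review.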
77 Follow Best Commercial Standards
Internet Engineering Task Force (IETF)
The IETF is the protocol engineering and development arm of the Internet. Though it existed informally for some time, the group was formally established by the IAB in 1986 with Phill Gross as the first Chair.
Areas
Area Working Groups
78 IA Engineering
Information Assurance Core Capabilities / Information Operations Core Capabilities
COMSEC
Electronic Warfare
ELSEC
Computer Network Defense
COMPUSEC
Psychological Operations
Military Deception
Operations Security
Computer Network Sensors
SIGSEC/COMSEC Monitoring