App CA Security Assessment Summary Template 030408

Page 1: App CA Security Assessment Summary Template 030408

7/27/2019 App CA Security Assessment Summary Template 030408

http://slidepdf.com/reader/full/app-ca-security-assessment-summary-template-030408 1/39

 

[Insert System Name/Acronym]

Security Categorization: [Insert Security Categorization]

Security Assessment Summary Report
Version [Insert #]

[Insert Date]

Prepared by

[Insert Group/Organization/Company Name]
[Insert Street Address]
[Insert City, State, and Zip Code]


[Insert Group/Organization Name]  [Insert System Acronym]  Version [Insert #]

DOCUMENT CHANGE CONTROL

Version | Release Date | Summary of Changes | Addendum Number | Name
[Version 0.1] | [Insert Date] | [First Draft] | [Insert Addendum #] | [Insert Name]
[Version 0.2] | [Insert Date] | [Final Draft] | [Insert Addendum #] | [Insert Name]
[Version 1.0] | [Insert Date] | [Final] | [Insert Addendum #] | [Insert Name]


TABLE OF CONTENTS

1. EXECUTIVE SUMMARY ..... 1
2. INTRODUCTION ..... 5
  2.1 System Description ..... 5
  2.2 Purpose ..... 5
  2.3 Scope ..... 5
  2.4 Structure ..... 6
3. METHODOLOGY ..... 7
  3.1 Step 1: Identify Threats ..... 7
    3.1.1 Threat Statement Listing ..... 7
  3.2 Step 2: Identify Vulnerabilities
  3.3 Step 3: Analyze Risk
    3.3.1 Likelihood
    3.3.2 Impact ..... 11
    3.3.3 Risk Level ..... 11
  3.4 Step 4: Identify Recommended Corrective Actions ..... 12
  3.5 Step 5: Document Results ..... 12
4. RISK ASSESSMENT RESULTS ..... 13
5. ACCREDITATION RECOMMENDATION ..... 17
  5.1 Priority Mitigation Actions
6. FUTURE ENHANCEMENTS
ACRONYMS
APPENDIX A. REFERENCES
APPENDIX B. SECURITY TEST AND EVALUATION (ST&E)
  PRIVACY IMPACT ASSESSMENT (PIA)
APPENDIX C. E-AUTHENTICATION RISK ASSESSMENT
APPENDIX D. AUDIT REPORTS
  ORGANIZATIONAL COMMON CONTROLS SAR


[This sample format provides a template for preparing a Security Assessment Summary Report for systems. The template is intended to be used as a guide, and the preparer should modify the format as necessary to comply with internal policies. Where practical, the guide provides instructions [in blue, bolded text] for completing specific sections.]


1. EXECUTIVE SUMMARY

The [Insert System Name/Acronym] system has been determined to be a [Insert Major or Minor] System and has been determined to have a security categorization of [Insert High, Moderate, or Low].

The periodic assessment of risk to agency operations or assets resulting from the operation of an information system is an important activity required by FISMA. The [Insert Group/Organization/Company Name] team prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. The results captured within this Report are intended to be an addition to any existing Risk Assessments performed outside of the Certification and Accreditation (C&A) process. It summarizes the risks associated with the vulnerabilities identified during the system's Security Test & Evaluation (ST&E), Privacy Impact Assessment (PIA), e-Authentication Risk Assessment, audits, and any other risk assessment activities. This SAR also serves as the ST&E Report referenced in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. All results were analyzed to provide the Certifier with an assessment of the management, operational, and technical controls implemented to protect the confidentiality, integrity, and availability of the system, as documented in the System Security Plan (SSP). Table 1 below provides the total number of system-specific security risks, by risk level and control category.

Table 1: Summary of System Security Risks

[Populate this table using the data in Table 12. Insert the number of risks for each control category and risk level. Also, include total numbers for each column and row.]

                 Control Category
Risk Level | Management | Operational | Technical | Total
High       |            |             |           |
Medium     |            |             |           |
Low        |            |             |           |
Total      |            |             |           |

In certain instances, the system may not have the technical capability to implement a security control, or the system owner may make a risk-based decision not to implement a control based on the cost or feasibility of implementing the control relative to risk. The status of such controls is documented as risk-based in the SSP. A summary of these controls and the justification for each are provided in Table 2.
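The following script is an added example, not part of this template and not any organization's C&A tooling. It shows one way to produce the counts Table 1 (and Table 3) ask for from a list of ST&E findings, and to reject the TBD / N/A cell values the template forbids. Assumptions are labelled in the code: each finding is a (control identifier, likelihood, impact) tuple of the kind the ST&E matrix (the template's Table 12) would yield; control families are mapped to the Management / Operational / Technical classes of NIST SP 800-53 (rev. 1-3); and the risk level is derived with the NIST SP 800-30 (2002) likelihood x impact matrix rather than read from the matrix by hand. The function and constant names (`summarize_risks`, `risk_level`, `check_cell`, `CLASS_OF_FAMILY`) and the sample findings are constructed for this example.

```python
"""Tally system-specific security risks by risk level and control category.

Added example for this template (not part of the original document). It
produces the layout of Table 1 / Table 3 from a list of findings. Assumptions:
  * each finding is (control_id, likelihood, impact), as it would come out of
    the ST&E matrix (Table 12 in the template);
  * control families are mapped to the Management / Operational / Technical
    classes used by NIST SP 800-53 (rev. 1-3);
  * risk level follows the NIST SP 800-30 (2002) likelihood x impact matrix:
    likelihood High=1.0, Medium=0.5, Low=0.1; impact High=100, Medium=50,
    Low=10; product > 50 -> High, > 10 -> Medium, otherwise Low.
"""
from collections import OrderedDict

# NIST SP 800-53 control classes by family identifier (assumed mapping).
CLASS_OF_FAMILY = {
    "CA": "Management", "PL": "Management", "RA": "Management", "SA": "Management",
    "AT": "Operational", "CM": "Operational", "CP": "Operational", "IR": "Operational",
    "MA": "Operational", "MP": "Operational", "PE": "Operational", "PS": "Operational",
    "SI": "Operational",
    "AC": "Technical", "AU": "Technical", "IA": "Technical", "SC": "Technical",
}

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # SP 800-30 values
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}        # SP 800-30 values
LEVELS = ("High", "Medium", "Low")
CATEGORIES = ("Management", "Operational", "Technical")
FORBIDDEN_CELL_VALUES = {"TBD", "N/A", "NA"}  # the template forbids these; "None" is fine


def risk_level(likelihood, impact):
    """SP 800-30 risk scale: likelihood weight x impact weight."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def control_category(control_id):
    """'AC-2' -> 'Technical'. An unknown family raises KeyError on purpose."""
    family = control_id.split("-", 1)[0].strip().upper()
    return CLASS_OF_FAMILY[family]


def check_cell(value):
    """Reject the placeholder values the template forbids in populated tables."""
    if value.strip().upper() in FORBIDDEN_CELL_VALUES:
        raise ValueError(f"{value!r} is not allowed; enter a real value or 'None'")
    return value


def summarize_risks(findings):
    """Return {risk_level: {category: count, 'Total': count}} with a final
    'Total' row, i.e. the layout of Table 1."""
    columns = CATEGORIES + ("Total",)
    table = OrderedDict((row, OrderedDict((c, 0) for c in columns))
                        for row in LEVELS + ("Total",))
    for control_id, likelihood, impact in findings:
        level = risk_level(likelihood, impact)
        category = control_category(control_id)
        for row in (level, "Total"):        # count in its level row and the Total row
            table[row][category] += 1
            table[row]["Total"] += 1
    return table


def render(table):
    """Plain-text rendering of the summary table (one header line + one per row)."""
    header = ("Risk Level",) + CATEGORIES + ("Total",)
    lines = [" | ".join(f"{c:<12}" for c in header)]
    for row, counts in table.items():
        cells = [row] + [str(counts[c]) for c in CATEGORIES + ("Total",)]
        lines.append(" | ".join(f"{c:<12}" for c in cells))
    return "\n".join(lines)


# Constructed sample findings, not taken from any real ST&E.
SAMPLE_FINDINGS = [
    ("AC-2", "High", "High"),      # Technical, High
    ("IA-5", "Medium", "High"),    # Technical, Medium
    ("CM-6", "High", "Medium"),    # Operational, Medium
    ("RA-5", "Low", "High"),       # Management, Low
    ("PE-3", "Medium", "Medium"),  # Operational, Medium
    ("AU-6", "Low", "Low"),        # Technical, Low
]

if __name__ == "__main__":
    print(render(summarize_risks(SAMPLE_FINDINGS)))
```

The "Total" row and column are computed from the same findings list rather than typed in, which is the check a reviewer would otherwise make by hand: a Table 1 whose totals do not match the ST&E matrix is the first sign that findings were dropped or double-counted between the two tables.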


Table 2: Summary of Risk Based Decisions

[Populate this table using controls in the SSP that have been designated as Risk Based Decisions. DO NOT USE TBD or N/A. None is an appropriate answer if there are no Risk Based Decisions for the system.]

Management / Operational / or Technical | Control Identifier | Description | Justification

All [Insert Group/Organization/Company Name] systems rely on certain organizational controls that are implemented at the Enterprise Level (e.g. Security Policies). Risks relating to these organizational controls should be considered when assessing the system's security posture. Table 3 provides the total number of [Insert Group/Organization/Company Name] organizational security risks, by impact level and control category. Please refer to Appendix G for more details regarding the organizational level risks.

Table 3: Summary of Organizational Security Risks

                 Control Category
Risk Level | Management | Operational | Technical | Total
High       |            |             |           |
Medium     |            |             |           |
Low        |            |             |           |
Total      |            |             |           |

Note: The detailed results of the organizational common controls are documented in the accompanying [Insert Group/Organization/Company Name] Organizational Common Controls Security Assessment Report (SAR) dated [Insert Date]. These common controls are updated and assessed annually for each FISMA year.

Table 4 provides a summary of the audit findings specific to the system.

Table 4: Summary of System Audit Findings

[Populate this table using applicable audit Reports for the system. DO NOT USE TBD or N/A. None is an appropriate answer.]

Audit Finding | Date of Audit | Reported by | Associated NIST Control Family

Table 4a provides a summary of the audit findings related to the Organizational Common Controls.

Table 4a: Summary of Organization Level Audit Findings


[Populate this table using applicable audit Reports for the organization. DO NOT USE TBD or N/A. None is an appropriate answer.]

Audit Finding | Date of Audit | Reported by | Associated NIST Control Family

Table 4b provides a summary of [Insert Group/Organization/Company Name] material weaknesses related to computer security.

Table 4b: Summary of Computer Security Material Weaknesses

[Populate this table with any computer security material weaknesses that have been identified for the organization. DO NOT USE TBD or N/A. None is an appropriate answer.]

Material Weakness | Domain(s) | Associated NIST Control Family

Due to the inherent relationship between the system and the underlying General Support System(s) (GSS), GSS risks may impact the overall system security posture. A summary of the GSS risks is provided in Table 5 for the system owner to consider when making the accreditation decision. For more information on the risks that were identified for the GSS(s) and the status of the mitigation of these risks, refer to the respective Plan of Action and Milestones (POA&M) for the GSS(s).

Table 5: Summary of GSS Security Risks

[Populate this table using applicable C&A results for each GSS which supports the system. Obtain the list of supporting GSSs from the "Interconnection" table in section 2.15 of the SSP. DO NOT USE TBD or N/A. None is an appropriate answer.]

GSS | GSS Accreditation Status / Date | Date of GSS POA&M | NIST Control Families with Vulnerabilities Identified / Number of POA&M Items (per NIST Control Family)

In order to provide a more holistic view of the risks to the system, [Insert Group/Organization/Company Name] included the GSS components directly supporting the system within the scope of the ST&E. The purpose of including these GSS components as part of the system ST&E is to specifically identify GSS-level risks that may impact the security posture of the system, providing the Designated Approving Authority (DAA) with a higher level of assurance in making an accreditation decision for the system. The scope of the system ST&E included the following GSS components: [include a listing of system-specific GSS components that were tested]. For more information on the risks identified for the GSS components, refer to Table 12a and the ST&E matrix listed in Appendix B of the report. Table 5a provides a summary of the risks identified for the GSS components directly supporting the system.

Table 5a: Summary of Risks Identified for GSS Components Directly Supporting [Insert System Acronym]

[Populate this table using applicable C&A results for system-specific GSS components which were tested as part of the system C&A effort. DO NOT USE TBD or N/A. None is an appropriate answer if no GSS risks were identified.]

GSS | GSS Component | NIST Control Families with Vulnerabilities Identified / Number of POA&M Items (per NIST Control Family)

Refer to the [Insert System Acronym] Certification Memorandum for the accreditation recommendation.


2. INTRODUCTION

The [Insert System Name/Acronym] system has been determined to be a [Insert Major or Minor] System and has been determined to have a security categorization of [Insert High, Moderate, or Low].

The periodic assessment of risk to agency operations or assets resulting from the operation of an information system is an important activity required by FISMA. [Insert Group/Organization/Company Name] prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. It summarizes the risks associated with the findings identified during the system's Security Test & Evaluation (ST&E), Privacy Impact Assessment (PIA), e-Authentication Risk Assessment, audits, and any other risk assessment activities. This report also serves as the ST&E Report referenced in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

2.1 System Description

[Insert a description of the business purpose of the system and the system environment, as described in the system's System Security Plan. In addition, include a reference to the SSP for more information about the system. Ensure this section is continuously updated with the latest description from the System Security Plan.]

2.2 Purpose

The purpose of this Security Assessment Summary Report is to provide the Certifier and the Designated Approving Authority with a more holistic view of risk regarding the system. It documents the security assessment activities that were performed on the system and the results of those activities, including ST&E, PIA, e-Authentication Risk Assessment, audits, and any other risk assessment activities. This report provides the system's stakeholders with an assessment of the adequacy of the management, operational, and technical controls used to protect the confidentiality, integrity, and availability of the system and the data it stores, transmits, or processes.

2.3 Scope

The scope of the report includes the assessment of the system-level management, operational, and technical controls as documented in the system SSP and the GSS components that directly support the system. The evaluation of the controls provided by the GSS(s) on which the system resides is documented in the individual GSS C&A packages. A summary of the GSS risks is provided in Tables 5 and 5a for the DAA to consider when making the accreditation decision. Additionally, controls considered to be common security controls, as defined in NIST SP 800-53, were assessed. The results of the assessment of these common controls are summarized in Table 3 in the Executive Summary section of this report.

The following system components were assessed in this report: [Bullet point the components of the system that were assessed and listed in the boundary scope memo; see the example below.]

• App Module 1

• App Module 2


The following GSS components that directly support the system were also assessed in this report: [Bullet point the GSS components that directly support the system which were assessed and listed in the boundary scope memo; see the example below.]

• UNIX Server (GSS [Insert GSS Name])

• Oracle Database Server (GSS [Insert GSS Name])

2.4 Structure

The remainder of the Report is structured as follows:

Section 3 - provides an overview of the Security Assessment Methodology

Section 4 - provides a summary of the Risk Assessment Results

Section 5 - contains the Accreditation Recommendation

Appendices - provide the detailed findings from the ST&E, PIA, e-Authentication Risk Assessment, and Audits


3. METHODOLOGY

This section describes the methodology used to conduct the security assessment for the system. The methodology consists of the following steps:

Step 1. Identify Threats

Step 2. Identify Vulnerabilities

Step 3. Analyze Risks

Step 4. Identify Recommended Corrective Actions

Step 5. Document Results

3.1 Step 1: Identify Threats

This step begins with compiling a threat statement listing the potential threat-sources that are applicable to the system.

3.1.1 Threat Statement Listing

Table 6 provides an overview of the threat sources considered for the system risk assessment.

)a-(e : )*reat Source 4ist 

*denti"ier

Source and Type Capabi!ities T#reat Scenarios *ntentions@Moti:ations Resources

T-01 Foreign Intelligence Service over the Internet
  Source and Type: Outsider
  Capabilities: • Highest level of sophistication
  Threat Scenarios: • Hacking • Impersonation • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Political Gain • Economic Gain • Military Gain
  Resources: Substantial (i.e., Government Financed)

T-02 Terrorist over the Internet
  Source and Type: Outsider
  Capabilities: • Highest level of sophistication
  Threat Scenarios: • Hacking • Impersonation • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Political Gain • Economic Gain • Military Gain • Denial of Service • Threaten Harm to Individuals • Create Chaos
  Resources: Substantial (i.e., Government Financed)

T-03 Organized Crime over the Internet
  Source and Type: Outsider
  Capabilities: • Highest level of sophistication
  Threat Scenarios: • Hacking • Impersonation • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Economic Gain • Political Gain
  Resources: Moderate to Substantial


T-04 Individual Hacker over the Internet
  Source and Type: Outsider
  Capabilities: • Many levels of sophistication
  Threat Scenarios: • Hacking • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Challenge • Ego • Rebellion • Create Chaos
  Resources: Minimal to Moderate

T-05 Disgruntled Former Employee over the Internet
  Source and Type: Outsider
  Capabilities: • Many levels of sophistication
  Threat Scenarios: • Hacking • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Revenge • Curiosity • Ego • Monetary Gain
  Resources: Minimal to Moderate

T-06 Disgruntled Employee – System administrator, Engineering team • Local (physically on-site) via Intranet (within the firewall)
  Source and Type: Insider
  Capabilities: • High degree of technical sophistication
  Threat Scenarios: • Unauthorized Access • Browsing Proprietary Information • Fraud and Theft • Input of Falsified/Corrupt Information • Sabotage
  Intentions/Motivations: Malicious • Revenge • Curiosity • Ego • Monetary Gain
  Resources: Moderate

T-07 Disgruntled Employee – Technical support personnel • Local (physically on-site) via Intranet (within the firewall)
  Source and Type: Insider
  Capabilities: • High degree of technical sophistication
  Threat Scenarios: • Unauthorized Access • Browsing Proprietary Information • Fraud and Theft • Input of Falsified/Corrupt Information • Sabotage
  Intentions/Motivations: Malicious • Revenge • Curiosity • Ego • Monetary Gain
  Resources: Moderate

T-08 Cleaning crew, service repair crew • Local (physically on-site) and via Company Intranet (within the firewall)
  Source and Type: Insider
  Capabilities: • Many levels of technical sophistication
  Threat Scenarios: • Social Engineering • System Intrusion, Break-ins • Unauthorized system access
  Intentions/Motivations: Malicious • Curiosity • Ego • Monetary Gain
  Resources: Moderate

T-09 Careless clerical employee • Local (physically on-site) and via Company Intranet (within the firewall)
  Source and Type: Insider
  Capabilities: • Rudimentary degree of technical sophistication
  Threat Scenarios: • Input of Corrupt Information
  Intentions/Motivations: Non-Malicious • Unintentional Errors and Omissions
  Resources: Minimal

3.2 Step 2: Identify Vulnerabilities

The goal of this step is to develop a list of the system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. The identification of vulnerabilities can take many forms based on various types of risk assessments. The following was used to determine the vulnerabilities within the system:

• The ST&E was used to determine the completeness and effectiveness of the system's security controls. Appendix B provides a detailed listing of findings.


• The Privacy Impact Assessment was utilized to determine the system's compliance with federal Privacy requirements. Appendix D provides a detailed listing of findings.

• The e-Authentication Risk Assessment was utilized to determine the system's compliance with federal e-Authentication requirements. Appendix E provides a detailed listing of findings.

• Security Risk Assessments and Engineering Risk Based Reviews were reviewed, if available, to determine risks identified as part of the System Development Lifecycle or as part of a separate technical evaluation.

Findings identified as part of the above-mentioned risk assessment activities were reviewed and grouped into risks by NIST SP 800-53 control families or by findings that were related to one another. Additionally, during the consolidation process, findings were grouped by NIST SP 800-53 management, operational, and technical control classes in order to facilitate the process of reporting risks in Table 1 of this document.

3.3 Step 3: Analyze Risk

The risk analysis for each vulnerability consists of assessing the threats and compensating controls to determine the likelihood that the vulnerability could be exploited and the potential impact should the vulnerability be exploited. A general depiction of the analysis is shown in Figure 1, where risk is the intersection of a threat and vulnerability, influenced by likelihood and impact:

Figure 1. Link Between Likelihood, Impact and Risk

Essentially, risk is proportional to both likelihood of exploitation and possible impact. The following sections provide a brief description of each component used to determine the risk.

3.3.1 Likelihood

The likelihood that a given vulnerability will be exploited by a threat is determined by analyzing the effectiveness of compensating controls against the threat capability. Compensating controls consist of measures in place that assist in mitigating the magnitude of a given vulnerability. Threat capability is defined as the means, opportunity, and motive of a given threat agent. Threat capabilities are defined in Table 7.


Table 7: Threat Capability Components

Component | Description

Means: Means is the mechanism for fulfillment in exploiting the vulnerability. Threat agents are continuously achieving a higher level of means due to the level of sophistication available in easily obtained intrusion tools.

Opportunity: The opportunity for attack is determined by the threat agents' level of access to the system. One of the greatest opportunity differences between threat agents is an insider versus an outsider to the organization, with the insider having far more opportunity to exploit vulnerabilities.

Motive: The motive of a threat agent is his or her desire to exploit a vulnerability. Motive can be influenced by the sensitivity of data, desire for monetary gain, or the potential publicity implications of an attack against a highly visible organization.

Once the threat capability and compensating control effectiveness are assessed for the vulnerability, the overall likelihood of the threat exploiting the vulnerability is determined using the matrix in Table 8.

Table 8: Likelihood Matrix

Threat Capability \ Compensating Control Effectiveness: Low | Medium | High
High   | High   | High   | Medium
Medium | Medium | Medium | Low
Low    | Low    | Low    | Low

The likelihood of the vulnerability being exploited is the intersection of the threat capability category and the compensating control effectiveness category. For example, if the compensating control effectiveness is "High," the resulting likelihood of exploitation is "Medium" likelihood for a "High" threat capability, and "Low" likelihood for a "Medium" threat capability. Table 9 shows the definitions for each likelihood level. Note that a "High" effectiveness for compensating controls cannot completely reduce the likelihood of exploitation of a "High" capability threat.

Table 9: Likelihood Descriptions

Likelihood | Description

High: The capability of the threat is significant, and compensating controls to reduce the probability of vulnerability exploitation are insufficient.

Medium: The capability of the threat is medium, and implemented compensating controls lessen the probability of vulnerability exploitation.

Low: The capability of the threat is limited, and compensating controls are in place that effectively reduce the probability of vulnerability exploitation.


3.3.2 Impact

Impact refers to the magnitude of potential harm that may be caused by successful exploitation. It is determined by the value of the resource at risk, both in terms of its inherent (replacement) value, its importance (criticality) to business missions, and the sensitivity of data contained within the system. The results of the system security categorization estimations for each system, discussed in each system's respective SSP, are used as an aid to determining individual impact estimations for each finding. The level of impact is rated as High, Medium, or Low and a description for each level of impact is provided in Table 10.

Table 10: Impact Definitions

Magnitude of Impact | Impact Definitions

High: Exercise of the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Moderate: Exercise of the vulnerability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

Low: Exercise of the vulnerability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

3.3.3 Risk Level

The risk level for the finding is the intersection of the likelihood value and impact value as depicted in Table 11.

Table 11: Risk Level Matrix


Likelihood \ Impact: High | Moderate | Low
High   | High   | Medium | Low
Medium | Medium | Medium | Low
Low    | Low    | Low    | Low
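Added example, not part of the template: the Table 8 and Table 11 lookups in Python, applied to nine constructed findings for a hypothetical Moderate-categorized system, enforcing the Table 12 rule that every risk's Impact equals the system categorization, and rolled up by level and NIST SP 800-53 control family as Section 5 reports them. The control identifiers on the sample findings are illustrative (AC-2 does not appear in this template).

```python
"""Likelihood (Table 8) and risk level (Table 11) scoring with a Section 5 roll-up.
Added example; the findings below are constructed, not from any real assessment."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
IMPACTS = ("Low", "Moderate", "High")

# Table 8: Likelihood Matrix. Outer key = threat capability,
# inner key = compensating control effectiveness.
LIKELIHOOD_MATRIX = {
    "High":   {"Low": "High",   "Medium": "High",   "High": "Medium"},
    "Medium": {"Low": "Medium", "Medium": "Medium", "High": "Low"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Low"},
}

# Table 11: Risk Level Matrix. Outer key = likelihood, inner key = impact.
RISK_MATRIX = {
    "High":   {"High": "High",   "Moderate": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Moderate": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Moderate": "Low",    "Low": "Low"},
}


def likelihood(threat_capability: str, control_effectiveness: str) -> str:
    """Table 8 lookup; High capability against High controls still yields Medium."""
    if threat_capability not in LEVELS or control_effectiveness not in LEVELS:
        raise ValueError("threat capability and control effectiveness must be Low/Medium/High")
    return LIKELIHOOD_MATRIX[threat_capability][control_effectiveness]


def risk_level(likelihood_value: str, impact: str) -> str:
    """Table 11 lookup."""
    if likelihood_value not in LEVELS or impact not in IMPACTS:
        raise ValueError("likelihood must be Low/Medium/High; impact must be Low/Moderate/High")
    return RISK_MATRIX[likelihood_value][impact]


@dataclass(frozen=True)
class Finding:
    identifier: str            # Table 12 "Identifier" column
    control: str               # NIST SP 800-53 control the finding was grouped under
    threat_capability: str     # judgement from means, opportunity and motive (Table 7)
    control_effectiveness: str
    impact: str                # must equal the system's security categorization


def control_family(control: str) -> str:
    """'IA-2' -> 'IA'; Step 2 groups findings by control family."""
    return control.split("-", 1)[0]


def assess(findings, system_categorization: str):
    """Return one Table 12 row (as a dict) per finding.

    The note under Table 12 requires the Impact of every risk to equal the
    system's security categorization, so a mismatch is rejected, not scored.
    """
    rows = []
    for f in findings:
        if f.impact != system_categorization:
            raise ValueError(f"{f.identifier}: impact {f.impact!r} differs from "
                             f"system categorization {system_categorization!r}")
        lk = likelihood(f.threat_capability, f.control_effectiveness)
        rows.append({"identifier": f.identifier, "control": f.control,
                     "family": control_family(f.control), "likelihood": lk,
                     "impact": f.impact, "risk_level": risk_level(lk, f.impact)})
    return rows


def summarize(rows):
    """Counts by risk level and by control family, as Section 5 reports them."""
    return {"total": len(rows),
            "by_level": dict(Counter(r["risk_level"] for r in rows)),
            "by_family": dict(Counter(r["family"] for r in rows))}


# Constructed sample: nine findings for a Moderate-categorized system, chosen so
# the roll-up matches the Section 5 example text (two Medium, seven Low).
SAMPLE_FINDINGS = [
    Finding("1", "IA-2",  "High",   "Medium", "Moderate"),
    Finding("2", "AC-2",  "Medium", "Low",    "Moderate"),
    Finding("3", "AU-2",  "Medium", "High",   "Moderate"),
    Finding("4", "CM-6",  "Low",    "Low",    "Moderate"),
    Finding("5", "SA-5",  "Low",    "Medium", "Moderate"),
    Finding("6", "SI-11", "Medium", "High",   "Moderate"),
    Finding("7", "CM-2",  "Low",    "High",   "Moderate"),
    Finding("8", "RA-5",  "Low",    "Low",    "Moderate"),
    Finding("9", "IA-2",  "Medium", "High",   "Moderate"),
]

if __name__ == "__main__":
    table12 = assess(SAMPLE_FINDINGS, "Moderate")
    for row in table12:
        print(row["identifier"], row["control"], row["likelihood"],
              row["impact"], row["risk_level"])
    print(summarize(table12))   # {'total': 9, 'by_level': {'Medium': 2, 'Low': 7}, ...}
```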

3.4 Step 4: Identify Recommended Corrective Actions

The finding and associated risk level were used to determine the recommendations that should be applied as a means to mitigate the risk. When identifying recommendations, the following were taken into consideration: level of effort, costs, emerging technologies, time constraints, and feasibility.

3.5 Step 5: Document Results

The results of the risk assessment were documented providing the finding, business impact statement, recommended corrective actions, likelihood, impact, and risk level. Refer to section 4.0 of this report for the risk assessment results.


4.0 RISK ASSESSMENT RESULTS

This section documents the technical and non-technical security risks to the system. These risks have been determined by applying the methodology outlined in Section 3 of this document to the vulnerabilities identified by the various security reviews that have been performed for the system (as applicable - ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities). The security risks identified in this section largely constitute the basis for the accreditation recommendation provided in Section 5 of this document.

The risk assessment results for the system are documented in Tables 12 and 12a. The following provides a brief description of the information documented in each column:

• Identifier: Provides a unique number used for referencing each vulnerability.

• Source: Indicates the source where the vulnerability was identified (e.g., ST&E, PIA, e-Authentication Risk Assessment, or any other risk assessment activities).

• Risk: Provides a brief description of the risk.

• Business Impact Statement: Indicates the impact to the business of a threat exploiting the vulnerability. The following are examples of potential impacts to business data that could be realized by the exploitation of a system vulnerability:

  • Completeness: All transactions that occurred are entered and accepted for processing by the system.

  • Accuracy: Transactions are properly recorded, and on a timely basis (in the proper period); key data elements input for transactions are accurate and data elements are processed accurately by systems that produce reliable results.

  • Validity: All recorded transactions actually occurred (are real), relate to the organization, and were approved by designated personnel.

  • Confidentiality: System data and reports are protected against unauthorized access.

• Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.

• Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

• Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

• Risk Level: Provides the risk level (high, medium, low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.

The risks identified in the table below are based on security vulnerabilities from various sources including ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities. The security vulnerabilities from the ST&E are listed in the finding matrix in Appendix B of the report. These findings are based on the ST&E results that are documented in the ST&E Plan. Also, please refer to the source documents (e.g., PIA, e-Authentication Risk Assessment) included in the C&A package for more detailed information on the risks associated with non-ST&E findings.


Table 12: Risk Assessment Results

[Ensure that all risks that were identified as part of risk assessment activities (i.e., ST&E, PIA, e-Authentication Risk Assessment, and any other risk assessment activities) are listed in the table below. Ensure that the "Impact" level for all risks identified in Table 12 is the same as the security categorization level for the system]

Columns: Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level

1 | EXAMPLE: App ST&E Findings Matrix | AU-2 (App) | | | | |

2 | | | | | | |

3 | | | | | | |

4 | | | | | | |

5 | | | | | | |


Supporting GSS Component Risks

Table 12a provides a list of risks that were identified for the GSS components directly supporting the system that may impact the security posture of the system. The GSS components directly supporting the system that were included within the scope of the system ST&E are as follows: [include a listing of system-specific GSS components that were tested]. The risks identified in the table below were not included in the total count of risks tallied in Table 1: Summary of System Security Risks. These risks will be incorporated into the respective GSS POA&M(s).

Table 12a: Supporting GSS Component Risk Assessment Results

[Populate this table using applicable C&A results for system-specific GSS components which were tested as part of the system C&A effort. Ensure that the "Impact" level for all risks identified in Table 12a is the same as the security categorization level for the GSS that the risk was identified for. DO NOT USE TBD or N/A. "None" is an appropriate answer if no GSS risks were identified]

Columns: Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level

GSS1 | EXAMPLE: App ST&E Findings Matrix | RA-5 (GSS Windows 2003 Server) | | | | |

GSS2 | | | | | | |


Mitigated Results

Table 12b provides a list of the risks that were identified in the results of risk assessment activities where actions have been taken to mitigate these risks after risk assessment activities were performed. The [Insert Group/Organization/Company Name] Issue Resolution Process was used to confirm that each of the ST&E findings noted below has been mitigated. Therefore, these risks are provided in this report for informational purposes only and do not have an impact on the accreditation recommendation.

Table 12b: Mitigated Results

[Populate the table below with risks that have been mitigated (i.e., ST&E and SA risks that have been corrected). Any risks that have not been mitigated should be placed in Table 12 above and should not be placed in this table. DO NOT USE TBD or N/A. "None" is an appropriate answer if a SA was not performed]

Columns: Identifier | Source | Risk | Business Impact Statement | Recommended Corrective Action | Likelihood | Impact | Risk Level

1 | EXAMPLE: App SA, dated 01/02/07 | 01 CM-2 | | | | |

2 | EXAMPLE: App ST&E Findings Matrix | IA-2 (App) | | | | |


5.0 ACCREDITATION RECOMMENDATION

[Populate this section based on the risks identified in this report and include a reference to the system's Certification Memorandum for the accreditation recommendation. The following is an example:

A total of nine system risks were identified for App. Of the nine risks, two were deemed as Medium and seven were deemed as Low. The risks identified in Section 4, Table 12 within this report included weaknesses in the area of Access Controls and Identification and Authentication. Please refer to the App Certification Memorandum for the accreditation recommendation]

The Federal Information Security Management Act (FISMA) requires that a Plan of Action and Milestones (POA&M), using the format guidance prescribed by OMB, be utilized as the primary mechanism for tracking all system security weaknesses and issues. The authorizing official (accreditor) will need to take ownership of these risks and ensure they are included in the weakness repository and that the POA&M for the system is updated, monitored, and progress reported quarterly through your FISMA coordinator.


5.1 Priority Mitigation Actions

[Complete this section if there are major mitigation actions that must be completed. Otherwise, remove this section in its entirety. This section must be completed for any systems issued an IATO]

Each item in the POA&M is important for the overall security of the system. Nevertheless, a smaller set of changes is required to merit Authorization to Operate under guidelines documented in NIST Special Publication 800-37. These items are considered so significant that the Certification Agent is unwilling to recommend unrestricted operation of the system until the vulnerabilities have been substantially corrected. Table 13 presented below depicts the priority mitigation actions for the system. These mitigation actions are a subset of what is presented in the system POA&M document.

Table 13: Priority Mitigation Actions

Columns: Risk Level | Risk Identifier | Vulnerability Description


6.0 FUTURE ENHANCEMENTS

The following planned changes to the [Insert System Acronym] environment are provided here for informational purposes only. At the time of the current system C&A review, these changes were still in development, and therefore not enough information was available to accurately document and test the security controls planned for implementation with these enhancements. These future enhancements will be documented and tested as part of the next update to the system C&A package.

[If section 5.1 was completed above, change the table below to Table 14]

Table 13: Future Enhancements

Columns: Future Enhancement Title | Future Enhancement Description | Implementation Date(s)


ACRONYMS [Update the acronym list based on the acronyms used in this document]

AC – Authentication Category

AP – Assurance Profile

ATO – Authorization to Operate

C&A – Certification & Accreditation

COTS – Commercial Off the Shelf

DAA – Designated Approving Authority

FIPS PUB – Federal Information Processing Standard Publication

FISMA – Federal Information Security Management Act

GSS – General Support System

IATO – Interim Authorization to Operate

ID – Identification

IT – Information Technology

LAN – Local Area Network

NIST – National Institute of Standards and Technology

OMB – Office of Management and Budget

PIA – Privacy Impact Assessment

POA&M – Plan of Action and Milestones

POC – Point of Contact

RA – Risk Assessment

SA – System Administrator

SAR – Security Assessment Report

SDLC – System Development Life Cycle

SP – Special Publication

SSP – System Security Plan

ST&E – Security Test and Evaluation


APPENDIX A. REFERENCES

Laws and Regulations:

Federal Information Security Management Act of 2002, Title III – Information Security, P.L. 107-347.

Consolidated Appropriations Act of 2005, Section 522.

USA PATRIOT Act (P.L. 107-56), October 2001.

OMB Circulars:

OMB Circular A-130, Management of Federal Information Resources, November 2000.

OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12: Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 2006.

FIPS Publications:

FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems

FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems

FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors

NIST Publications:

NIST 800-18, Guide for Developing Security Plans for Information Technology Systems

NIST 800-26, Security Self-Assessment Guide for Information Technology Systems

NIST 800-30, Risk Management Guide for Information Technology Systems

NIST 800-34, Contingency Planning Guide for Information Technology Systems

NIST 800-47, Security Guide for Interconnecting Information Technology Systems

NIST 800-53, Recommended Security Controls for Federal Information Systems

NIST 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

NIST 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology

NIST 800-64, Security Considerations in the Information System Development Life Cycle


[Insert System Acronym] References

[Insert any business-related laws/regulations that apply to the system]


APPENDIX B. SECURITY TEST AND EVALUATION (ST&E)

An ST&E was performed on [Insert Dates] at [Insert Location] for the system. The results of the ST&E are presented in the completed ST&E plan which is part of the C&A package. The security vulnerabilities identified during the ST&E are provided below. Testing against the system and GSS components that directly support [Insert System Acronym] operations was conducted. The ST&E for the system included the following components: [Bullet point components of the system that were assessed and listed in the boundary scope memo; see example below]

App Module 1

App Module 2

The ST&E for the GSS components that directly support the system included the following: [Bullet point GSS components that directly support the system which were assessed and listed in the boundary scope memo; see example below]

UNIX Server (GSS )

Oracle Database Server (GSS )

Vulnerabilities discovered for the system components which were tested are listed under the System Level Findings section in this appendix. Vulnerabilities discovered on the supporting GSS components are listed under the Supporting GSS Component Findings section in this appendix. Note: Obtain the ST&E Plan and Findings Matrix for the system to complete this appendix. Also, be sure to roll up duplicate findings and place the finding statement in a list for that specific control in the appropriate component section of the "System Level Findings" table below. For example, if five test cases failed for IA-2, take the unique language in those test cases and put it into an entry for IA-2 under the appropriate component section in the table below (i.e., if an IA-2 test case fails for "App Module 1", place the language under this component section in the table. If an IA-2 test case fails for "App Module 1", as well as for "App Module 2", split the findings up accordingly and place entries for IA-2 into each of these sections of the table).

System Level Findings

Vulnerabilities discovered for the system components which were tested are listed in the table below. The composite risks and risk levels for system vulnerabilities are captured in Table 12 of the report along with the business impact statement and recommended corrective actions.

[Populate the table below using the findings identified for system components that were tested as part of the ST&E; see the example below]

Columns: ST&E Control Number and Name | Applicable NIST SP 800-53 Control(s) | ST&E Finding Statement

[Insert name of system component i.e., App Module 1]


SA-5: Information System Documentation
  Applicable NIST SP 800-53 Control(s): The organization ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel.
  ST&E Finding Statement: [Insert finding statement from ST&E Results Matrix and failed test case number(s)] EXAMPLE: Adequate documentation for App is not maintained (APP-SA-5-01A, APP-SA-5-01B)

[Insert name of system component i.e., App Module 2]

CM-6: Configuration Settings
  Applicable NIST SP 800-53 Control(s): The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.
  ST&E Finding Statement: [Insert finding statement from ST&E Results Matrix and failed test case number(s)]


Supporting GSS Component Findings

In order to provide a more holistic view of the risks to the system, [Insert Group/Organization/Company Name] included the GSS components directly supporting the system within the scope of the system ST&E. The purpose of including these GSS components as part of the ST&E is to specifically identify GSS-level risks that may impact the security posture of the system, providing the DAA with a higher level of assurance in making an accreditation decision for the system. The composite risks and risk levels for the supporting GSS component vulnerabilities are captured in Table 12a of the report along with the business impact statement and recommended corrective actions. A summary of the GSS risks is provided in Tables 5 and 5a of the report.

[Populate the table below using the findings identified for GSS components that were tested as part of the ST&E; see the example below. DO NOT USE TBD or N/A. "None" is an appropriate answer if no GSS findings were identified.]

ST&E Control Number and Name | Applicable NIST SP 800-53 Control(s) | ST&E Finding Statement

[Insert name of GSS component, i.e., UNIX Server (GSS)]

CM-6: Configuration Settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]

SI-11: Error Handling | The information system identifies and handles error conditions in an expeditious manner. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]

[Insert name of GSS component, i.e., Oracle Database Server (GSS)]

CM-6: Configuration Settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]


CM-7: Least Functionality | The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services]. | [Insert finding statement from ST&E Results Matrix and failed test case number(s)]


PRIVACY IMPACT ASSESSMENT (PIA)

A PIA was performed or revised for the system as part of the C&A activities. A copy of the PIA Risk Memo is presented in this appendix. The security risks identified based on the PIA are documented in Table 12 of this report.

[Insert PIA Risk Memo here]

Or

A PIA was performed or revised for the system as part of the C&A activities. A copy of the PIA Risk Memo is presented in this appendix. There were no security risks identified based on the PIA.

[Insert PIA Risk Memo here]

Or

A PIA is not required for this system. Therefore, a copy of the PIA Risk Memo is not presented in this appendix.


APPENDIX C: E-AUTHENTICATION RISK ASSESSMENT

[Insert System Acronym] has been determined to be a Federal System that does not require e-Authentication security controls to be implemented due to the nature of the transactions processed on the system.

Or

An e-Authentication Risk Assessment was performed or revised for the system as part of the C&A activities. A copy of the e-Authentication Risk Assessment is presented in this appendix. The security risks identified based on the e-Authentication Risk Assessment are documented in Table 12 of this report.

Introduction

The purpose of this e-Authentication Assurance Level Determination Report is to document the e-Authentication risk assessment activities that were performed according to the OMB Presidential Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003, and Federal Information Processing Standards (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, and the results of those activities. This Report provides management with an assessment of the assurance impact profile level of electronic system transactions of remote users, to ensure that authentication processes provide the appropriate level of assurance.

Overview

An e-Authentication assurance level determination was conducted in accordance with the OMB Presidential Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Electronic Authentication Guideline, June 2004; and Federal Information Processing Standards (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors.

In order to compile a comprehensive review of the systems and their transactions, an interview took place between the e-Authentication Assurance Risk Assessment Profile Team (Assessment Team) and the point of contact for [Insert System Name (Acronym)]. A risk assessment on new and existing electronic transactions was conducted to ensure that current authentication processes provide the appropriate level of assurance.

Scope

This Report incorporates an analysis of the external and internal facing e-Authentication transactions on the following components: [Insert System Acronym].

Structure

The Report is structured as follows:

• Results of the e-Authentication risk assessment;

• Transaction Report provided by the e-Authentication risk assessment tool.


E-AUTHENTICATION RISK ASSESSMENT RESULTS

Assessment Interview Summary

EXAMPLE: The assessment team performed a telephone interview with [Insert name] on Wednesday, September 21, 2005 at ':00 AM. The assessment team used the streamlined set of assurance questionnaire worksheets to guide the interview and used a hardcopy of the worksheet to record responses from the interviewees. No notable departures from the worksheet structure occurred.

System Operations

EXAMPLE: App requires authentication for Government Employees over the Organization Intranet. All users are considered internal users. The number of user sessions in a year is less than 200. The system URL provides the front door information page for the App system. Users access the NT App System Server by utilizing the workstation's Netscape browser and the Organization Intranet (inside the Organization firewalls). When the URL for the App system is entered, a Java applet is downloaded into the workstation's memory. The user is then prompted for a login id and password combination for the system. If the login id/password combination matches what is stored in the App database (the password is encrypted in the database) for that user, the system then checks the list of authorized IP addresses (also stored in the database) to determine if the user's workstation is authorized to access App. The user is granted access only if the IP address of his/her workstation matches one of the IP addresses allocated to that user. From this point on, the system server passes requests from the client workstation to the App database server using Oracle, a commercial off-the-shelf (COTS) software. Users do not have direct access to the App database server or to the App database at any time.
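The two-step login sequence in the System Operations example (login id/password checked against the stored record, then the workstation's IP address checked against the addresses allocated to that user) can be written as one server-side function. What follows is an added illustration, not code from the template or from the App system it describes. The user records, login ids, passwords and addresses are constructed sample data; where the example says the password is "encrypted" in the database, this code stores a salted PBKDF2 hash instead, which is an assumption about how such a record should be kept rather than a description of App; and the IP check is treated, as the appendix's own conclusion treats it, as a mitigating control layered on the credential check rather than as a second authentication factor.

```python
"""Two-step access check modelled on the System Operations example.

Added illustration, not the App system's code. Records, credentials and
addresses below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class UserRecord:
    """One row of the (constructed) user table: credential plus allocated workstation addresses."""
    login_id: str
    salt: bytes
    password_hash: bytes  # salted PBKDF2-HMAC-SHA256 of the password, never the clear text
    allowed_ips: frozenset[ipaddress.IPv4Address | ipaddress.IPv6Address]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(login_id: str, password: str, allowed_ips: list[str]) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(
        login_id=login_id,
        salt=salt,
        password_hash=hash_password(password, salt),
        # Parse once at creation so the later comparison is on addresses, not on strings.
        allowed_ips=frozenset(ipaddress.ip_address(ip) for ip in allowed_ips),
    )


# Used when the login id is unknown, so that the failure path does the same hashing work
# as a wrong password and response timing does not reveal which login ids exist.
_DUMMY_RECORD = create_user("", os.urandom(16).hex(), [])


def authenticate(users: dict[str, UserRecord], login_id: str, password: str,
                 client_ip: str) -> tuple[bool, str]:
    """Return (granted, reason).

    Step 1: the login id/password combination must match the stored record.
    Step 2: the workstation address must be one of the addresses allocated to that user.
    """
    record = users.get(login_id, _DUMMY_RECORD)
    candidate = hash_password(password, record.salt)
    credential_ok = hmac.compare_digest(candidate, record.password_hash)
    if login_id not in users or not credential_ok:
        # One generic message for both failures; the detail belongs in the audit log, not the reply.
        return False, "invalid login id or password"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    if addr not in record.allowed_ips:
        return False, "workstation address not allocated to this user"
    return True, "access granted"


# Constructed sample table standing in for the App database.
SAMPLE_USERS = {
    "jdoe": create_user("jdoe", "correct-horse-battery", ["10.20.30.40", "10.20.30.41"]),
    "admin1": create_user("admin1", "s3cret-admin-pw", ["10.20.31.5"]),
}


if __name__ == "__main__":
    for login, pw, ip in [
        ("jdoe", "correct-horse-battery", "10.20.30.40"),  # granted
        ("jdoe", "correct-horse-battery", "10.20.99.1"),   # right credential, wrong workstation
        ("jdoe", "wrong", "10.20.30.40"),                  # wrong password
        ("nobody", "x", "10.20.30.40"),                    # unknown login id
    ]:
        print(login, ip, authenticate(SAMPLE_USERS, login, pw, ip))
```

The ordering matters for what an observer learns: the credential check runs to completion (with a dummy record when the login id is unknown) before the address is consulted, and the address check only ever rejects a caller who already holds a valid credential, so a correct password from an unallocated workstation is logged as a distinct event rather than folded into "bad password".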

Transactions

Table 1 provides a summary of the e-Authentication Transaction Worksheet results for [Insert System Name]. The Table uses the following six elements to delineate each transaction:

• ID - unique association identifier used to link a transaction with all other qualitative elements of the e-Authentication assurance profiling process: security categories (SC), threat statements, vulnerabilities, authentication category impacts, vulnerability likelihood ratings, assurance levels, risk levels, mitigations, and assurance level impact profiles (e.g., A, B, C);

• Action - Transaction type: a verb (e.g., inquire, create, modify, delete);

• Asset - Data object: the object being acted upon by the Actor (e.g., personal profile, tax record, tax credit, employee record);

• Attributes - Set, in writing, the apparent authentication characteristics (e.g., sensitivity, privacy, availability, user/group restrictions, non-repudiation needs);

• Actor - User type: a subject (e.g., citizen, federal agency (FA), business, external filing partner, employee, administrator); and

• Avenue - Entry point: the instrumental vehicle for the transaction (e.g., Internet, registered user portal, employee user portal, intranet, extranet).


• Authentication Category (AC) - OMB Authentication Potential Impact Category, or Authentication Category (AC), for each transaction. According to OMB M-04-04, categories of harm and impact include:
1 - Inconvenience, distress, or damage to standing or reputation;
2 - Financial loss or agency liability;
3 - Harm to agency programs or public interests;
4 - Unauthorized release of sensitive information;
5 - Personal safety; and
6 - Civil or criminal violations.

• Assurance Profile (AP) - The four assurance profile levels for each security category are:
Level 1: Little or no confidence in the asserted identity's validity.
Level 2: Some confidence in the asserted identity's validity.
Level 3: High confidence in the asserted identity's validity.
Level 4: Very high confidence in the asserted identity's validity.

Table 1. System Transaction Summary (EXAMPLE)

ID | Name | Action | Asset | Attributes | Actor | Avenue | AC 1 | AC 2 | AC 3 | AC 4 | AC 5 | AC 6 | AP
App-X-001 | User-Manage Account | Modify | Employee Record | C, I, P | Government Employees | Intranet | N | N | N | N | N | M | 3
App-X-002 | User-View Report | Inquire | Employee Record | C, I, P | Government Employees | Intranet | N | N | N | N | N | M | 3
App-X-003 | Admin-View Reports | Inquire | Employee Record | C, I, P | Government Employees | Intranet | N | N | N | N | N | M | 3
App-X-004 | Admin-Create User Account | Create | Employee Record | C, I, P | Government Employees | Intranet | N | N | N | N | N | M | 3
App-X-005 | Admin-Modify User Account | Modify | Employee Record | C, I, P | Government Employees | Intranet | N | N | N | N | N | M | 3

(AC columns 1 through 6 are the authentication categories listed above; N = not applicable, M = Moderate.)

Conclusion

EXAMPLE:

As indicated in Table 1 in the rightmost column, labeled "AP," the assurance profile level for this system is a Level 3.

The system has mission-specific transactions which need to be carried out by Organization users. In addition, there is a moderate level of impact resulting from an authentication failure which can lead to civil or criminal violations. This impact is primarily due to the consequences of unauthorized access to the system, which can result in unauthorized access to sensitive information. Although only those users who have admin privileges may modify or update this information, there must be a high level of confidence that the individual logging in is indeed the authorized individual.


However, technically, at a Level 3 assurance level two-factor authentication is required, such as a one-time password through a cryptographic protocol. The IP checker, which only allows users with authorized IP addresses (stored in the database) to access App and only if the IP address of their workstation matches one of the IP addresses allocated to that user, provides a mitigating control.
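The step from the AC columns of Table 1 to the AP column, and from there to the system-wide level the conclusion cites, is a lookup against the OMB M-04-04 table of the maximum potential impact each assurance level may carry in each category. The following is an added illustration and not part of the template: the MAX_IMPACT_AT_LEVEL table is my transcription of that M-04-04 table (check it against the memorandum before relying on it), the function names are mine, and the sample rows are constructed to mirror the EXAMPLE rows of Table 1. It goes slightly beyond the page's single case by handling any mix of impacts across the six categories.

```python
"""Assurance Profile (AP) level derivation from per-category authentication impacts.

Added illustration, not part of the template. The impact table below is the
author's transcription of OMB M-04-04 and should be verified against it.
"""
from typing import Iterable, Mapping

# Impact severities in increasing order; "N" is not applicable (no impact in that category).
IMPACT_RANK = {"N": 0, "L": 1, "M": 2, "H": 3}

# Maximum potential impact tolerated at assurance levels 1..4 for each authentication
# category 1..6 (transcription of the M-04-04 table; assumption: "Mod/High" for personal
# safety at Level 4 is recorded here as High).
MAX_IMPACT_AT_LEVEL = {
    1: ("L", "M", "M", "H"),  # Inconvenience, distress, or damage to standing or reputation
    2: ("L", "M", "M", "H"),  # Financial loss or agency liability
    3: ("N", "L", "M", "H"),  # Harm to agency programs or public interests
    4: ("N", "L", "M", "H"),  # Unauthorized release of sensitive information
    5: ("N", "N", "L", "H"),  # Personal safety
    6: ("N", "L", "M", "H"),  # Civil or criminal violations
}


def level_for_category(category: int, impact: str) -> int:
    """Lowest assurance level whose tolerated impact in this category is at least `impact`."""
    rank = IMPACT_RANK[impact]
    for level, ceiling in enumerate(MAX_IMPACT_AT_LEVEL[category], start=1):
        if IMPACT_RANK[ceiling] >= rank:
            return level
    raise ValueError(f"no assurance level tolerates impact {impact!r} in category {category}")


def assurance_level(impacts: Mapping[int, str]) -> int:
    """AP level for one transaction: the maximum over all six categories.

    `impacts` maps category number (1..6) to "N", "L", "M" or "H"; missing
    categories are treated as not applicable.
    """
    return max(level_for_category(c, impacts.get(c, "N")) for c in range(1, 7))


def assurance_profile(transactions: Iterable[tuple[str, Mapping[int, str]]]) -> tuple[dict[str, int], int]:
    """Per-transaction AP levels plus the system-wide level (the highest of them)."""
    per_transaction = {tid: assurance_level(impacts) for tid, impacts in transactions}
    return per_transaction, max(per_transaction.values())


# Constructed rows mirroring Table 1's EXAMPLE: not applicable in categories 1-5,
# Moderate in category 6 (civil or criminal violations).
TABLE_1 = [
    ("App-X-001", {6: "M"}),
    ("App-X-002", {6: "M"}),
    ("App-X-003", {6: "M"}),
    ("App-X-004", {6: "M"}),
    ("App-X-005", {6: "M"}),
]


if __name__ == "__main__":
    per, system_level = assurance_profile(TABLE_1)
    for tid, level in per.items():
        print(f"{tid}: AP Level {level}")
    print(f"System assurance profile: Level {system_level}")
```

For the EXAMPLE rows the only non-N/A impact is Moderate in category 6, so each transaction resolves to Level 3 and the system AP, the maximum over rows, is also 3, which is the figure the conclusion reports. The same lookup shows why the conclusion then turns to two-factor authentication: a Low impact confined to categories 1 or 2 would stay at Level 1, but a High impact in any category forces Level 4, and the required level is driven by the single worst category, not by an average.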


APPENDIX D: AUDIT REPORTS

Audit findings have been identified for the system. Results from the relevant audit Reports are presented in this appendix. The security vulnerabilities identified based on these Reports are documented in a table in section 4 of the report.

[Provide relevant audit Reports here]

Or

Audit findings have not been identified for the system. As such, no audit Reports are presented in this appendix.


ORGANIZATIONAL COMMON CONTROLS SAR

Please refer to the organizational common controls SAR dated [Insert Date] for more information.