C&A CS-7493-01
Unit 2: C&A Process Overview
using DITSCAP
Jocelyne Farah
Clinton Campbell
2
C&A Process Overview
– DII
– C&A Principal Purpose
– Definitions and Scope
– C&A Prerequisites
– C&A Process Tailoring
– Certification Levels
– C&A Overall Process
– SSAA
– C&A Phases Overview
3
Defense Information Infrastructure
Defense Information Infrastructure (DII)
“The DII encompasses information transfer and processing resources, including information and data storage, manipulation, retrieval, and display. More specifically, the DII is the shared or interconnected system of computers, communications, data, applications, security, people, training, and other support structure, serving the Department of Defense's local and worldwide information needs.”
4
C&A Principal Purpose
Protect and secure the entities comprising the DII with a proper balance between
– the benefits to the operational missions
– the risks to those same missions
– the life-cycle costs
5
Certification Definition
Certification
“Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements”
6
Certification Scope
Certification is a security analysis in the following areas (DII components):
– Physical
– Personnel
– Administrative
– Information
– Information Systems
– Communications
7
Accreditation Definition
Accreditation
“Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk*”
*Acceptable risk must consider the balance between
– the benefits derived from the use of the system
– the risks posed to both the system and community users
– the costs required to alleviate the risks
8
C&A Prerequisites
– System Description
– ITSEC Classification
– Reuse
9
System Description (Slide from Previous Lesson)
System Description Outline
1. Mission of the system.
2. Functions this system will perform.
3. Interfaces with other systems.
4. Interactions across system interfaces.
5. Expected users of this system.
6. Information categories to be processed.
7. Time frame for developing and implementing the system.
8. Components of the system that will be automated versus manual.
9. Budget limitations that may affect the system.
10. Other system constraints or assumptions that will impact the system.
1. The System Description defines the boundaries of the system relative to the other systems it may interact with.
2. It shall be sufficiently clear and comprehensive to provide an unambiguous definition of when the system may be certified and accredited.
3. If information or understanding about the system is insufficient for that system description to be written, the DITSCAP is not ready to begin.
10
ITSEC Classification (Slide from Previous Lesson)
Characteristic (Operation / Data / Infrastructure)   System Alternatives
Interfacing Mode          Benign, Passive, or Active
Processing Mode           Dedicated Level, Compartmented Level, System High, or Multi-level
Attribution Mode          None, Rudimentary, Basic, or Comprehensive
Mission-Reliance Factor   None, Cursory, Partial, or Total
Accessibility Factor      Reasonable, Soon, ASAP, or Immediate
Accuracy Factor           Not-applicable, Approximate, or Exact
Information Categories    Unclassified, Sensitive (Privacy Act, Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented/Special Access Classified
11
Initial Step: Reuse (Slide from Previous Lesson)
Analyze existing systems to determine classes
– Accredited systems become “models”
– Applicable ITSEC requirements, high-level architectures and approved solutions are stored in a common repository
Requirements definition process collects ITSEC requirements into a common database
12
C&A Process Life-Cycle/Tailoring: General & Flexible
Applies to all systems requiring C&A throughout their life cycle
Is designed to be adaptable to any type of IS and any computing environment and mission
May be adapted to include existing system certifications, evaluated products, new security technology or programs, and adjusted to the applicable standards
May be mapped to any system life-cycle process
Is designed to adjust to the development, modification, and operational life-cycle phases
13
Certification Levels 1/2
Analyze system with respect to:
– Business functions
– Security Requirements
– Criticality
– Infrastructure
– Users
Consider appropriate level of CIA & Accountability
Certifier recommends one of four levels
– Level 1 – Basic Security Review
– Level 2 – Minimum Analysis
– Level 3 – Detailed Analysis
– Level 4 – Comprehensive Analysis
14
Certification Levels 2/2
Level 1 – Basic Security Review
– Completion of the minimum security checklist
– System user or an independent Certifier may complete the checklist
Level 2 – Minimum Analysis
– Completion of the minimum security checklist
– Independent certification analysis
Level 3 – Detailed Analysis
– Completion of the minimum security checklist
– A more in-depth, independent analysis
Level 4 – Comprehensive Analysis
– Completion of the minimum security checklist
– The most extensive independent analysis
15
C&A Overall Process
Phase 1: Definition
Phase 2: Verification
Phase 3: Validation
Phase 4: Post Accreditation**
– The activities defined in these four phases are mandatory
– Implementation details of these activities may be tailored
** Follow-up actions to ensure that the approved IS or system component continues to operate in its computing environment according to its accreditation
16
C&A Process Key: An Agreement
Players
– DAA
– Certifier
– Program Manager
– User Representative
Areas / Issues
– Critical schedule
– Budget
– Security
– Functionality
– Performance issues
17
C&A Process Documentation
DITSCAP uses a single document approach
All the information relevant to the C&A is collected into the one document, the Systems Security Authorization Agreement (SSAA)
SSAA is designed to fulfill the requirements for a security plan and to meet all the needs for C&A support documentation
SSAA is an evolving, yet binding, agreement on the level of security required before the system development begins or changes to a system are made
After accreditation, the SSAA becomes the baseline security configuration document
18
SSAA Definition
Systems Security Authorization Agreement (SSAA)
“The SSAA is a formal agreement among the DAA(s), Certifier, user representative, and program manager. The SSAA is used throughout the entire DITSCAP process to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security.”
19
SSAA Characteristics 1/2
1. Describes the operating environment and threat
2. Describes the system security architecture
3. Establishes the C&A boundary of the system to be accredited
4. Documents the formal agreement among the DAA(s), Certifier, user representative, and program manager
5. Documents all requirements necessary for accreditation
20
SSAA Characteristics 2/2
6. Documents all security criteria for use throughout the IS life cycle.
7. Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, etc.).
8. Documents the DITSCAP plan.
9. Documents test plans and procedures, certification results, and residual risk.
10. Forms the baseline security configuration document.
21
SSAA Outline 1/8
1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
2.0. ENVIRONMENT DESCRIPTION
3.0. SYSTEM ARCHITECTURAL DESCRIPTION
4.0. SYSTEM SECURITY REQUIREMENT
5.0. ORGANIZATIONS AND RESOURCES
6.0. DITSCAP PLAN
Appendices. System C&A artifacts. Optional appendices may be added to meet specific needs.
22
SSAA Outline 2/8
1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
1.1. System Name and Identification
1.2. System Description
1.3. Functional Description
1.3.1. System Capabilities
1.3.2. System Criticality
1.3.3. Classification and Sensitivity of Data Processed
1.3.4. System User Description and Clearance Levels
1.3.5. Life Cycle of the System
1.4. System CONOPS Summary
23
SSAA Outline 3/8
2.0. ENVIRONMENT DESCRIPTION
2.1. Operating Environment
2.1.1. Facility Description
2.1.2. Physical Security
2.1.3. Administrative Issues
2.1.4. Personnel
2.1.5. COMSEC
2.1.6. TEMPEST
2.1.7. Maintenance Procedures
2.1.8. Training Plans
2.2. Software Development and Maintenance Environment
2.3. Threat Description
24
SSAA Outline 4/8
3.0. SYSTEM ARCHITECTURAL DESCRIPTION
3.1. System Architecture Description
3.2. System Interfaces and External Connections
3.3. Data Flow
3.4. Accreditation Boundary
25
SSAA Outline 5/8
4.0. SYSTEM SECURITY REQUIREMENT
4.1. National and DoD Security Requirements
4.2. Governing Security Requisites
4.3. Data Security Requirements
4.4. Security CONOPS
4.5. Network Connection Rules
4.6. Configuration Management Requirements
4.7. Reaccreditation Requirements
26
SSAA Outline 6/8
5.0. ORGANIZATIONS AND RESOURCES
5.1. Organizations
5.2. Resources
5.3. Training
5.4. Other Supporting Organizations
27
SSAA Outline 7/8
6.0. DITSCAP PLAN
6.1. Tailoring Factors
6.1.1. Programmatic Considerations
6.1.2. Security Environment
6.1.3. IS Characteristics
6.1.4. Reuse of Previously Approved Solutions
6.2. Tasks and Milestones
6.3. Schedule Summary
6.4. Level of Effort
6.5. Roles and Responsibilities
28
SSAA Outline 8/8
Appendix A Acronyms
Appendix B Definitions
Appendix C References
Appendix D System Concept of Operations
Appendix E Information System Security Policy
Appendix F Security Requirements and/or Requirements Traceability Matrix
Appendix G Certification Test and Evaluation Plan and Procedures (Type only)
Appendix H Security Test and Evaluation Plan and Procedures
Appendix I Applicable System Development Artifacts or System Documentation
Appendix J System Rules of Behavior
Appendix K Incident Response Plan
Appendix L Contingency Plans
Appendix M Personnel Controls and Technical Security Controls
Appendix N Memorandums of Agreement – System Interconnect Agreements
Appendix O Security Education, Training, and Awareness Plan
Appendix P Test and Evaluation Report(s)
Appendix Q Residual Risk Assessment Results
Appendix R Certification and Accreditation Statement
29
SSAA Tailoring
Authority
– DAA
– Certifier
– User representative
– Program manager
Reason: To meet the characteristics of the
– IS
– Operational requirements
– Security policy
– Prudent risk management
30
SSAA Flexibility
SSAA format is flexible enough to permit adjustment throughout the system's life cycle as conditions warrant
SSAA is updated to accommodate the new components
– New requirements may emerge from design necessities
– Existing requirements may need to be modified
– DAA's overall view of acceptable risk may change
31
SSAA Generation Tool
Assists the user with the task of preparing a System Security Authorization Agreement (SSAA) document.
Permits the user to develop an SSAA over time by saving changes and working on the document one section at a time.
For Windows 95/98/NT/2000
– “JAVA-based word processing” tool creates a basic SSAA, excluding the appendices.
– It includes some examples/sample statements and clarifications to help generate a meaningful SSAA.
– The output document is created in Rich Text Format or RTF.
– This format is read by word processing applications (MS Word, WordPerfect, etc.).
– Zipped file size: 8,956 KB
32
Phase 1: Definition – Overview
Key players agree on the intended system mission, security reqs, C&A boundary, schedule, level of effort, and required resources
Agreement is documented in the SSAA
[Flowchart: Document Mission Need → Preparation → Registration → Negotiation → Agreement? (No / Yes) → SSAA]
33
Phase 2: Verification – Overview
Verify system’s compliance with SSAA reqs
Goal is to obtain integrated system for certification testing and accreditation
[Flowchart: System Development → Certification Analysis → Pass? (No / Yes) → SSAA → Ready for Certification? (No / Yes) → Phase 3 Validation; connector A returns to Phase 1 Definition]
34
Phase 3: Validation – Overview
System on-hand (fully integrated system in its specific operating environment and configuration)
Validates system compliance w/SSAA reqs
Goal is to obtain full approval to operate system (accreditation)
[Flowchart: Certification Evaluation of Integrated System → Develop Recommendation → Certify System? (Yes) → SSAA → Accreditation Granted? (Yes → Phase 4: Post Accreditation; No → connector A, Phase 1 Definition)]
35
Phase 4: Post Accreditation – Overview
Starts after site accreditation
Objective is to maintain an acceptable level of residual risk
DITSCAP responsibilities shift to site/O&M Orgs
Ends with system termination
[Flowchart: System Operation → Compliance Validation → Validation Req’d? (No / Yes) → SSAA → Change Required? (No / Yes → Phase 1: Definition)]
36
Questions