C&A CS-7493-01
Unit 2: C&A Process Overview using DITSCAP
Jocelyne Farah, Clinton Campbell

C&A Process Overview

– DII
– C&A Principal Purpose
– Definitions and Scope
– C&A Prerequisites
– C&A Process Tailoring
– Certification Levels
– C&A Overall Process
– SSAA
– C&A Phases Overview

Defense Information Infrastructure (DII)

“The DII encompasses information transfer and processing resources, including information and data storage, manipulation, retrieval, and display. More specifically, the DII is the shared or interconnected system of computers, communications, data, applications, security, people, training, and other support structure, serving the Department of Defense's local and worldwide information needs.”

C&A Principal Purpose

Protect and secure the entities comprising the DII with a proper balance between
– the benefits to the operational missions
– the risks to those same missions
– the life-cycle costs

Certification Definition

Certification

“Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements”

Certification Scope

Certification is a security analysis in the following areas (DII components):
– Physical
– Personnel
– Administrative
– Information
– Information Systems
– Communications

Accreditation Definition

Accreditation

“Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk*”

*Acceptable risk must consider the balance between
– the benefits derived from the use of the system
– the risks posed to both the system and community users
– the costs required to alleviate the risks

C&A Prerequisites

– System Description
– ITSEC Classification
– Reuse

System Description (Slide from Previous Lesson)

System Description Outline
1. Mission of the system.
2. Functions this system will perform.
3. Interfaces with other systems.
4. Interactions across system interfaces.
5. Expected users of this system.
6. Information categories to be processed.
7. Time frame for developing and implementing the system.
8. Components of the system that will be automated versus manual.
9. Budget limitations that may affect the system.
10. Other system constraints or assumptions that will impact the system.

1- System Description defines the boundaries of the system compared to those with which this system may interact

2- It shall be sufficiently clear and comprehensive to provide an unambiguous definition of when the system may be certified and accredited

3- If information or understanding about the system is insufficient for that system description to be written, the DITSCAP is not ready to begin

ITSEC Classification (Slide from Previous Lesson)

Characteristic / Operation / Data / Infrastructure / System / Alternatives

Interfacing Mode: Benign, Passive, or Active
Processing Mode: Dedicated Level, Compartmented Level, System High, or Multi-level
Attribution Mode: None, Rudimentary, Basic, or Comprehensive
Mission-Reliance Factor: None, Cursory, Partial, or Total
Accessibility Factor: Reasonable, Soon, ASAP, or Immediate
Accuracy Factor: Not-applicable, Approximate, or Exact
Information Categories: Unclassified, Sensitive (Privacy Act, Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented/Special Access Classified

Initial Step (Slide from Previous Lesson)

Analyze existing systems to determine classes
– Accredited systems become “models”
– Applicable ITSEC requirements, high-level architectures and approved solutions are stored in a common repository

Requirements definition process collects ITSEC requirements into a common database

Reuse

C&A Process Life-Cycle/Tailoring

Applies to all systems requiring C&A throughout their life cycle

Is designed to be adaptable to any type of IS and any computing environment and mission

May be adapted to include existing system certifications, evaluated products, new security technology or programs and adjusted to the applicable standards

May be mapped to any system life-cycle process

Is designed to adjust to the development, modification, and operational life-cycle phases

General & Flexible

Certification Levels 1/2

Analyze system with respect to:
– Business functions
– Security Requirements
– Criticality
– Infrastructure
– Users

Consider appropriate level of CIA & Accountability

Certifier recommends one of four levels
– Level 1 – Basic Security Review
– Level 2 – Minimum Analysis
– Level 3 – Detailed Analysis
– Level 4 – Comprehensive Analysis

Certification Levels 2/2

Level 1 – Basic Security Review
– Completion of the minimum security checklist
– System user or an independent Certifier may complete the checklist

Level 2 – Minimum Analysis
– Completion of the minimum security checklist
– Independent certification analysis

Level 3 – Detailed Analysis
– Completion of the minimum security checklist
– A more in-depth, independent analysis

Level 4 – Comprehensive Extensive Analysis
– Completion of the minimal security checklist
– The most extensive independent analysis

C&A Overall Process

Phase 1 Definition
Phase 2 Verification
Phase 3 Validation
Phase 4** Post Accreditation

– The activities defined in these four phases are mandatory
– Implementation details of these activities may be tailored

** Follow-up actions to ensure that the approved IS or system component continues to operate in its computing environment according to its accreditation

C&A Process Key: An Agreement

Players
– DAA
– Certifier
– Program Manager
– User Representative

Areas / Issues
– Critical schedule
– Budget
– Security
– Functionality
– Performance issues

C&A Process Documentation

DITSCAP uses a single document approach

All the information relevant to the C&A is collected into the one document, the Systems Security Authorization Agreement (SSAA)

SSAA is designed to fulfill the requirements for a security plan and to meet all the needs for C&A support documentation

SSAA is an evolving, yet binding, agreement on the level of security required before the system development begins or changes to a system are made

After accreditation, the SSAA becomes the baseline security configuration document

SSAA Definition

Systems Security Authorization Agreement (SSAA)

“The SSAA is a formal agreement among the DAA(s), Certifier, user representative, and program manager. The SSAA is used throughout the entire DITSCAP process to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security.”

SSAA Characteristics 1/2

1. Describes the operating environment and threat
2. Describes the system security architecture
3. Establishes the C&A boundary of the system to be accredited
4. Documents the formal agreement among the DAA(s), Certifier, user representative, and program manager
5. Documents all requirements necessary for accreditation

SSAA Characteristics 2/2

6. Documents all security criteria for use throughout the IS life cycle.
7. Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, etc.).
8. Documents the DITSCAP plan.
9. Documents test plans and procedures, certification results, and residual risk.
10. Forms the baseline security configuration document.

SSAA Outline 1/8

1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
2.0. ENVIRONMENT DESCRIPTION
3.0. SYSTEM ARCHITECTURAL DESCRIPTION
4.0. SYSTEM SECURITY REQUIREMENT
5.0. ORGANIZATIONS AND RESOURCES
6.0. DITSCAP PLAN
Appendices. System C&A artifacts

Optional appendices may be added to meet specific needs

SSAA Outline 2/8

1.0. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION
1.1. System Name and Identification
1.2. System Description
1.3. Functional Description
1.3.1. System Capabilities
1.3.2. System Criticality
1.3.3. Classification and Sensitivity of Data Processed
1.3.4. System User Description and Clearance Levels
1.3.5. Life Cycle of the System
1.4. System CONOPS Summary

SSAA Outline 3/8

2.0. ENVIRONMENT DESCRIPTION
2.1. Operating Environment
2.1.1. Facility Description
2.1.2. Physical Security
2.1.3. Administrative Issues
2.1.4. Personnel
2.1.5. COMSEC
2.1.6. TEMPEST
2.1.7. Maintenance Procedures
2.1.8. Training Plans
2.2. Software Development and Maintenance Environment
2.3. Threat Description

SSAA Outline 4/8

3.0. SYSTEM ARCHITECTURAL DESCRIPTION
3.1. System Architecture Description
3.2. System Interfaces and External Connections
3.3. Data Flow
3.4. Accreditation Boundary

SSAA Outline 5/8

4.0. SYSTEM SECURITY REQUIREMENT
4.1. National and DoD Security Requirements
4.2. Governing Security Requisites
4.3. Data Security Requirements
4.4. Security CONOPS
4.5. Network Connection Rules
4.6. Configuration Management Requirements
4.7. Reaccreditation Requirements

SSAA Outline 6/8

5.0. ORGANIZATIONS AND RESOURCES
5.1. Organizations
5.2. Resources
5.3. Training
5.4. Other Supporting Organizations

SSAA Outline 7/8

6.0. DITSCAP PLAN
6.1. Tailoring Factors
6.1.1. Programmatic Considerations
6.1.2. Security Environment
6.1.3. IS Characteristics
6.1.4. Reuse of Previously Approved Solutions
6.2. Tasks and Milestones
6.3. Schedule Summary
6.4. Level of Effort
6.5. Roles and Responsibilities

SSAA Outline 8/8

Appendix A Acronyms
Appendix B Definitions
Appendix C References
Appendix D System Concept of Operations
Appendix E Information System Security Policy
Appendix F Security Requirements and/or Requirements Traceability Matrix
Appendix G Certification Test and Evaluation Plan and Procedures (Type only)
Appendix H Security Test and Evaluation Plan and Procedures
Appendix I Applicable System Development Artifacts or System Documentation
Appendix J System Rules of Behavior
Appendix K Incident Response Plan
Appendix L Contingency Plans
Appendix M Personnel Controls and Technical Security Controls
Appendix N Memorandums of Agreement – System Interconnect Agreements
Appendix O Security Education, Training, and Awareness Plan
Appendix P Test and Evaluation Report(s)
Appendix Q Residual Risk Assessment Results
Appendix R Certification and Accreditation Statement

SSAA Tailoring

Authority
– DAA
– Certifier
– User representative
– Program manager

Reason: To meet the characteristics of the
– IS
– Operational requirements
– Security policy
– Prudent risk management

SSAA Flexibility

SSAA format is flexible enough to permit adjustment throughout the system's life cycle as conditions warrant

SSAA is updated to accommodate the new components
– New requirements may emerge from design necessities
– Existing requirements may need to be modified
– DAA's overall view of acceptable risk may change

SSAA Generation Tool

Assists the user with the task of preparing a System Security Authorization Agreement (SSAA) document.

Permits the user to develop an SSAA over time by saving changes and working on the document one section at a time.

For Windows 95/98/NT/2000
– “JAVA-based word processing” tool creates a basic SSAA, excluding the appendices.
– It includes some examples/sample statements and clarifications to help generate a meaningful SSAA.
– The output document is created in Rich Text Format or RTF.
– This format is read by word processing applications MS Word, WordPerfect, etc.
– Zipped File size: 8,956 KB

Phase 1: Definition Overview

Key players agree on the intended system mission, security reqs, C&A boundary, schedule, level of effort, and required resources

Agreement is documented in the SSAA

[Flowchart: Document Mission Need; Preparation; Registration; Negotiation; Agreement? (No / Yes); SSAA]

Phase 2: Verification Overview

Verify system’s compliance with SSAA reqs

Goal is to obtain integrated system for certification testing and accreditation

[Flowchart: SSAA; System Development; Certification Analysis; Pass? (No / Yes); Ready for Certification? (No / Yes); connector A; Phase 1 Definition; Phase 3 Validation]

Phase 3: Validation Overview

System on-hand (fully integrated system in its specific operating environment and configuration)

Validates system compliance w/SSAA reqs

Goal is to obtain full approval to operate system (accreditation)

[Flowchart: SSAA; Certification Evaluation of Integrated System; Certify System? (Yes / No); Develop Recommendation; Accreditation Granted? (Yes / No); Phase 4: Post Accreditation; connector A; Phase 1 Definition]

Phase 4: Post Accreditation Overview

Starts after site accreditation

Objective is to maintain an acceptable level of residual risk

DITSCAP responsibilities shift to site/O&M Orgs

Ends with system termination

[Flowchart: Phase 1: Definition; SSAA; System Operation; Compliance Validation; Validation Req’d? (No / Yes); Change Required? (No / Yes)]

Questions