Cyber Core Technologies CnAProcess WhitePaper[1]


8/6/2019 Cyber Core Technologies CnAProcess WhitePaper[1]

The Information Assurance Process: Tackling Certification and Accreditation

A white paper on the phased approach to achieving certification and accreditation for information assurance compliance.

"Systems governed by only one set of rules are more vulnerable than those with variety."
Dr. Geoff Mulgan, Director of the Performance and Innovation Unit, UK

Copyright 2004 CyberCore Technologies, LLC
1954 Greenspring Drive, Suite 300
Timonium, MD 21093
Ph.: 410.561.7177
Fax: 410.308.0950


The Information Assurance Process: Tackling Certification and Accreditation

Abstract

Public laws, regulations, directives, and the resulting policies, procedures, and guidelines regarding information systems security have generated a multitude of manuals on certification and accreditation of automated information systems. These manuals and documentation issued from a variety of defense, Intel, and industry leaders in information security technologies completely define and delineate the entire process of personnel, hardware, network, and software certification and accreditation.

This white paper outlines the actual roles and overall strategy to achieve compliance for your automated information systems. This roadmap must be tailored to manage the vulnerabilities and minimize the overall risks to the system security according to the type of information processed. As an iterative and evolutionary process,[1] certification and accreditation for your organization or agency demands planning, dedication of resources, technical knowledge, negotiation skills, and a clear vision of the accreditation process.

Security Compliance Mandate

Often information technology professionals must define and plan major initiatives. Assuring the information systems' compliance with a four-digit year was a major undertaking in the years prior to 2000. The most recent initiative facing organizations is assuring the privacy and security of the data within each information system.

Modern information systems are complex, integrated systems that combine hardware, software, firmware, and configuration settings with users governed by policies and procedures. These policies and procedures are taught to the users during targeted training and enforced through system software that monitors internal and external network traffic to detect and prevent unauthorized access to system resources.

At its simplest, the information assurance process completely defines every element of the information system, including interconnected networks, and certifies that each operates at the appropriate security mode for the information being processed. The certification process applies to existing systems, new systems, new applications, and modified accredited systems.

Note: Information assurance is mandated by law and presidential directives for every government agency. Based upon their information security requirements some agencies have published manuals to standardize their information assurance process. Magnifying the impact of the information assurance law, directives, policies, and agency procedures is that each private business that exchanges data with the government must meet the certification and accreditation standards.

[1] John Kimbell and Marjorie Walrath, Life Cycle Security and DITSCAP; IAnewsletter Vol. 4, No. 2, Spring 01, 13 August 2004, Page 17

About Us:
Exemplified through our client engagements and demonstrated by our range of project competencies, CyberCore Technologies delivers a full spectrum of information assurance services. The certification process demands both technical competence and practical experience with evaluation methodologies to effectively define, verify, and develop effective and efficient strategies to manage each information system's risks and vulnerabilities.

Our staff experience includes certification and accreditation (C&A) processes for departments of the Navy, Marine Corps, and NSA, as well as DoD subcontractors in meeting DITSCAP, NISCAP, DCID 6/3, NSTISSP 11, and NSA/CSS policies and regulations. With a staff of certified security specialists serving clients in the definition, verification, validation, and post-accreditation phases of C&A, CyberCore Technologies provides expertise in remediation of procedures, hardware, software, and network connections.

Contact Us:
CyberCore Technologies is a woman-owned business headquartered in Timonium, Maryland. For additional information on our information assurance practice capabilities and competencies, please email Doug Oakley, Vice-President of Business Development at [email protected] or call 410-561-7124.


Information Assurance Governance

The governing law, regulation, policy, or directive driving information assurance is a bit more complex. National Security Directive No. 42, National Policy for the Security of National Security Telecommunications and Information Systems, dated July 5, 1990, establishes initial national objectives, policies, and an organizational structure to guide the conduct of national activities directed toward safeguarding, from hostile exploitation, systems which process or communicate national security information; establishes a mechanism for policy development; and assigns responsibilities for implementation.

NSD-42 establishes an interagency group at the operating level, an executive agent, and a national manager to implement these objectives and policies. The National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established to consider technical matters and develop operating policies, guidelines, instructions, and directives, as necessary to implement the provisions of NSD-42. The Committee on National Security Systems (CNSS), which originated with NSD-42, is responsible for the development of NSTISSP No. 11 and the development and implementation of:

• International Common Criteria for Information Security Technology, referred to as the Common Criteria within Information Assurance, and transition to International Common Criteria for Information Security Technology as outlined in NSTISSAM_compusec_1-99

• National Security Agency: NSA/National Information Assurance Partnership (NIAP): NIAP and Information System Certification and Accreditation Process (NISCAP)

• Public Law 100-235: Computer Security Act of 1987; Public Law 107-347: Federal Information Security Management Act (FISMA) governing national systems not classified as part of a security system

• Presidential Directive HS 7, July 2004, superseding Presidential Directive 63, May 1998

• Testing standards by the National Institute of Standards and Technology (NIST)

Referencing the NSA/CSS Directive 130-1 and NSTISS Policy No. 6, I.1: "All federal government departments and agencies shall establish and implement programs that mandate the certification and accreditation (C&A) of national security systems under their operational control. These C&A programs shall ensure that information processed, stored, or transmitted by national security systems is adequately protected with respect to requirements for confidentiality, integrity, and availability."

In response, the Department of Defense developed the Information Technology Security Certification and Accreditation Process (DITSCAP). Specific agencies developed the DCID 6/3 manual for protection and management of compartmented information within information systems. In conjunction with allied nations and to serve information technology consumers and producers, the NIAP promotes common criteria for information systems evaluation.

This proliferation of policies mandates a review and prioritization of the governing system security policies for your organization. By reviewing the hierarchical table in the National Computer Security Center C&A document and networking with other agencies undergoing certification you may begin accumulating and prioritizing the security policies applicable to your organization.[2]

Note: The Department of Defense Portal: Information Assurance Support Environment (IASE) provides verification and validation services for the security assurance of information systems. Limited to DoD agencies, IASE offers Certification Testing. To obtain more information regarding their services contact the IASE through URL http://iase.disa.mil.

Although not covered by this white paper, there are additional requirements for information assurance based on the type of records. The introduction of the Gramm-Leach-Bliley Act governing financial information, HIPAA governing medical records, and the Sarbanes-Oxley Act demands that policies and business systems protect the privacy of the records and guarantee information security and assurance.

Definitions

Accreditation
Formal declaration by the Designated Approving Authority that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.[3]

[2] National Computer Security Center, Introduction to Certification and Accreditation, NCSC-TG-029, Library No. S-239,954, Version 1, January 2004, Figure 4.1 Information Security Policy and Guidance
[3] Department of Defense Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process (DITSCAP)", 12/30/1997, Page 8


Certification
Comprehensive evaluation of the technical and non-technical security features of an information technology system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.[4]

Information Assurance
Department of Defense: Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Also called IA.[5]

Roles in the Certification and Accreditation Process

This certification and resulting accreditation process relies on certain roles and supporting documentation. Each information system's accreditation is issued from a Designated Approving Authority (DAA) who has reviewed documentation from the certification team during each phase of the certification and accreditation (C&A) process.

Note: In information systems processing sensitive compartmented information the Designated Approving Authority is known as the Designated Accrediting Authority (interchangeably DAA). There may be a Principal Accrediting Authority above the DAA and a Designated Accrediting Authority Representative serving the DAA.[6] With eight defined roles in DCID 6/3, certain managerial roles may be consolidated but the defined operational roles must remain separate entities.

Within the military and Intel communities, the DAA assignment is based on the security level of the information processed and rank or position.[7] In other agencies, the DAA is the owner of the system. This concept reaches a new level of complexity when considering connections between information systems and the varying level of security risk associated with the information within these systems.

Note: There are systems that are identical and under the DCID 6/3 manual may be certified jointly. This joint certification is at the discretion of the Designated Approving Authority.[8]

Systems may require joint accreditation and multiple accreditors. The number of interconnected systems and required level of operational security to effectively manage risk dictates the complexity of the information assurance effort. The scope of your information system's certification process must be considered when allocating resources and planning for your system's accreditation.

[4] Department of Defense Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process (DITSCAP)", 12/30/1997, Page 8
[5] The Department of Defense Dictionary of Military Terms, 26 September 2004.
[6] Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, 2 Roles and Responsibilities
[7] National Computer Security Center, Introduction to Certification and Accreditation, NCSC-TG-029, Library No. S-239,954, Version 1, January 2004, Appendix B
[8] Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Page 9-7


    Figure 1 Relationships Between Interconnected Information Systems.

The Information System Security Project Manager typically manages the overall procurement and development of the system and therefore must coordinate all security-relevant portions of the program. The Project Manager provides the resources, coordinates the scheduling of security milestones, and determines the priorities for the certifier or certification agent.[9] It is important to note that a system composed of validated products[10] must still undergo certification and accreditation for the specific configuration, information processing, operational security, and interconnected networks. The role of Information System Security Project Manager may be combined with the role of Information System Security Manager. After the information system is certified, the Information System Security Manager bears the responsibility for maintaining the system's accreditation.

As your organization determines the proper strategy for managing the certification and accreditation process, the focal person of the effort must be submitted to the next level DAA for review of their and the technical support staff's qualifications. This person's role is referred to as a Certifier or may be the Information System Security Officer depending on the agency. The Certifier or Information System Security Officer conducts the evaluation of the information system security features and delivers the recommendation to the DAA/DAAR once the certification testing and evaluation is completed.

Note: There is a requirement that the information system must be independently certified. In many cases the ISSO would not be considered an independent certifier, as that individual is responsible for the ongoing security management of the information system. You may elect to employ external certification professionals to work in conjunction with your staff. This addresses the independent certification requirement and offers the benefit of specialized skills and expertise to most efficiently and effectively certify, validate, and accredit your information system.

[9] Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Section 3.3 Other Security Roles
[10] Common Criteria Validated Products List, NIAP, 8 September 2004.

The number of C&A roles and number of resources assigned to fulfill the responsibilities of each role depends upon the size and complexity of the information system(s) undergoing certification. It is essential and mandated that the initial appointment to fulfill each role is made concurrent with adequate training to understand the responsibilities of their role and the C&A process.

Note: There are existing resources for DAA training. For those in the .gov or .mil domains, the IASE website at URL http://iase.disa.mil offers links for training, education, and awareness products. These tools include web-based training, CD-ROMs, and videos.

Working and User Groups

For large and complex interconnected information systems, an information system security working group may be an appropriate strategy to coordinate certification and accreditation efforts. This group may also collectively address the specific risks of the interconnected infrastructures. Another potential concept is bringing in supplementary staffing to assist your certification team. Use of certified information security professionals offers the additional benefit of their practical experience and expertise to improve the efficiency of your certification project.

The user community is also an important part of the certification process. Privileged users access operating systems and hardware and network configuration settings in performance of their jobs. Privileged users typically include system administrators, system architects, or programming leads and require advanced training and exposure to the certification process. This training reinforces the security procedures and policies with the privileged users and propagates these system security strategies in their future technology projects.

General users must be aware of the organizational security procedures and policies to appropriately limit access and develop a conduit for incident reporting. Management of the general user population requires consistent screening to only grant access appropriate to their role and job function within your organization. For organizations with multiple information systems, the information system security working group must align to develop consistent policies regarding user access and defined roles and responsibilities. This collaborative effort assists in developing your organization's appropriate security awareness training for each role in the C&A process. The certification process mandates security awareness training.

For private sector companies interconnected to government information systems for complex transactions such as joint application development or even simple EDI transactions, the government contract or security officers are integral resources for the certification effort. The C&A roles may have different names in the private sector, but are equivalent to Corporate Information Officer, Director of Information Systems/Technology, Director of Security, System Administrator/Security Engineer, privileged users, and general users.

Phased Approach

The DITSCAP identifies four phases of the C&A process. The NISCAP identifies five phases, as the initial contact, or documenting of security requirements, is regarded as phase 0. Phase 0 focuses on identifying the information system requirements, the environment, uses and users, security requirements as identified by the Program Management Office or DAA, and initial protection level, and levels of concern for confidentiality, integrity, and availability. As specific security requirements are tied to the protection and concern levels, establishing these levels is crucial to the budget and resource allocation of the certification program.

Note: In certifying information systems processing sensitive compartmented information, DCID 6/3 outlines eleven steps.[11] These eleven steps are segmented into phases within this white paper to conform to a phased certification approach. Additional guidance is contained within DCID 6/3 for the C&A process for system development. To further understand system development certification refer to Table 9.1 for a tabular depiction of the four phases of system development C&A.

Although there are several references to certification of information systems processing sensitive compartmented information, this white paper does not intend to act as a reference for certification of encrypted or classified information systems.

[11] Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Paragraph 1.F


    Figure 2 Defining Certification in Phases.

The phased approach begins with defining the system and the parameters for certification. Explained in more detail in the phase one topic, the governing policies and directives are collated and organized according to the attributes of your information system. Assignment of roles and responsibilities leads to development of an overall strategy, budget, initial training, and resource allocation for the information assurance effort. The documentation developed within phase one forms the foundation for the C&A process by reporting the security requirements of the information system in an initial System Security Plan or System Security Authorization Agreement.

Within this certification documentation you match the regulations to the characteristics and therefore the components of your system to develop an initial testing and evaluation plan. This testing and evaluation plan evolves into a security plan that is communicated to the DAA/DAAR. The first contact and phase one activities comprise approximately 20% of the effort required for the C&A process on a mid-range information system.

Phase two verifies the information system security requirements comply with the System Security Plan and Security Requirements Traceability Matrix. This leads into definition of the risk associated with the information system. Risk assessment and risk management are key to dedicating the appropriate resources to the actual certification effort completed in phase three.

These few sentences cannot accurately capture the breadth of analysis completed in phase two to ready the team for validation or certification of the information system. Both user training and the processes and methods for capturing and responding to system incidents must be designed, developed, and implemented. For a mid-range information system you will expend approximately 35% of the effort required to complete the C&A process during phase two.

Phase three testing and evaluation activities specifically address the system and security requirements. Working through each of the system components, the identified risks are analyzed and strategies documented to secure the information system. Those system elements that cannot be brought into compliance to the system security requirements must be documented and referred to experts in system and software engineering for corrective action. Following through on the analysis and planning of phase one, completion of phase three activities requires approximately 30% of the C&A effort for a mid-range information system.

In part due to the level of ongoing documentation required and in consideration of the monitoring of modifications to interconnected systems, phase four requires that you allocate approximately 15% of the overall C&A budget expended to the post accreditation of a mid-range information system. This required investment yields significant results during the system's recertification cycle as the up-to-date system documentation speeds the preparation of the reaccreditation package.

Phase 1: Definition of System Certification Requirements or Pre-Certification Phase

If this is the first information assurance effort for your information system you must assemble all of the relevant governing documentation. This comprehensive undertaking includes assembling copies of manuals and directives.

Your DAA/DAAR or working group provides an excellent starting point. On the Internet, refer to the Information Assurance Support Environment (IASE) at URL http://iase.disa.mil and the National Industrial Security Program at URL http://www.dss.mil/infoas. The IASE offers a link to the most recently released DITSCAP documentation, and listed after each task outlined in the DITSCAP are relevant reference publications.

For private sector efforts, the National Information Assurance Partnership website at URL http://niap.nist.gov offers links to download documents and to the National Institute of Standards and Technology Computer Security Resource Center at URL http://csrs.nist.gov. Utilizing the NIAP and NIST Resource Center websites to assemble these relevant documents also exposes you to the tremendous resources available through these organizations.

Activities in Phase 1

Phase one requires documentation of your information system attributes, including hardware, software, firmware, network configurations, interconnected systems, life cycle management, contingency plans, policies, procedures, user management, and training. Beyond these system administration details, your documentation must identify the information system capabilities and functions along with the organizations and user communities supported. For newly documented systems phase one requires the concept of operations (CONOPS) for the information system.

An important prerequisite to the system verification required in phase two is the definition of the system boundaries. While the documents prepared during phase one describe the system and attributes, you must identify the external interfaces in preparation for phase two definitions of interconnected systems. The remaining phase one activities are grouped under the headings risk management, training, and system security certification level.

Risk Management in Phase 1

Once you have identified the breadth and types of information your system processes, accesses, and stores you must catalog and categorize the type and importance of the data. Together, the documented system attributes and data profiles provide adequate details to analyze and assign relative value to your information system components.

This essential analysis provides the baseline for risk management. By identifying the high value assets, both equipment and data records, as you document the threats to your system and assess any vulnerability, you must weigh the level of risk against the relative value of the asset.

The next required activity during phase one is documenting and describing the information system environment and potential threats, along with an assessment of both physical and administrative security measures. As applicable to your information system, the certification team must describe the investigation, study, and control of compromising signals or emanations from your information system equipment and all relevant communication security standards the system must meet.

Note: For information systems processing sensitive compartmented information this description must extend to the concept of separating circuitry and hardware that process classified text from unclassified information. Referred to as RED-BLACK evaluation, the information system must be validated for meeting this security requirement.


Training in Phase 1

As you assign roles and responsibilities in your certification program, training must support the defined roles to empower your certification team with adequate understanding of their responsibilities. Completing the documentation outlined under the activities, risk management, and training headings allows you to register your information system with the DAA/DAAR.

System Security Certification Level

In reviewing the information system documentation, an analysis of each information system characteristic allows you to assign a numeric weight. As outlined in the table, these system weights are totaled to determine the system's required certification level. Refer to the DITSCAP for detailed definitions of the characteristics and alternatives listed.

Characteristic            Weights for Alternatives                                                                                                     Weight
Interfacing Mode          Benign = 0, Passive = 2, Active = 6
Processing Mode           Dedicated = 1, System High = 2, Compartmented = 5, Multilevel = 8
Attribution Mode          None = 0, Rudimentary = 1, Selected = 3, Comprehensive = 6
Mission-Reliance          None = 0, Cursory = 1, Partial = 3, Total = 7
Availability *            Reasonable = 1, Soon = 2, ASAP = 4, Immediate = 7
Integrity *               Not applicable = 0, Approximate = 3, Exact = 6
Information Categories *  Unclassified = 1, Sensitive = 2, Confidential = 3, Secret = 5, Top Secret = 6, Compartmented/Special Access Classified = 8
Total Weight

The total weight of the characteristics results in assignment of a Certification Level (1-4) based on each system's characteristic and assigned weight in consultation with the DAA. Presented in a simplified form for reference within this paper, in reality your information system may have several alternatives for some of the characteristics and the required negotiation of the required level of effort is a part of the phase one activities.

The certification level defines the type and quantity of testing and evaluation activities documented in phase two. This certification level is applied to every element examined during phase three. As these levels have overlapping weight values, the certification team (ISS Project Manager, ISSM, and Certifier/ISSO) must negotiate and come to agreement with the DAA/DAAR having final determination.

Total Weight of the Characteristics   Certification Level (reflected in type and quantity of certification activities for the IS)   Certification Requirements
Less than 16                          1                                                                                             Minimum Security Checklist
Between 12 and 32                     2                                                                                             Minimum Security Checklist and minimum Independent Certification Analysis as defined in verification and validation phases
Between 24 and 44                     3                                                                                             Minimum Security Checklist and detailed Independent Certification Analysis as defined in verification and validation phases
Between 38 and 50                     4                                                                                             Minimum Security Checklist and comprehensive Independent Certification Analysis as defined in verification and validation phases
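The weighting procedure and the overlapping certification-level bands above, worked as an added example that is not part of the white paper: the alternative weights and the band limits are transcribed from the two tables, while the function names, the inclusive treatment of the band limits, and the constructed sample system are this example's own assumptions.

```python
# Added example (not from the CyberCore white paper): a calculator for the
# DITSCAP-style certification level. Weights and bands are transcribed from
# the paper's tables; reporting every level whose band contains the total is
# this example's own choice, so the DAA negotiation point becomes visible.

# Weight of each alternative, per characteristic (asterisked rows included).
CHARACTERISTICS = {
    "Interfacing Mode": {"Benign": 0, "Passive": 2, "Active": 6},
    "Processing Mode": {"Dedicated": 1, "System High": 2,
                        "Compartmented": 5, "Multilevel": 8},
    "Attribution Mode": {"None": 0, "Rudimentary": 1,
                         "Selected": 3, "Comprehensive": 6},
    "Mission-Reliance": {"None": 0, "Cursory": 1, "Partial": 3, "Total": 7},
    "Availability": {"Reasonable": 1, "Soon": 2, "ASAP": 4, "Immediate": 7},
    "Integrity": {"Not applicable": 0, "Approximate": 3, "Exact": 6},
    "Information Categories": {
        "Unclassified": 1, "Sensitive": 2, "Confidential": 3, "Secret": 5,
        "Top Secret": 6, "Compartmented/Special Access Classified": 8},
}

# (level, lowest total, highest total, requirement). Bounds are treated as
# inclusive (an assumption), so "Less than 16" becomes 0..15. The bands
# deliberately overlap, exactly as in the paper's table.
LEVEL_BANDS = [
    (1, 0, 15, "Minimum Security Checklist"),
    (2, 12, 32, "Minimum Security Checklist and minimum "
                "Independent Certification Analysis"),
    (3, 24, 44, "Minimum Security Checklist and detailed "
                "Independent Certification Analysis"),
    (4, 38, 50, "Minimum Security Checklist and comprehensive "
                "Independent Certification Analysis"),
]


def total_weight(selection):
    """Sum the weights of the chosen alternatives.

    `selection` maps every characteristic name to one alternative name.
    A missing characteristic or an unknown alternative is an input error,
    not a zero, so a system cannot be silently under-weighted.
    """
    missing = sorted(set(CHARACTERISTICS) - set(selection))
    if missing:
        raise ValueError(f"no alternative chosen for: {missing}")
    total = 0
    for name, alternative in selection.items():
        if name not in CHARACTERISTICS:
            raise ValueError(f"unknown characteristic: {name!r}")
        weights = CHARACTERISTICS[name]
        if alternative not in weights:
            raise ValueError(f"unknown alternative {alternative!r} for {name}")
        total += weights[alternative]
    return total


def candidate_levels(total):
    """Every certification level whose band contains `total`, lowest first.

    Two results mean the total sits in an overlap and the level has to be
    negotiated with the DAA/DAAR, as the paper notes.
    """
    return [level for level, low, high, _ in LEVEL_BANDS if low <= total <= high]


def assess(selection):
    """Total weight, candidate levels, and the requirement text for each."""
    total = total_weight(selection)
    levels = candidate_levels(total)
    return {
        "total": total,
        "levels": levels,
        "negotiation_required": len(levels) > 1,
        "requirements": {lvl: req for lvl, _, _, req in LEVEL_BANDS
                         if lvl in levels},
    }


if __name__ == "__main__":
    # Constructed mid-range system: its total of 24 sits in both the level 2
    # and the level 3 band, so the DAA has the final say on the level.
    sample = {
        "Interfacing Mode": "Active", "Processing Mode": "System High",
        "Attribution Mode": "Selected", "Mission-Reliance": "Partial",
        "Availability": "Soon", "Integrity": "Approximate",
        "Information Categories": "Secret",
    }
    print(assess(sample))
```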

From the certification's definition the security requirements are analyzed in a Security Requirements Traceability Matrix (SRTM or RTM) in consideration of the governing policies, procedures, and guidelines. The matrix lists the evaluation method (Interview, Document review, Test, or Observation) and the information system's compliance or deficiency for each requirement.

*Note: Certification of information systems processing sensitive compartmented information assumes that the existing system design adequately protects the information through existing controls.[12] Each system must undergo analysis of the system's technical security requirements for confidentiality, integrity, and availability as part of the C&A process.

[12] Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Paragraph 1.D.3


In analyzing the required protection level, the user clearance, formal system access, and need to know are charted within a matrix to ascertain the confidentiality protection level for certification13. Selecting the appropriate protection level and level of concern establishes the appropriate set of technical security requirements for the sensitive compartmented information system.

Level of Concern | Confidentiality (Protection Level 1-5) | Integrity | Availability
Basic | | Reasonable degree of resistance | Flexible tolerance for delay
Medium | | High degree of resistance to prevent adverse organizational impact | Minimum tolerance for delay to prevent adverse organizational impact
High | Intelligence data level of concern is always high. | Very high degree of resistance to unauthorized modification | Always available without any delay

Note: Information systems processing sensitive compartmented information and protecting intelligence sources, methods, and analytical procedures must meet high level of concern confidentiality requirements. While these tabular approaches simplify categorization of the level of concern, in some cases there may be a mix of information processed. In these instances you must assign the highest level of concern to the information system.
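The rule in the note above (take the highest level of concern when a mix of information is processed, and treat intelligence data as always high for confidentiality) as an added Python example; it is not code from the white paper or from CyberCore. The information-type catalogue is constructed, and the result records which information type drove each attribute's level so that the selection can be justified in the SSP.

```python
"""Added example (not from the CyberCore white paper): roll up the level of
concern for an information system that processes a mix of information types,
using the ordering Basic < Medium < High from the paper's table and its rule
that intelligence data always carries a high level of concern for
confidentiality. Information-type names and their levels are constructed."""
from typing import Dict, Iterable, Optional, Tuple

LEVELS = ("Basic", "Medium", "High")          # ascending order of concern
ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Constructed catalogue: information type -> (confidentiality, integrity, availability)
INFORMATION_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public_reference": ("Basic", "Basic", "Basic"),
    "personnel_records": ("Medium", "Medium", "Basic"),
    "mission_schedule": ("Medium", "High", "High"),
    # confidentiality for this type is overridden to High by the rule below
    "intelligence_reporting": ("Basic", "Medium", "Medium"),
}
INTELLIGENCE_TYPES = {"intelligence_reporting"}


def _rank(level: str) -> int:
    """Position of a level in the Basic < Medium < High ordering."""
    if level not in LEVELS:
        raise ValueError(f"unknown level of concern: {level}")
    return LEVELS.index(level)


def system_level_of_concern(processed: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return attribute -> (level, information type that drove it).

    Each attribute takes the highest level across every information type the
    system processes; the first type to reach that level is recorded as the
    driver. Any intelligence data forces confidentiality to High regardless
    of the catalogue entry for that type.
    """
    result: Dict[str, Tuple[str, str]] = {}
    for name in processed:
        levels = INFORMATION_TYPES[name]   # KeyError for uncatalogued data is deliberate
        if name in INTELLIGENCE_TYPES:
            levels = ("High",) + tuple(levels[1:])
        for attr, level in zip(ATTRIBUTES, levels):
            current: Optional[Tuple[str, str]] = result.get(attr)
            if current is None or _rank(level) > _rank(current[0]):
                result[attr] = (level, name)
    if not result:
        raise ValueError("an information system must process at least one information type")
    return result


if __name__ == "__main__":
    for attr, (level, driver) in system_level_of_concern(
            ["public_reference", "personnel_records", "intelligence_reporting"]).items():
        print(f"{attr}: {level} (driven by {driver})")
```

Recording the driver matters in practice: when the highest level comes from a single information type, the team can check whether that data really belongs on the system before accepting the heavier set of technical security requirements.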

With a comprehensive inventory of the equipment and system data, in conjunction with a preliminary risk assessment, your team must develop a budget and project timeline. All of this assembled documentation forms the foundation for the phase one System Security Authorization Agreement or initial System Security Plan. The certifier submits it to the DAA/DAAR for review and approval, and your certification team and the DAA/DAAR must agree to the proposed level of effort and schedule for the C&A process. With consensus on the System Security Authorization Agreement (SSAA) or initial System Security Plan (SSP), the definition phase concludes.

Phase 2: Verification of System Certification Requirements or Certification Phase

Phase two requires the analysis of your information system as documented in phase one. This analysis includes hardware, all types of software, firmware, network configurations, interconnected systems, policies, procedures, plans, user management, and training. Software and firmware may include commercial off the shelf (COTS), government off the shelf (GOTS), and evaluated products (EPLs are listed on the NIAP website). The NIAP website lists all validated hardware, software, and network products evaluated under the Common Criteria Evaluation and Validation Scheme.

During phase two these analyses allow the certification team to assess the readiness of the information system to be certified. The number of certification team members must increase to complete the required analysis of the information system components. These team members must be presented for review by the DAA as the certification scope increases. Prior to beginning phase two activities any information system changes should be reflected in updates to the SSAA/SSP.

Activities in Phase 2

Within the second phase the security requirements corresponding to the certification level allow the certification team to complete a task analysis summary report on:

System Architecture Analysis verifies that the SSAA/SSP-defined security requirements are integrated for the appropriate certification level.

Software, Firmware, and Hardware Design Analysis evaluates compliance with the planned requirements and documented SSAA/SSP approach at the certification level.

Network Connection Rule Compliance Analysis evaluates the interconnected networks' compliance with the overall security policy. Network and system interfaces must be evaluated to ensure end-to-end compliance with the defined certification level. Memorandums of Agreement or Interconnection Security Agreements must cover all interconnected systems.

Note: In certifying information systems processing sensitive compartmented information, interconnected systems that are controlled through interfaces must meet stringent security requirements. Interconnection security agreements must be negotiated and integrated into the information system analysis.

13 Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Table 4.1 Protection Levels


Controlling interfaces must be protected as a functional capability from general users and physically protected. All controlling interfaces must be monitored by an automated mechanism that is protected against failure or compromise and audited. Every controlled interface must explicitly prohibit any protocols, services, or communication not explicitly permitted.

Web server configurations involve disabling any services not required.

Refer to the DCID 6/3 for comprehensive guidance on certification of controlling interfaces, web servers, and interconnected system requirements.

Integrity Analysis of Integrated Products ensures compliance of software (including COTS, GOTS, and EPL), hardware, and firmware with certification level security requirements.

Life Cycle Management Analysis documents the ability of configuration management practices to preserve the integrity of all security-relevant software and hardware.

Security Requirements Validation Procedures Preparation develops the documentation required to complete phase three validation of the information system's compliance with the appropriate certification level technical security requirements. To satisfy certification levels two through four the SRTM must be updated and all test plans documented.

The certification team completes and submits the task analysis summary reports for updating of the SSAA/SSP. Refer to additional activities and C&A process requirements in the risk management and training sections.

Risk Management in Phase 2

The risk management activity during phase two results in an analysis of the information system threats identified in phase one. These threats and the system's vulnerabilities are analyzed and appropriate countermeasures to mitigate the risks are developed. The certification team completes a vulnerability assessment to document the appropriate countermeasures required to address the residual risks of the confidentiality, integrity, availability, and accountability security vulnerabilities identified. The level of effort to mitigate the risks must be commensurate with both the value of the system asset and the degree of the risk. For example, more extensive and elaborate countermeasures are required to address a threat to data integrity where the level of concern for integrity is high.

Training in Phase 2

Aside from their professional security and technical credentials each team member must have successfully completed adequate training and orientation to the system. This system training must emphasize the security requirements relevant to their role.

Note: For information systems processing sensitive compartmented information the DCID 6/3 requirements for administrative security14 include security training, education, and awareness targeted to the audience. This includes training for all individuals involved in the C&A process. The training must cover the governing regulations and policies, common technologies and practices, testing and evaluation techniques, interconnected system security considerations, incident handling procedures, and audit analysis procedures and tools.

The DAA and DAARs must in addition understand their responsibility for accepting risks/consequences; software protection and validation techniques; and protection levels and levels of concern.

Information System Security Managers must, in addition to all previous topics, learn destruction and release procedures for systems, components, and media.

Information System Security Officers must, in addition to all previous topics, understand the implementation of common information system security practices and technologies including support infrastructures, help teams, and assisting organizations.

Privileged users must be trained in adherence with DoD IA Training for System Administration and Maintainers. This includes physical protections; authenticators and operation of applicable system security features; cost impacts to factor security into decisions; use and implementation of specific access control products; recognition and reporting of vulnerabilities, threats, violations or incidents; and organizational policies, roles, and responsibilities.

General users must learn physical protections; authenticators and operation of applicable system security features; recognition and reporting of vulnerabilities, threats, violations or incidents; and organizational policies.

If, as a result of the outlined analysis, the information system passes verification, the SSAA/SSP must be updated for the certification process to advance to phase three.

14 Director of Central Intelligence, Protecting Sensitive Compartmented Information Within Information Systems (DCID 6/3) Manual, 24 May 2000, Pages 8-1 through 8-3


Phase 3: Validation of the System, Certification or Accreditation Phase

All of the information system description and documentation completed in phase one and the detailed analysis performed in phase two form the foundation for the validation activities during phase three. The C&A process builds from the presentation of the complete information system and the associated staff roles to the DAA/DAAR, through the certification team's verification of the system attributes and overall security status with test and evaluation plans, and culminates in the phase three certification activities.

Activities in Phase 3

Prior to beginning phase three activities any information system changes should be reflected in updates to the SSAA/SSP. Phase three activities include completing:

All planned System Tests and Evaluations (ST&E). The ST&E certifies through the test plans documented during phase two that the information system performs to the security requirements documented in the SSAA/SSP. There are specific formats for recording and reporting the results of the tests and evaluations.15

Penetration testing to assess the information system's ability to withstand intentional attempts to circumvent the security features. Key to performing appropriate penetration testing are:

Adherence to the system boundary definition completed during phase one and verified in phase two

Integration of the analysis of threats to the information processed by the information system completed during phase one

Knowledge of current technologies and intrusion techniques.

Beyond scanning, penetration testing must adequately measure the information system's ability to resist state-of-the-art attempts to disable, overwhelm, or thwart the security measures.

As applicable to your information system, the certification team must complete the evaluation of compliance with the investigation, study, and control of compromising signals or emanations from information system equipment and all relevant communication security standards.

Note: For information systems processing sensitive compartmented information this evaluation must extend to the concept of separating circuitry and hardware that process classified text from unclassified information. Referred to as RED-BLACK evaluation, the information system must be validated for meeting this security requirement.

Verification of the configuration management policies. In completing verification of the system management the certification team must evaluate whether the existing configuration management policies effectively address the appropriate system security implications. This requirement ensures that any modifications to the baseline information system or operational concept maintain the system's established security posture.

Site accreditation evaluation and site survey. This site review validates that the site operation, or a laboratory version of a tactical or mobile system, poses an acceptable risk to the information processed. This activity relies upon the accurate description and documentation of all information accessed, processed, or relayed by the system during phase one. This assessment, followed by establishing the certification and protection levels and levels of concern, must form the basis for the preliminary risk profile. All specific threats must be analyzed and vulnerabilities assessed during phase two. Completion of these earlier phase one and two activities must precede independent validation of the information system site operation.

Contingency plan evaluation to ensure that the contingency, backup, and continuity portions of the operation service plans comply with the SSAA/SSP as submitted and approved at the end of phase two.

Certification Evaluation Report that includes the raw results of the certification testing and forms the foundation for certification by outlining the overall testing philosophy, procedures, and tester comments. This document also includes the results from automated scanning programs and results from the Site Accreditation Survey.

Certification Statement to report to the DAA/DAAR either a recommendation of full accreditation, interim approval to operate while initial risks are reduced to residual risks, or disapproval of accreditation. For interim approvals the six-month interim approval period allows for completion of all countermeasures to reduce the identified risks to an acceptable level. For systems that are not recommended for accreditation the certifying team returns to Phase 1 activities to establish new security milestones. The system progresses through the second and third phase activities to develop a certification statement recommending accreditation.

15 Arthur L. Money, Department of Defense Information Technology System Certification and Accreditation Process Application Manual (Washington DC, Department of Defense, 31 July 2000) Table C4-T4 Page 83 and C5-T2 Page 94

In addition to these outlined activities refer to specific documentation covered in the risk management and training sections for phase three. While these summary descriptions cannot adequately guide you in meeting the certification requirements, they do offer a roadmap to achieving the C&A process goals.

Note: For newly developed information systems undergoing accreditation there are additional documents required, including the final version of the System Design Plan, Threat Description, Security Policy for System Hardware, Network, and Software Configuration, Configuration Management Plan, Continuity of Operations Plan, System Security Requirements Specification, Trusted Facilities Manual, Security Features Users Guide, and Incident Response Plan.

Risk Management in Phase 3

During phase three the Risk Assessment Report (RAR) must be completed to analyze any ST&E failures and examine the threats and vulnerabilities caused by these failures. In conjunction with the threats identified in phase one and vulnerabilities documented during phase two, the RAR presents the initial risk (extremely low, low, moderate, high, extremely high) and residual risks once proposed countermeasures are instituted. These countermeasures are instituted to limit the probability or impact of loss to the information system. The Risk Management Review and Risk Assessment Report are completed during phase three to quantify that residual risk to the information system.

Training in Phase 3

During phase three the certification team may require specialized training in testing and evaluation techniques. Specific to each information system, certifying teams must have comprehensive understanding of the components and software to adequately test and evaluate the information system in compliance with the testing plans. This includes completion of the Security Training and Awareness Plan to verify achieving the training requirements for each role within the process.

Aside from the certification team training, the user security awareness and incident reporting training must be completed and reinforced on a regular basis to maintain the required vigilance for ongoing information system security. Part of the certification of the information system includes evaluating that the policies, plans, and procedures are adequate to meet and mitigate risks. Ongoing user training to maintain their awareness of security risks and ensure reporting of applicable incidents is a critical element for accreditation and the risk management process.

Phase 4: Post-Accreditation Phase

Once your information system receives the DAA/DAAR accreditation the C&A process moves into the post-accreditation phase. The activities within phase four focus on the maintenance and auditing of the information system accreditation through:

    Monitoring and documenting any information system changes to the DAA/DAAR.

    Monitoring and appropriately responding to interconnected system changes.

    Certifying any new component, configuration, or subsystem to the DAA/DAAR.

Relying upon your staff's experience gained through the C&A process, any changes or modifications must be documented, analyzed for impact to the system security, and assessed for compliance to the defined certification level of the information system. This required investment benefits your organization, as the information system must be certified on a three or five year cycle. Maintaining the C&A documentation greatly assists in preparation of the accreditation renewal package.

Risk Management in Phase 4

The C&A process requires that any additional threats and system vulnerabilities and the associated risks must be documented, mitigated, and assessed for compliance to the defined certification level of the information system. These threats may be a result of advancing technologies, changes to your user population, or the impact of interconnected systems.


Training in Phase 4

Ongoing security awareness and incident reporting training must be completed to reinforce to the user population the required vigilance for continuing information system security. All new users added to your information system must receive the baseline, role-specific security training in addition to the incident reporting training. You must maintain the appropriate training documentation to support the C&A process.

Summary

Planning for and establishing an information assurance process is part of the reality of information technology and management. Understanding the full reach of the data processed, managed, and accessed by your information system establishes a foundation for protecting or securing the data. That security and protection must extend beyond data storage and retrieval to account for each network component, including the human element that interacts with the data.

Following a phased approach to certifying that your information system properly protects the data helps your organization chart a path towards compliance. First, by educating your team on the applicable laws, regulations, directives, and policies you begin understanding the requirements for certifying information assurance. Distilling those specific requirements cannot be completed until the type of information is categorized as part of the overall definition of your information system. Many organizations do not even realize the breadth of data their information system contains. The C&A process documents and categorizes that information along with the hardware, software, firmware, networking connections, and interfaces controlling interconnected systems.

Limiting your understanding to your information system is insufficient; you must define the boundaries and establish the limits of the system. This assists in your exploration of the threats and vulnerabilities your information system must mitigate to be accredited. With this knowledge your team quantifies the certification process by assigning resources to fill the required roles, establishing milestones, and setting a budget. This budget must include the administrative and potential equipment costs required to achieve accreditation.

Armed with this information, your team documents the verification of the information system. A bit more complex and requiring additional expertise, the second phase challenges any organization due to the requirement of independently verifying the entire system definition completed in phase one. A potential solution is contracting with a supporting organization with certified security professionals that have practical experience in accrediting information systems. A critical prerequisite to selecting a partner is possessing adequate knowledge within your organization to understand the magnitude of support involved to complete the C&A process.

Aside from drawing on the expertise of contracted staff, there are many resources established by the same governing agencies issuing the regulations, directives, and policies on system certification. These resources include experienced information professionals that have completed information certification for their systems and in some cases may be available to assist in certifying your information system.

Completing the information system analysis, testing and evaluation plans, and required documentation of phase two progresses into executing those plans throughout the phase three certification activities. Again, engaging the expertise of system security engineers may assist your team in mitigating risks and resolving security conundrums. These very specialized professionals have utilized the spectrum of technical tools to isolate and navigate through hardware, software, and configuration settings to identify solutions to security issues.

Charting the path to information assurance continues through phase four. Once your information system has earned accreditation that status must be maintained. Information systems are certified for a three or five year cycle. After building a firm foundation for information assurance, establishing and maintaining your certification processes will assist in reaccrediting your system.

By understanding the certification and accreditation process and segmenting the effort into phases and steps within each phase, your team aligns in the required effort of the process. This sharing of responsibilities and background experience gained in certification of your information system allows your team to maintain certification through systematic auditing.


About the Authors

CyberCore Technologies staff includes certified information security professionals specializing in all phases of the information assurance process. With over 75 information technology specialists supporting our defense, Intel, and commercial clients, our staff play key roles in certifying systems for accreditation. A select team of our security professionals teamed to author this white paper on information assurance:

Kirvin Bonner, CISSP

As a certified System Design Security Officer, Mr. Bonner combines strong leadership and management experience in the disciplines of computers, networks, network security, physical security, and advanced intelligence analysis. His extensive and practical information assurance knowledge extends beyond forensics, vulnerabilities and risk assessment to the design of solutions utilizing best of breed security tools, appliances, and applications. Awarded the Defense Meritorious Medal, Mr. Bonner offers expertise based on over 20 years of accomplishment in the information assurance field.

Rodney Murphy, CCSA/E

Mr. Murphy's 19 years of progressive responsibility within the information security field include eight years supervising security programs for 8,000 to 45,000 node systems. A specialist in forensics and isolating vulnerabilities, he is skilled at implementing physical and logical protective measures to manage risk. His technical knowledge is enhanced by his commitment to total quality management and continuous improvement philosophies. Mr. Murphy relies upon his comprehensive information system security background to interpret product and system test results, government and industry policy, practices, and procedures to craft strategies for international enterprise security management.

Sherwood Page

A specialist in firewall modernization, Mr. Page is a Certified Cyberguard Firewall Security Officer and Administrator and trained in penetration testing and intrusion detection. With extensive experience in multiple operating systems and hardware configurations Mr. Page leverages over 18 years of experience in maintaining, designing and implementing local area networks. His expertise extends beyond Microsoft technologies to administering IBM AS400 and Novell systems.

Robert L. St. John, CISSP

Certified as a security professional, Mr. St. John earned his Masters of Science in Network Security from a center of academic excellence in IA education. These scholarly achievements mirror his professional accomplishments in the arenas of network intelligence analysis, digital network intelligence, and counterterrorism. His expertise resulted in development of a two-day course in network intelligence analysis. Proficient in an extraordinary array of security tools, software, and protocols, Mr. St. John's capabilities extend beyond information assurance and security to forensics and investigation of computer/network exploitation.

John Thomas, CISSP

With extensive experience in systems security engineering from both a commercial and government perspective, Mr. Thomas contributes over 20 years of knowledge in telecommunications, network operations, and database development. A leader in assuring security during modernization programs, he has contributed to development of courses for intrusion detection and information security. His Masters of Computer Resources Management and technical skills combine with outstanding leadership and operational management to deliver results for our clients.

Rachel Welke

An experienced technical writer with comprehensive knowledge and background in information assurance, software development life cycle, linguistics, and information analysis, Ms. Welke's network, programming, and graphics experience complements her considerable capabilities in security documentation. She tailors her documentation skills to maintain usability while translating complex, technical concepts for system operators.

The authors wish to acknowledge editorial assistance from Patricia Fehr, CISM, CISSP, CCSA/E, NSA. Ms. Fehr served for two years as the Commonwealth of Pennsylvania data center security manager and recently assumed responsibility for an SAS 70 auditing team based in Philadelphia. Her extensive knowledge of system security and isolation techniques through system design and configuration has resulted in critical loss prevention for her clients. Building upon her professional certifications and Masters of Business Administration degree, Ms. Fehr is pursuing her Certification in Public Accounting.