Certification and Accreditation
CS-7493-01
Phase-1: Definition
Atif Sultanuddin
Raja Chawat
Phase-1 Overview
Phase 1 initiates the DITSCAP process by acquiring or developing the information necessary to understand the Information System under evaluation and then using that information to plan the C&A tasks.
Phase-1 Definition
The objectives of the Phase 1 activities are to agree on:
- The intended system mission
- Security requirements
- C&A boundary
- Level of effort, and
- Resources required.
Phase-1 Definition
[Figure: Phase 1 flow. Inputs (business case, mission need, threat, requirements, etc.) feed Preparation, then Registration, then Negotiation, ending in an Agreement decision (Yes/No); on Yes the SSAA proceeds to Phase 2. Registration tasks shown: Review Documentation, Prepare Mission Description and System Identification, Register System, Describe Environment & Threat, Identify Organization and Resources, Draft SSAA. Negotiation tasks shown: Certification Requirements Review, Approve Phase 1 SSAA.]
Phase-1 Activities
Phase 1 activities:
- Preparation
- Registration
- Negotiation
Phase-1 Preparation
The DITSCAP process starts when an Information System is developed or modified in response to a business case, operational requirements, mission needs, or a significant change in the threats to be countered.
During the preparation activity, information and documentation are collected about the system.
Phase-1 Preparation
Materials Reviewed During Preparation
1. Business Case
2. Mission Needs Statement
3. System Specifications
4. Architecture and Design Documents
5. User Manuals
6. Operating Procedures
7. Network Diagrams
8. Configuration Management Documents
9. Threat Analysis
10. Federal and Organizational IA and Security Instructions and Policies
Phase-1 Registration
Registration initiates the risk management agreement process among the program manager, DAA, Certifier, and user representative.
Registration begins with preparing the system description and system identification and concludes with preparing an initial draft of the SSAA.
Phase-1 Registration
Registration Tasks
1. Prepare business or operational functional description and system identification.
2. Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system).
3. Prepare the environment and threat description.
4. Prepare system architecture description and describe the C&A boundary.
5. Determine the system security requirements.
6. Tailor the DITSCAP tasks, determine the C&A level of effort, and prepare a DITSCAP plan.
7. Identify organizations that will be involved in the C&A.
8. Develop the draft SSAA.
Phase-1 Negotiation
During negotiation, all the participants involved in the Information System's development, acquisition, operation, security certification, and accreditation reach agreement on the implementation strategy to be used to satisfy the security requirements identified during system registration.
Phase-1 Negotiation
Negotiation Tasks
1. Conduct the Certification Requirements Review (CRR).
2. Agree on the security requirements, level of effort, and schedule.
3. Approve the final Phase 1 SSAA.
Negotiation
Negotiation starts with a review of the draft SSAA.
All participants review the proposed certification level and resource requirements to determine that the appropriate assurance is being applied.
Negotiation
The purpose of negotiation is to ensure that the SSAA properly and clearly defines the approach and level of effort.
During negotiation, all participants must develop an understanding of their roles and responsibilities.
Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached.
Phase-1 Tasks
Task 1-1 Review Documentation
- Task Objective: The objective of this task is to obtain and review documentation relevant to the system.
- Task Description: In the review documentation task, information and documentation are collected about the system. This information includes:
  - capabilities and functions the system will perform
  - operational organizations supported
  - intended operational environment, and
  - operational threat.
- This information is contained in the business case or mission needs statement, system specifications, architecture and design documentation, user manuals, operating procedures, network diagrams, and configuration management documentation.
Phase-1 Tasks
Task 1-2 Prepare the System and Functional Description and System Identification
Task Objective: The objective of this task is to prepare an accurate description of the system.
Task Description: The system and functional description and system identification task describes the system mission and functions, system capabilities, and Concept of Operations (CONOPS).
- 1.2.1 System Identification: Identify the system being developed or entering the C&A process. Provide the name, organization, and location of the organization developing the mission needs and the organizations containing the ultimate user.
- 1.2.2 System Description: Describe the system, focusing on the information security relevant features of the system. Describe all the components of the system.
Phase-1 Tasks
- 1.2.3 Functional Description and Capabilities: Describe the system, clearly delineating what functions or capabilities are expected in the fully accredited system.
  - System Capabilities: The functions or capabilities expected in the fully accredited system and the mission for which it will be used are clearly defined.
  - System Criticality: System criticality and the acceptable risk for the system in meeting the mission responsibilities are defined.
  - Classification and Sensitivity of Data: The type and sensitivity of the data processed by the system are defined.
  - System Users: Users' security clearances, their access rights to specific categories of information processed, and the actual information that the system is required to process are defined.
  - System Life Cycle: The system life cycle and where the system is in relation to its life cycle are defined.
Phase-1 Tasks
- 1.2.4 System CONOPS: The system CONOPS, including functions performed jointly with other systems, is defined.
Task 1-3 Register the System
- Task Objective: The objective of this task is to identify the agencies and individuals involved in the C&A process and determine the current status of the system.
- Task Description: This task identifies the applicable security and user authorities and informs them of the system status.
- 1.3.1 Identify Authorities:
  - The agency or organization that will serve as the DAA, Certifier, and user representative is identified.
  - Individuals and their responsibilities in the C&A process are identified.
Phase-1 Tasks
Task 1-4: Prepare the Environment and Threat Description
- Task Objective: The objective of this task is to define the system environment and potential threats to the system.
- Task Description: The environment and threat description task describes the operating environment, system development environment, and potential system threats.
- 1.4.1 Operating Environment:
  - The physical, personnel, communications, emanations, hardware, software, and procedural security features that will be necessary to support site operations are described.
  - Operating environment security involves the measures designed to prevent unauthorized personnel from gaining physical access to equipment, facilities, material, and documents and to safeguard the assets against espionage, sabotage, damage, and theft.
Phase-1 Tasks
The Operating Environment task describes:
- Facility
- Physical security
- Administrative security
- Personnel
- COMSEC
- TEMPEST
- Maintenance
- Training
Phase-1 Tasks
- 1.4.2 System Development, Integration, and Maintenance Environment: The system development approach and the environment within which the system will be developed are described. The system development approach is an information security strategy that incorporates security into each phase of a system's life cycle.
- 1.4.3 Threat Description and Risk Assessment: Potential threats and single points of failure that can affect the confidentiality, availability, and integrity of the system are defined.
Phase-1 Tasks
Task 1-5: Determine the System Security Requirements
- Task Objective: The objective of this task is to identify the system security requirements.
- Task Description: The system security requirements task defines the national, DoD, and data security requirements, governing security requisites, network connection rules, and configuration management requirements.
Phase-1 Tasks
- 1.5.1 Applicable Instructions or Directives: Determine the security instructions or directives applicable to the system.
- 1.5.2 Governing Security Requisite: Determine requirements stipulated by local agencies and the DAA. Contact the DAA and user representative to determine if they have any additional security requirements.
- 1.5.3 Data Security Requirements: Determine the type of data processed by the system.
- 1.5.4 Security Concept of Operations: The security CONOPS, including system input, system processing, final outputs, security controls, and interactions and connections with external systems, is described.
Phase-1 Tasks
- 1.5.5 Network Connection Rules: Identify any additional requirements incurred if the system is to be connected to any other network or system.
- 1.5.6 Configuration Management: Additional requirements based on the Configuration Management Plan are determined.
- 1.5.7 Reaccreditation Requirements: Unique organizational requirements related to the reaccreditation or reaffirmation of the approval to operate the system are determined.
- 1.5.8 Requirements Traceability Matrix (RTM): The directives and security requisites used to determine the system security requirements are analyzed.
Task 6: Prepare the System Architecture Description
Objective: To prepare a high level overview of the types of hardware, software, and firmware and associated interfaces.
Description: The system architecture task defines the system hardware, software, firmware, and interfaces.
Task 6 Description
- System Hardware: Target hardware and its function.
- System Software: OS, DBMS, and software applications.
- System Firmware: Firmware stored permanently in a hardware device.
- System Interfaces: The system's external interfaces, their purpose, and the relationship between the interface and the system.
- Data Flows: The system's internal interfaces and data flows, including the types of data and the general methods for data transmission.
Task 7: Identify the C&A Organizations and the Resources Required
Objective: To identify the organizations and individuals involved in the C&A process.
Description: Identify the appropriate authorities, resource, and training requirements and determine the certification team's roles and responsibilities.
Task 7 Description
- Organizations: Identify the organizations, individuals, and titles of the key authorities in the C&A process.
- Resources: Identify the resources required to conduct the C&A. Identify the roles of the certification team and their responsibilities.
- Resources and Training Requirements: Describe the training requirements, the types of training, and who is responsible for preparing and conducting the training.
- Other Supporting Organizations: Identify supporting groups to the C&A process.
Task 8: Tailor the DITSCAP and Prepare the DITSCAP Plan
Objective: To tailor the DITSCAP to the system and prepare the DITSCAP plan.
- Determines the appropriate certification level.
- Adjusts the DITSCAP activities to the program strategy and system life cycle.
- Tailors the security activities to system development activities, ensuring that the security activities are relevant to the process and provide the required degree of analysis.
Task 9: Draft the SSAA
Objective: Complete and assemble the SSAA document.
Description:
- Complete the SSAA document.
- Assemble it into the formal SSAA document.
- Submit the draft SSAA to the DAA and Certifier.
- The draft SSAA establishes a reference for discussions during negotiation.
Task 10: Conduct Certification Requirements Review
Objective: To conduct a CRR.
Description:
- Provides an opportunity for the DAA and Certifier to discuss the system functionality, security requirements, and planned C&A schedule.
- The CRR results in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements.
Task 11: Establish Agreement on Level of Effort and Schedule
Objective: To agree on the C&A level of effort and schedule.
Description: This task ensures that the DAA, Certifier, program manager, and user representative agree to the level of effort and schedule for the C&A activities.
Task 12: Approve Phase 1 SSAA
Objective: To obtain the DAA's approval on the Phase 1 SSAA.
Description: The DAA makes a decision on approving the system functionality, operating environment, development environment, potential threats, security requirements, system architecture, organization and resource requirements, tailoring factors, certification level, and DITSCAP plan.
PHASE 1 ROLES AND RESPONSIBILITIES
DAA Responsibilities
- Define accreditation requirements.
- Obtain a threat assessment for the system.
- Assign a Certifier to conduct vulnerability and risk assessments.
- Support the DITSCAP tailoring and level of effort determination.
- Approve the SSAA.
Certifier and Certification Team Responsibilities
- Support the DAA as the technical expert in the certification process.
- Begin vulnerability and risk assessments.
- Review threat definition.
- Identify the security requirements.
- Tailor the DITSCAP, determine the appropriate certification level, and prepare the DITSCAP Plan.
- Provide level of effort and resource requirements.
- Develop the SSAA.
- Provide oversight for the CRR.
ISSO Responsibilities
- Assist the DAA, Certifier, and certification team in the certification effort.
- Review the business case or mission statement to determine that it accurately describes the system.
- Review the environment description to verify that it accurately describes the system.
User Representative Responsibilities
- Support the DITSCAP tailoring and level of effort determination.
- Provide a business case or mission statement.
- Validate or define system performance, availability, and functionality requirements.
- Provide data sensitivity, end user functionality, and user organization information.
- Verify the ability to comply with the SSAA during operations.
Acquisition or Maintenance Organization Responsibilities
Program Manager Responsibilities
- Initiate the dialogue with the DAA, Certifier, and user representative.
- Define the system schedule and budget.
- Support the DITSCAP tailoring and determine the certification level.
- Define the system architecture.
- Integrate system security requirements into the system.
- Prepare Life-Cycle Management Plans.
- Define the security architecture.
Developer, Integrator or Maintainer Responsibilities
- Provide technical equipment environment requirements.
- Provide target hardware and software architecture.
- Provide information regarding the system development organization.
- Determine the feasibility of technical solutions and security requirements.
Configuration Management Responsibilities
The configuration management staff support the program manager in the development and maintenance of the system and system documentation.
System Administration Responsibilities
There are no system administration responsibilities in Phase 1.
Questions